blind copy&paste considered harmful

Posted by Nico Golde in
Wednesday, January 7. 2009

We all know it's not a good idea to copy things in your terminal you don't really understand, for example all these nice perl snippets that delete your home directory or do even worse things.

But what about shell snippets you do understand? Do we really need obfuscation? What about the following?

i=0
while [ $i -lt 10 ]; do
    echo FOO-$i
    i=$(($i+1));echo "YOU SHOULD NOT JUST DO BLINDY COPY STUFF INTO YOUR TERMINAL";i=0
done

This was one of the neat things ascii showed in his talk Tricks: Makes you smile at the 25c3 congress.

I know we are all aware of the fact that c&p is not a good idea in most cases, but who hasn't copied config snippets from the net so far? We are all lazy ;-)

The problem here is that some browsers (e.g. firefox) do not display text that is surrounded by
<span style="display:none"></span> while the string that is not displayed will be happily copied into your X11 buffer and later pasted. Interestingly opera(I tested 9.63) only copies the visible text so its users are not vulnerable to this specific problem.

Check out the talk, it includes quite some other interesting things.

UPDATE: while the above example doesn't work in opera it seems that there is a way to defeat operas filter, check out the uname example on: http://ush.it/team/ascii/hack-tricks_253C_CCC2008/wysinwyc/howto.html (thanks ascii for pointing that out).

Comments (2) - Trackbacks (0)
Defined tags for this entry: , , , , , ,
Related entries by tags:

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Hi nion, i have just replied your comment about Opera (and why it's vulnerable too to this kind of attack).

Check http://www.ush.it/2009/01/06/25c3-ccc-congress-2008-tricks-makes-you-smile/#comment-28377 to read it, it contains other details not included in the article.

I really hope to release a more specific article on that specific technique in the near future.

Thanks for the review!
ascii - ush.it
#1 ascii (Homepage) on 2009-01-07 12:35 (Reply)
thanks, updated!
#1.1 nion on 2009-01-07 20:20 (Reply)

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA 1CAPTCHA 2CAPTCHA 3CAPTCHA 4CAPTCHA 5


You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.
 
 

Calendar

Back November '15
Mon Tue Wed Thu Fri Sat Sun
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30            

Quicksearch

Support



=>my website

Recent Entries

E-Plus GSM privacy/TMSI allocation leak
Thursday, October 11 2012
Exploiting the Ubiquisys/SFR femtocell webserver (wsal/shttpd/mongoose/yassl embedded webserver)
Wednesday, August 3 2011
So what happened recently...
Wednesday, April 6 2011
Sunday, February 6 2011
exim remote vulnerability
Thursday, December 9 2010
Will my Phone Show An Unencrypted Connection?
Wednesday, September 8 2010
smpCTF 2010 quals writeups
Sunday, August 8 2010
protocol design fail: MMS notification
Wednesday, July 28 2010
acrobat reader stealing my passwords
Tuesday, June 29 2010
UnrealIRCd backdoored
Saturday, June 12 2010

Archives

Syndicate This Blog

Categories



All categories

Tag cloud