This is based on a post on Life Plus Linux entitled “Look before you paste from website to terminal”. It details a very simple but cleverly crafted method of giving the user a seemingly benign string to execute into their Linux terminal window with CSS used to hide extra commands.
In this instance, the command looked like ls -lat
. This shows all files in the current directory ordered by date. However, between ls
and -lat
was some text, hidden by some fairly simple CSS. When the text is pasted directly into the terminal, did something the user probably didn’t expect, or indeed want.
I wondered to myself whether this was possible on Windows and so I set about doing exactly that. Not long after, I came up with the following example which you can try out for yourself.
Go ahead and copy and paste the below into your command prompt:
dir &
cls & echo Haha! You gave me access to your computer! &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ## (10%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ### (20%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ##### (33%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ####### (40%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ########## (50%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ############# (66%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ##################### (99%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ####################### (100%) &
cls & echo Hacking complete. &
echo Use GUI interface using visual basic to track my IP &
ping 127.0.0.1 -n 5 > nul &
cls
dir /w /p
I assure you that this example is safe and will do no harm to your computer, but you should check the contents of your clipboard just to be sure. Below is how it should look if my Markdown blog doesn’t fluff the HTML too much.
Apart from the fact that your command window started spitting out text you weren’t expecting, you might also notice that you didn’t have to press enter/return - Windows actually interprets the line breaks as new lines and executes it accordingly. So, unless you examine your clipboard contents first in a text editor like Notepad, you could be executing something that can cause very serious damage to your machine.
Whilst, that little example above is jokey, it’s not difficult to craft yourself with some basic CSS, and then turn it into something far more malicious. Given that many developers (including myself) use a command prompt with administrative privileges, the possibilities are somewhat worrying.
And so here, it the rant…
It’s far too easy for a lazy, novice or trusting developer to simply paste code pulled from a website like Stack Overflow* into a command prompt and execute it without understanding what it could do. Furthermore, Windows offers absolutely no guidance whatsoever when it comes to pasting potentially dangerous commands into the prompt.
This is especially true when there are sites like Chocolatey** that tell you to do exactly this!
If you run Cmder and try to paste the above example in, you’ll actually get two warnings, you lucky bugger! The first will let you know that it’s been given multi-line contents which will force the command prompt to execute them. The second informs you that you’re pasting a long clipboard entry into the console and executing the command may lock the console. Both should be red flags given that you should have a reasonable idea that the 10-character long sample is actually nearly 1000 characters! In both cases, you can choose to cancel, which would prevent this from happening.
If you’re interested, I created a fully-functioning Plunker and Github Gist example which you can try for yourself. And here is the HTML for the dir /w /p
example.
<code style="padding:10px;">
<span>dir</span>
<!-- Here, you can see that: -->
<!-- The text colour is the same as my blog background and it's also positioned way off the page. -->
<span style="color:#EEE; position:absolute; left:-1000px; top:-1000px; height:0px; z-index:-100; display:inline-block;">&
cls & echo Haha! You gave me access to your computer! &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ## (10%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ### (20%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ##### (33%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ####### (40%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ########## (50%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ############# (66%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ##################### (99%) &
ping 127.0.0.1 -n 2 > nul &
cls & echo h4cking ####################### (100%) &
cls & echo Hacking complete. &
echo Use GUI interface using visual basic to track my IP &
ping 127.0.0.1 -n 5 > nul &
cls
<br>dir
</span>
<span>/w /p<br></span>
</code>
Tl:dr Do not copy/paste commands from websites into your command prompt without examining the clipboard contents FIRST!
* I singled out Stack Overflow here as an example of a site which developers frequently copy and execute code from. I’m not suggesting that the Stack Overflow website allows malicious users to craft code samples in such a way as above in order to execute this. That being said, Plunker is often used to provide a more complete answer when HTML, CSS and JS are involved. As shown above, this ‘problem’ can and will occur on Plunker.
** Full disclosure: I’m a member of the Chocolatey organisation.