October 25, 2014 · fun linux security

Never copy-paste to root terminal from websites


Every so often someone copies a useful (or not so useful) command from the Web straight into their (root!) terminal.
Many thanks to Jann Horn for demonstrating how dangerous this is (http://thejh.net/misc/website-terminal-copy-paste).

In a nutshell, it is just CSS trickery: part of the text is not shown. So when someone sees a command like
emerge --update --deep --newuse @world, it may actually contain anything (including rm -rf /* or a reverse shell in bash).

Try copying and pasting some of these commands, they are safe, I promise :D

emerge &> /dev/null;if [ $EUID = 0 ]; then echo 'You still paste in root terminal?';else echo 'Not a root. Good!';fi; echo &>/dev/null
--sync

or

ls &> /dev/null;if [ $EUID = 0 ]; then echo 'You still paste in root terminal?';else echo 'Not a root. Good!';fi; echo &>/dev/null
-l ~

or even

dat&> /dev/null;if [ $EUID = 0 ]; then echo 'You still paste in root terminal?';else echo 'Not a root. Good!';fi; echo &>/dev/null
e
Hey, it's just a date command. It's safe.
But what is inside?

dat&> /dev/null;if [ $EUID = 0 ]; then echo 'You still paste in root terminal?';else echo 'Not a root. Good!';fi;e

In this command, between dat and e there is another command, hidden using CSS.
Look at the HTML source:

<div>  
 <strong>dat
  <text style="display:inline;font-size:0.1px;position:absolute;top:0;left:0">&amp;&gt; /dev/null;if [ $EUID = 0 ]; then echo 'You still paste in root terminal?';else echo 'Not a root. Good!';fi; echo &amp;&gt;/dev/null    <br>
  </text>e
 </strong>
</div>  
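As an added example (not the post's own code), here is a small Python checker that parses markup like the snippet above and separates what the browser shows from what it puts on the clipboard. It assumes the hiding is done with inline style attributes and well-formed tags, as in that snippet; SAMPLE_HTML is the post's snippet with source whitespace removed.

```python
# Added example, not the post's code: flags text a browser copies but does not
# show, judging only by inline style attributes, as in the snippet above.
import re
from html.parser import HTMLParser

def is_hiding(style):   # inline CSS that keeps text in the DOM but out of sight
    css = {k.strip().lower(): v.strip().lower()
           for k, _, v in (d.partition(":") for d in style.split(";")) if v}
    if css.get("display") == "none" or css.get("visibility") == "hidden":
        return True
    size = re.match(r"\d*\.?\d+", css.get("font-size", ""))
    return bool(size) and float(size.group()) < 1.0   # e.g. the post's 0.1px

class HiddenTextAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # &amp;&gt; arrives as &>
        self.visible, self.copied, self.hidden = [], [], []
        self._stack, self._depth = [], 0           # hiding flag per open tag

    def handle_starttag(self, tag, attrs):
        if tag == "br":                 # the newline that makes a paste execute
            self.copied.append("\n")
            return
        hiding = is_hiding(dict(attrs).get("style") or "")
        self._stack.append(hiding)
        if hiding:
            if self._depth == 0:
                self.hidden.append([])           # open a new hidden segment
            self._depth += 1

    def handle_endtag(self, tag):
        if self._stack and self._stack.pop():
            self._depth -= 1

    def handle_data(self, data):
        self.copied.append(data)
        (self.hidden[-1] if self._depth else self.visible).append(data)

def audit(html):   # collapsed visible text, raw copied text, hidden segments
    p = HiddenTextAuditor()
    p.feed(html)
    p.close()
    norm = lambda s: " ".join(s.split())
    return {"visible": norm("".join(p.visible)), "copied": "".join(p.copied),
            "hidden": [norm("".join(h)) for h in p.hidden]}

# Constructed sample: the post's own snippet, with source whitespace removed.
SAMPLE_HTML = ('<div><strong>dat<text style="display:inline;font-size:0.1px;'
               'position:absolute;top:0;left:0">&amp;&gt; /dev/null;if [ $EUID = 0 ]; then echo '
               "'You still paste in root terminal?';else echo 'Not a root. Good!';fi; echo "
               '&amp;&gt;/dev/null<br></text>e</strong></div>')
```

Running audit(SAMPLE_HTML) reports "date" as the visible text and one hidden segment, the shell command, sitting in the copied text right before the newline that would run it on paste.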

Sure, this is a very primitive piece of code. But it is a reason to think twice before pasting anything from a website directly into a terminal. If in doubt, paste it into vim (or any editor) first to check what you are actually pasting.

Take care!
