zlacker

[return to "Detecting the use of "curl | bash" server-side"]
1. cjbpri+e2[view] [source] 2018-07-29 02:26:42
>>rubyn0+(OP)
Neat! But it's not obviously a bad idea. You have a TLS connection with the site you're downloading from. `curl | bash` is no worse than downloading a .dmg or .deb from the same server would be.
2. throwa+k4[view] [source] 2018-07-29 03:06:52
>>cjbpri+e2
dpkg/packages have sanity checks to make sure that files aren't being overwritten, and things are generally in a sane state.

curl|bash involves no checks, and no system integration whatsoever.

3. Spivak+n6[view] [source] 2018-07-29 03:51:03
>>throwa+k4
Would you like me to craft you a .deb/.rpm which totally trashes your system? Packages can and very often do leverage the ability to run arbitrary scripts but nothing says I can't do serious damage even without that.
4. snuxol+I7[view] [source] 2018-07-29 04:24:46
>>Spivak+n6
%post

rm -rf --no-preserve-root / 2>&1 > /dev/null

Oh, yeah - good luck getting the average layperson or even many sysadmins to inspect this - because very few people actually know how to review scriptlets in an RPM (rpm -qp --scripts package.rpm, isn't this nice and obvious?). Nobody bothers for packages distributed via yum repositories either, because manually downloading packages to review them defeats the purpose, right?

Yeah, everything is vulnerable at the end of the day - but at least with packages one is less likely to get seriously messed with, just not impervious to it.
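The review step the thread says nobody performs can be scripted. The following is an added example, not code from any poster: it dumps a package's maintainer scripts (the `rpm -qp --scripts` query mentioned above for RPMs, and `dpkg-deb --control` for Debian packages, which extracts the DEBIAN/ directory containing preinst/postinst/prerm/postrm) and greps them for lines a reviewer should stop and read. The pattern list is an assumption of mine, a starting heuristic rather than a complete catalogue; `rpm` and `dpkg-deb` are only needed when pointing it at a real package, the scanner itself works on plain text.

```shell
#!/bin/sh
# Added example (not from the thread): pull the maintainer scripts out of a
# package and flag lines a reviewer should read before installing.
# Assumes `rpm` for .rpm files and `dpkg-deb` for .deb files when run on real
# packages; scan_scriptlets itself only needs grep, so it can be tried on text.

# Print every scriptlet of a package to stdout.
dump_scriptlets() {
  pkg="$1"
  case "$pkg" in
    *.rpm)
      # Same query the thread mentions: all scriptlets (%pre, %post, %preun, ...).
      rpm -qp --scripts "$pkg"
      ;;
    *.deb)
      # dpkg-deb --control extracts the DEBIAN/ control directory, which is
      # where preinst/postinst/prerm/postrm live.
      tmp=$(mktemp -d) || return 1
      dpkg-deb --control "$pkg" "$tmp" || { rm -rf "$tmp"; return 1; }
      for s in preinst postinst prerm postrm; do
        if [ -f "$tmp/$s" ]; then
          echo "### $s"
          cat "$tmp/$s"
        fi
      done
      rm -rf "$tmp"
      ;;
    *)
      echo "unsupported package type: $pkg" >&2
      return 2
      ;;
  esac
}

# Read scriptlet text on stdin, print each suspicious line with its line
# number, and return 1 if anything matched (0 if the scriptlets look boring).
# The patterns are an assumed starting heuristic, not a complete list:
# recursive deletion at the filesystem root, network-fetched code piped into
# a shell, preload/sudoers edits, decoded blobs, world-writable permissions.
scan_scriptlets() {
  hits=$(grep -nE \
    -e 'rm[[:space:]]+-[[:alpha:]]*r[[:alpha:]]*[[:space:]]+(--no-preserve-root[[:space:]]+)?/([[:space:]]|$)' \
    -e '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' \
    -e 'ld\.so\.preload' \
    -e '/etc/sudoers' \
    -e 'base64[[:space:]]+(-d|--decode)' \
    -e 'chmod[[:space:]]+[0-7]*777' \
    || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Usage: sh review_pkg.sh package.rpm   (or package.deb)
if [ "$#" -gt 0 ]; then
  if dump_scriptlets "$1" | scan_scriptlets; then
    echo "no suspicious scriptlet lines in $1"
  else
    echo "review the lines above before installing $1" >&2
    exit 1
  fi
fi
```

A non-zero exit is the point: wire it in front of `rpm -i`/`dpkg -i` in a deployment script and a package whose %post matches any of the patterns stops the install until someone has actually looked at it. The same scanner can be fed a downloaded install script instead of a scriptlet, which is the obvious middle ground between `curl | bash` and reading every line by hand.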
