[return to "Detecting the use of "curl | bash" server-side"]
1. kazina+S6 2018-07-29 04:04:26
>>rubyn0+(OP)
You could just have the script detect that its stdin is a pipe. E.g., Linux specific:

  $ echo 'ls -l /proc/$$/fd/0' | bash
  lr-x------ 1 kaz kaz 64 Jul 28 21:03 /proc/23814/fd/0 -> pipe:[4307360]

Here, our script consists of the ls command; it shows that when we pipe it to bash, it finds fd0 to be a pipe.

We can make some code conditional on this to produce a "don't run this script from a pipe" diagnostic.

This is superior to the dodgy, delay-based server side detection because it is reliable.

Also, it still works when someone does this:

  $ curl <url> > file
  $ cat file | bash

Of course, no protection for

  $ bash file
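
The stdin check from comment 1, written out as a guard an install script could call first (an added example, not code posted by anyone in the thread). The function names and diagnostic wording are assumptions, and it uses `test -p /dev/stdin` rather than reading `/proc/$$/fd/0`, so it also gives the right answer inside a subshell.

```shell
#!/bin/sh
# Added example: classify fd 0 and refuse to proceed when it is a pipe.
# stdin_kind / refuse_if_piped are illustrative names, not from the thread.

# Print what stdin is: tty, pipe, file, or other.
stdin_kind() {
    if [ -t 0 ]; then
        echo tty                      # interactive: `bash file` from a terminal
    elif [ -p /dev/stdin ]; then
        echo pipe                     # `curl <url> | bash` or `cat file | bash`
    elif [ -f /dev/stdin ]; then
        echo file                     # `bash < file`
    else
        echo other                    # e.g. /dev/null or a socket
    fi
}

# Return 1 with a diagnostic on stderr when stdin is a pipe, 0 otherwise.
refuse_if_piped() {
    if [ "$(stdin_kind)" = pipe ]; then
        echo "error: don't run this script from a pipe;" \
             "save it, read it, then run: bash <file>" >&2
        return 1
    fi
    return 0
}

# In a real installer the first executable line would be:
#   refuse_if_piped || exit 1

# Constructed demonstration: give the classifier each kind of stdin.
demo() {
    tmp=$(mktemp) && echo 'constructed sample' > "$tmp"
    echo "pipe:      $(echo x | stdin_kind)"
    echo "file:      $(stdin_kind < "$tmp")"
    echo "/dev/null: $(stdin_kind < /dev/null)"
    rm -f "$tmp"
}
demo
```

As the comment says, `bash file` is not caught: stdin there is the terminal (or whatever the caller inherited), so the guard returns 0.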
2. ericpa+q7 2018-07-29 04:20:02
>>kazina+S6
This logic would be detectable to a user who reads the script. The goal here is to trick users who first inspect the script and then `curl | bash`.
3. nerdpo+P7 2018-07-29 04:27:27
>>ericpa+q7
If you downloaded the script to inspect it, why would you not just run the script that you downloaded?
4. IshKeb+zj 2018-07-29 09:28:04
>>nerdpo+P7
There's more than one user. You don't want any of them to find the malicious code.