zlacker

[parent] [thread] 3 comments
1. e12e+(OP)[view] [source] 2018-07-29 11:20:15
Quote(trying to fit it to narrow widt, for others on mobile):

  curl -s \
  'https://pgp.mit.edu/pks/lookup?op=get&search=0x1657198823E52A61'
  | gpg --import \
  && if z=$(curl -s 'https://install.zerotier.com/' | gpg);
  then echo "$z"
  | sudo bash;
  fi
It's interesting - it tries to import a given gpg key from keyserver, then grabs a gpg armored text file with a bash header - with the gpg header wrapped in a here-document:

  #!/bin/bash
  <<ENDOFSIGSTART=
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256

  ENDOFSIGSTART=
I'm unsure, but I think you could just stick your malicious code before the signature?

  #!/bin/bash
  sudo much_evil
  <<ENDOFSIGSTART=
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256

  ENDOFSIGSTART=
So it really isn't any better, as far as I can tell. There's also a trade-off between scripts that can be typed (curl https://i.com.com) and need copy-pasting - as copy-pasting also isn't safe - even if that's a somewhat different attack vector (compromising the web site, altering js depending on visitor).
replies(1): >>api+hf
2. api+hf[view] [source] 2018-07-29 15:02:53
>>e12e+(OP)
Putting malicious code before the signature doesn't work because gpg chops it out. It only outputs the verified part.

It is definitely a kludge though.

replies(1): >>e12e+wy
◧◩
3. e12e+wy[view] [source] [discussion] 2018-07-29 18:55:01
>>api+hf
So the shebang is redundant, except for testing during development? [ed: and for allowing the daring to just do curl|bash, I guess]
replies(1): >>api+IN1
◧◩◪
4. api+IN1[view] [source] [discussion] 2018-07-30 14:04:04
>>e12e+wy
It's not strictly necessary, no.
[go to top]