
An unmodified curl invocation does not require weird timing-based attacks, it sends an appropriate user-agent header the server can use (and which the article already addresses).



Different attack vector.

By detecting the usage of `curl | bash` you can serve a different script only when someone does it, so someone doing `curl -O /tmp/some_script.sh` to audit the script won't see the harmful code.

It opens you up to a literally undetectable attack.

Nonetheless, the article author's point does have some truth. There is always a degree of trust involved when you're installing binaries from a third party. By using curl|bash you're just increasing the required trust a bit.


> It opens you up to a literally undetectable attack.

This is the crux of it for me. This is why it is dangerous. The author appears to have overlooked this attack vector entirely.


Is it undetectable? `curl | tee file | bash` should detect IMO.


True, you can detect it without a way to stop the damage! Or easier and more thorough,

    curl | bash -x


Piping through tee doesn't trigger the server-side detection (it doesn't stop to read every few ms) and the `-x` flag isn't inherited, so it's gone as soon as subshells are invoked, which is pretty normal for an installation script.

This has all been mentioned in the linked comment thread.
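The exchange above turns on the difference between seeing the script and stopping it: `curl | tee file | bash` records what ran, but only after it has run. The pattern below is an added example, not code from the thread or the linked article: fetch to a file first, compare its SHA-256 against a digest published out of band, and execute only on a match. The `curl` flags are real; the expected digest is a placeholder the reader replaces, and `sha256sum`/`shasum` and `mktemp` are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): download, verify, then run.
# Because the script lands on disk before anything executes, a server that
# serves different content to piped clients gains nothing, and a reviewer
# can read exactly the bytes that would be run.

# Print the SHA-256 of a file; works with coreutils sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE with sh and returns its status only when the digest matches;
# otherwise returns 1 and leaves the file in place for inspection.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'hash mismatch for %s\n  expected %s\n  got      %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    sh "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# -f fails on HTTP errors, -sS is quiet except for errors, -L follows
# redirects, -o writes to a file instead of stdout (so nothing is piped).
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    verify_and_run "$tmp" "$expected"
}

# Usage (placeholder digest; replace with the value the project publishes):
# fetch_verify_run https://example.invalid/install.sh 0000...0000
```

The digest has to come from somewhere other than the same server that serves the script (a signed release page, a package index, documentation you already trust), otherwise a server that lies about the script can lie about the hash as well.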


Actually the server-side detection in [0] isn't really affected by putting tee in the middle... and neither is -x, of course.

Good point about -x being vulnerable to an adversarial script, even a simple set +x would be enough!

Where's the link where this has been mentioned? I missed it.

0: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...


Use a disposable virtual machine to isolate the damage while dumping the script; this way we can detect the attack without compromising ourselves.



