Linux security vulnerability: Do not pipe the output content to your shell
It is silly to pipe the output of wget or curl straight into bash or sh, for example:
wget -O - http://example.com/install.sh | sudo sh
Command explanation: the -O option of wget names the output file. Here "-" means "write to stdout", so the downloaded content goes to standard output instead of being saved to the local disk, and the pipe then passes it to sudo sh as input.
This example can be seen everywhere. Sometimes you are even told to ignore the certificate (look at Salt's instructions), and these operations run silently. I think the main problem here is the failure mode (rather than that it runs arbitrary commands on your machine, or that the server could serve you different content based on your user agent). What happens if the connection is closed halfway through? Let's witness it together!
(echo -n "echo \"Hello\""; cat) | nc -l -p 5555
Command explanation: (1) the -n option of echo suppresses the trailing line break that echo adds by default; (2) cat then reads from standard input and stays blocked, so nothing further (not even a line break) is sent and the pipeline stays open; (3) nc (netcat) is a networking tool, -l puts it in listening mode and -p 5555 makes it listen on port 5555. This sends a command to whoever connects, but without a line break, so the connection stays open. Let's connect a client to it:
nc localhost 5555 | sh
At first, nothing happens. Good! What happens if we use kill -9 to forcibly kill the listening netcat? Does sh execute whatever commands are sitting in its buffer?
nc localhost 5555 | sh
Hello
Process description: (1) How do we kill the listening netcat? Use ps -auf | grep nc to find the pid of the process running "(echo -n "echo \"Hello\""; cat) | nc -l -p 5555", then kill -9 that pid. (2) "Hello" is what the client side prints once the listening nc has been killed. How does that happen? The input that the pipeline fed into "nc -l -p 5555", namely the output of (echo -n "echo \"Hello\""), is held in a buffer; when the connection is torn down, "nc localhost 5555" in "nc localhost 5555 | sh" receives that buffered content, so the command run on the client side effectively becomes:
(echo -n "echo \"Hello\"") | sh
Naturally, Hello is printed.
We can see from the above that the command really is executed. What if wget or curl is used instead of nc?
wget -O - http://localhost:5555 | sh
--2013-10-31 16:22:38--  http://localhost:5555/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:5555... connected.
HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Length: unspecified
Saving to: `STDOUT'

    [ <=>                                   ] 12          --.-K/s   in 8.6s

2013-10-31 16:22:47 (1.40 B/s) - written to stdout [12]

Hello
The result is the same.
What if these commands are not harmless echo but the following commands?
TMP=/tmp
TMP_DIR=`mktemp`
rm -rf $TMP_DIR
Harmless? Really? What if the connection is closed right after "rm -rf $TMP" has been sent? That deletes everything in the temp directory, which is quite harmful. It seems unlikely to happen, but once such a result is sent, even if it happens only once, the consequences may be disastrous and cannot be undone. So, friends, please do not pipe the output of any command straight into your shell.
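The hazard described above, together with the safe alternative, as an added example that is not from the original post. SANDBOX, FULL_SCRIPT and TRUNCATED are constructed stand-ins for a real download, and the expected digest would in practice come from the publisher out of band:

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the
# truncated-stream hazard inside a throwaway directory, then shows the
# save-verify-execute pattern that refuses a short or altered download.
# SANDBOX, FULL_SCRIPT and TRUNCATED are constructed stand-ins.

# The installer the server would send (the post's TMP / TMP_DIR pattern,
# with TMP pointed at a sandbox instead of the real /tmp).
FULL_SCRIPT='TMP=$SANDBOX/tmp
TMP_DIR=$TMP/build
rm -rf $TMP_DIR
echo done'

# The same bytes as the client sees them if the connection drops mid-line.
TRUNCATED='TMP=$SANDBOX/tmp
TMP_DIR=$TMP/build
rm -rf $TMP'

# SHA-256 of stdin (coreutils sha256sum, or shasum where it is absent).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}
script_digest() { printf '%s\n' "$1" | digest; }

# Hazard: "... | sh" runs each line as it arrives, so the cut-off
# "rm -rf $TMP" deletes the whole directory. Returns 0 if it was deleted.
truncated_pipe_deleted_dir() {
    SANDBOX=$(mktemp -d); export SANDBOX
    mkdir -p "$SANDBOX/tmp"
    printf '%s' "$TRUNCATED" | sh
    [ ! -d "$SANDBOX/tmp" ]; deleted=$?
    rm -rf "$SANDBOX"
    return $deleted
}

# Mitigation: land the whole payload in a file, compare its digest with a
# value obtained out of band (e.g. a signed release page), and only then
# run it. Returns 0 if it ran, 2 if the payload was rejected.
verified_run() {
    payload=$1; expected=$2
    SANDBOX=$(mktemp -d); export SANDBOX
    mkdir -p "$SANDBOX/tmp"
    f=$(mktemp)
    printf '%s\n' "$payload" > "$f"
    if [ "$(digest < "$f")" = "$expected" ]; then sh "$f"; rc=$?; else rc=2; fi
    rm -f "$f"; rm -rf "$SANDBOX"
    return $rc
}
```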