Don't pipe downloaded content into your shell: a Linux security hazard

Source: Internet
Author: User
Tags: curl, http request, linux

It is a stupid thing to pipe the output of wget or curl straight into bash or sh, as in the following:


wget -O - http://example.com/install.sh | sudo sh

Command explanation: wget's -O option names the output file. Passing "-" as the name means "write to stdout", so the downloaded content goes to standard output instead of being saved to disk, and the pipe hands that output to sudo sh as its input.

Such examples are everywhere. Sometimes they even tell you to ignore certificates (Salt, for instance), which is insidious.

What makes it insidious, in my view, is not so much that a malicious server could serve different content based on your User-Agent in order to run arbitrary commands on your machine; it is the failure mode.

What happens if the connection is closed halfway through? Let's see for ourselves.


(echo -n "echo \"Hello\""; cat) | nc -l -p 5555

Command explanation:

(1) echo -n suppresses the trailing newline that echo normally appends, so the command echo "Hello" is sent without its terminating line break;

(2) cat then copies its standard input (the terminal) to the pipe and keeps the pipe open until it reaches end-of-file or is killed, so the connection stays up with a half-finished line sitting in the client's buffer;

(3) nc (netcat) is a networking tool: -l puts it in listening mode and -p 5555 binds it to port 5555.

This sends a command to whoever connects, but never sends the newline that would terminate it, so the client just waits. Now connect to the listener:


nc localhost 5555 | sh

At first nothing happens. Good. Now what if we use kill -9 to force-kill the listening netcat? Does sh execute the partial command sitting in its buffer?


nc localhost 5555 | sh
Hello

What happened:

(1) Killing the listening netcat: use ps auxf | grep nc to find the PID of the (echo -n "echo \"Hello\""; cat) | nc -l -p 5555 listener, then kill -9 that PID.

(2) Why "Hello" appears only after the listener is killed: the listener had already sent the bytes echo "Hello" (with no newline) to the client, so sh was sitting on a partial line waiting for the rest. Killing the listener closes the TCP connection; the client-side nc exits and closes its end of the pipe; sh sees end-of-file, treats the partial line as complete, and runs it. In effect, the client side executed:

echo -n "echo \"Hello\"" | sh

which of course prints Hello.

So the partial command really does execute. Does the same thing happen with wget or curl?


wget -O - http://localhost:5555 | sh

--2013-10-31 16:22:38--  http://localhost:5555/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:5555... connected.
HTTP request sent, awaiting response... No headers, assuming HTTP/0.9
Length: unspecified
Saving to: 'STDOUT'

    [ <=> ]    --.-K/s   in 8.6s

2013-10-31 16:22:47 (1.40 B/s) - written to stdout [12]

Hello

As you can see, the result is the same.

Now, what if the script being sent is not a harmless echo but the following?


TMP=/tmp
TMP_DIR=$(mktemp)
rm -rf $TMP_DIR

Harmless? Are you sure? What if the connection drops right after the bytes rm -rf $TMP have been sent, before _DIR arrives? sh reaches end-of-file on the partial line rm -rf $TMP, expands $TMP to /tmp, and deletes everything under the temp directory. That is quite harmful.

It may seem unlikely, but it only has to happen once for the consequences to be catastrophic, and by then it is too late for regrets.
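The failure mode described above can be reproduced locally, without netcat. The following is an added example, not code from the original article: it cuts a script off at an arbitrary point and feeds the fragment to sh, exactly as a dropped connection would, inside a scratch directory so nothing real is deleted. It also goes one step beyond the article and shows the same script with its body wrapped in a function that is called on the last line: a truncated copy of that version is a syntax error and runs nothing. The sandbox layout, the marker file keep.txt and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original article): reproduce the truncation
# failure mode locally. A script is cut off part-way and the fragment is fed
# to sh, as happens when the connection behind "wget -O - URL | sh" drops.

# Scratch tree the constructed installer operates on. keep.txt must survive;
# only the sub.* directory created by the installer is supposed to go.
make_sandbox() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/work"
    echo important > "$base/work/keep.txt"
    echo "$base"
}

# Same shape as the article's snippet. TMP is taken from the environment so
# the sandbox can stand in for /tmp; the text is otherwise fixed.
installer_script() {
    printf 'TMP=${TMP:-/tmp}\n'
    printf 'TMP_DIR=$(mktemp -d "$TMP/sub.XXXXXX")\n'
    printf 'rm -rf $TMP_DIR\n'
}

# The same installer with its body wrapped in a function that is only called
# on the last line. If the download stops early, sh hits end-of-file inside
# the function body, reports a syntax error and executes nothing.
wrapped_installer_script() {
    printf 'main() {\n'
    installer_script
    printf '}\n'
    printf 'main\n'
}

# run_truncated MARKER [GENERATOR]
# Generate the script with GENERATOR (default installer_script), keep only the
# bytes up to and including the first occurrence of MARKER (an empty MARKER
# keeps everything), run the fragment with sh, and report "kept"/"deleted"
# for keep.txt plus "ok" if sh exited cleanly or "error" if it did not
# (e.g. the syntax error from an unterminated function body).
run_truncated() {
    marker=$1
    generator=${2:-installer_script}
    base=$(make_sandbox) || return 1
    script=$("$generator")
    if [ -n "$marker" ]; then
        prefix=${script%%"$marker"*}
        fragment="$prefix$marker"
    else
        fragment=$script
    fi
    if printf '%s' "$fragment" | TMP="$base/work" sh 2>/dev/null; then
        status=ok
    else
        status=error
    fi
    if [ -e "$base/work/keep.txt" ]; then result=kept; else result=deleted; fi
    rm -rf "$base"
    echo "$result $status"
}

# Stand-alone run: the three cases the article's argument turns on.
echo "complete script:            $(run_truncated '' installer_script)"
echo "cut after 'rm -rf \$TMP':    $(run_truncated 'rm -rf $TMP' installer_script)"
echo "same cut, function-wrapped: $(run_truncated 'rm -rf $TMP' wrapped_installer_script)"
```

The second line is the article's scenario: the fragment ends in rm -rf $TMP, sh executes it at end-of-file, and the whole work directory is gone. The third line shows why wrapping an installer in a function matters: the truncated copy never parses, so nothing in it runs.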

So, friends, do not pipe the output of any command into your shell.
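What to do instead. The following is an added example, not from the original article: download to a file, check that the complete and expected content arrived by comparing its SHA-256 with a digest obtained out of band (the project's release page, a signed manifest, or a value pinned in your own deployment code), and only then run it. The demo at the end constructs its own script and digest offline; sha256_of, verify_and_run and the marker file are names chosen for this example.

```sh
#!/bin/sh
# Added example (not from the original article): the alternative to
# "wget -O - URL | sh". Fetch to a file, verify its digest, then run it.
# A download that is truncated, or that the server changed under you,
# never reaches the shell.

# Print the SHA-256 of a file. GNU coreutils ships sha256sum; macOS and the
# BSDs ship shasum instead.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with sh only if its digest equals EXPECTED_SHA256; otherwise
# says why on stderr and returns 1 without executing anything.
verify_and_run() {
    file=$1
    expected=$2
    shift 2
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual, expected $expected" >&2
        return 1
    fi
    sh "$file" "$@"
}

# In real use the file comes from the network, for example
#   wget -O install.sh https://example.com/install.sh
#   verify_and_run install.sh "$PINNED_SHA256"
# Offline demo: construct a script and its digest, then show that the
# complete file runs while a copy missing its last 5 bytes is refused.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'echo installed > "%s/marker"\n' "$dir" > "$dir/install.sh"
    digest=$(sha256_of "$dir/install.sh")

    if verify_and_run "$dir/install.sh" "$digest"; then r1=ran; else r1=refused; fi

    size=$(wc -c < "$dir/install.sh" | tr -d ' ')
    head -c "$((size - 5))" "$dir/install.sh" > "$dir/install.part"
    if verify_and_run "$dir/install.part" "$digest" 2>/dev/null; then r2=ran; else r2=refused; fi

    if [ -e "$dir/marker" ]; then m=marker-present; else m=marker-absent; fi
    rm -rf "$dir"
    echo "$r1 $r2 $m"
}

demo
```

The digest check is what closes the gap the article describes: a connection that drops mid-transfer leaves you with a file whose hash does not match, and the shell never sees it. It only helps, of course, if the expected digest comes from somewhere other than the same unauthenticated download.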

Adapted from Hacker Monthly #45, "Existential Type Crisis: Don't Pipe to your Shell"; this article follows the original with some modifications based on my own understanding.
