Curl to shell isn't so bad

[y4mi]

different attack vector.

by detecting the usage of `curl | bash` you can serve a different script only when someone does it, so someone doing `curl -O /tmp/some_script.sh` to audit the script wont see the harmful code.

It opens you up to a literally undetectable attack.

nonetheless, the point of the article author does have some truth. there is always a degree of trust involved when you're installing binaries from a third party. by using curl|bash you're just increasing the required trust a bit.

[zshev]

> It opens you up to a literally undetectable attack.

This is the crux of it for me. This is why it is dangerous. The author appears to have overlooked this attack vector entirely.

[vbezhenar]

Is it undetectable? `curl | tee file | bash` should detect IMO.

[tln]

True, you can detect it without a way to stop the damage! Or easier and more thorough,

    curl | bash -x

[y4mi]

Piping through tee doesn't trigger the sever side detection (it doesn't stop to read every few ms) and using the x flag isn't inherited, so it's gone as soon as subshells are invoked, which is pretty normal for an installation script.

This has all been mentioned in the linked comment thread

[tln]

Actually the server side detection in [0] isn't really affected by putting tee in the middle... and neither does -x, of course.

Good point about -x being fallible to an adversarial script, even a simple set +x would be enough!

Where's the link where this has been mentioned? I missed it.

0: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...

[tulunsutao]

Use disposable virtual machine to isolate the damage, while dumping the script, this way we can detect attack without compromising ourself.