89 points by a10r | 1 comment
nodesocket No.44409539
This looks great and all, but trying to read and digest a multi hundred line bash script seems unrealistic. Full send pipe into bash.
replies(1): >>44409767 #
sgarland No.44409767
And this is why this exploit mechanism works so well.

Most installers are doing the same basic patterns: checking for dependencies, checking the distro, etc. It’s not hard to figure these out and spot them in different scripts.

replies(1): >>44410576 #
treve No.44410576
Does it work really well? Any major examples?
replies(1): >>44412992 #
sgarland No.44412992
OK, fair-ish point. You won’t find major examples, because it’s not a CVE if you willingly download and execute malicious code. I hope you can understand the theoretical (but very real) risks of doing this, though.

For me personally, I try to use a distro/platform specific package if it exists, since hopefully that means at least one human has read through some of the code, and probably installed it. If that’s not available, I do download the script to review before executing it (and not re-downloading it to pipe to a shell). I’m sure I wouldn’t catch everything, but I would probably catch odd embedded curl calls and the like.

replies(2): >>44413542 #>>44447506 #
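The download, review, then execute the same file routine sgarland describes, as an added shell example that is not from the thread; the installer URL is a placeholder and the function names (`hash_of`, `fetch_once`, `unchanged_since_fetch`, `review_then_run`) are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): fetch an installer once, review that
# exact copy, and execute only the reviewed file, never a re-downloaded one.
set -eu

# Placeholder, not a real endpoint.
INSTALLER_URL="${INSTALLER_URL:-https://example.invalid/install.sh}"

# Portable SHA-256 of a file; prints only the hex digest.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Download the script to a local file exactly once and record its digest.
# A second fetch could be served different content, so it is never repeated.
fetch_once() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
    hash_of "$2" > "$2.sha256"
}

# Returns 0 if the file still matches the digest recorded at fetch time.
unchanged_since_fetch() {
    [ "$(hash_of "$1")" = "$(cat "$1.sha256")" ]
}

# Open the downloaded copy in a pager so a human reads it, then execute the
# same file only if its digest still matches the copy that was reviewed.
review_then_run() {
    script="$1"
    "${PAGER:-less}" "$script"
    printf 'Run %s? [y/N] ' "$script"
    read -r answer
    [ "$answer" = "y" ] || { echo "aborted"; return 1; }
    unchanged_since_fetch "$script" || { echo "file changed after review"; return 1; }
    sh "$script"
}

# Interactive usage:
#   fetch_once "$INSTALLER_URL" ./install.sh && review_then_run ./install.sh
```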
arp242 No.44413542
As far as I know there are zero examples, CVE or not. I have asked several times over the years and thus far no one has been able to provide an example. It just doesn't happen because it just doesn't make much sense.

As I already said years ago[1], if you want to hide some nefarious stuff then you'd do it in something like autoconf soup, or something like that. The install.sh is just too obvious of a place. And this is exactly what happened in the real-world xz attack. I can guarantee you very few, if any, packagers are auditing all of that. And even if they did: it's just so easy to miss.

[1]: https://www.arp242.net/curl-to-sh.html