Piping curl to bash: Convenient but risky

The curl | bash command is a popular shortcut for downloading and executing scripts. This approach is often used for installing software packages and tools. However, despite its convenience, piping curl to bash poses serious security risks that users should be aware of.

How the attack works

This attack hinges on the fact that when you pipe curl to bash, the shell begins executing the script before it’s fully downloaded. Attackers exploit this behavior by crafting scripts that detect when they are being piped to bash. They do this by measuring the time it takes for different parts of the script to be requested by your system.

Here’s a breakdown:

  • The attacker crafts a special script: This script includes commands that introduce delays, like sleep, and large chunks of hidden characters that don’t get displayed in your terminal.
  • You use curl | bash: When you execute the command, your system starts running the script as it’s downloaded.
  • The attacker’s server detects the delay: If the script is being piped to bash, the delays introduced in the script will cause noticeable pauses in the download time. The attacker’s server can detect these pauses.
  • The server delivers a malicious payload: Once the server confirms that the script is being piped to bash, it sends the malicious part of the script.
  • You are none the wiser: Since the malicious commands are hidden within the script, you might not realize anything is amiss until it’s too late.

Real-world implications

this isn’t just a theoretical attack. Proof of concept code exists demonstrating how this attack can be carried out. The implications are serious because attackers can use this technique to gain unauthorized access to your system.

Protecting yourself

The best way to avoid this attack is to avoid piping curl (or wget) directly to bash. Here are safer alternatives:

  1. Download and review: Download the script first using curl or wget, inspect it, and then run it separately. This gives you a chance to examine the code for anything suspicious.
  2. Use package managers: Whenever possible, rely on trusted package managers for software installation. These tools often have security mechanisms in place to verify the integrity of packages.

Conclusion

While curl | bash seems like a quick and easy solution, the risks far outweigh the convenience. By understanding this attack and adopting safer practices, you can significantly improve your security posture.