Curlbomb and Greetings from EnigmaCurry

First a shoutout to @wendell :

Hey Wendell, I watch a shit-ton of youtube, so to say you're my favorite youtuber... might be a bit of a stretch, but I can tell you that you and only two other channels share the privilege of notifying me of new episodes as a popup on my phone. Everything else I watch I see it from the youtube home page whenever I get around to it, but new episodes from Tek Linux is something I want to get my hands on right away, because your videos are SPOT ON sir! I followed your guide on PCI passthrough with KVM, I now own a monster of a PC with 8 cores and two video cards... then I remembered that I hate actually playing video games (I really just like reminiscing) and haven't used it for that. Oh well, I really enjoyed seeing that project work. So now I'm in the process of just setting up this hardware for my regular Linux desktop. New hardware is nice! But I promised myself this time that I would set things up the RIGHT WAY, automating/documenting everything so that I can set everything up again from scratch and be able to maintain a clean machine at all times. (I've just started down the path of completely automating my Arch Linux installation with saltstack... but that's not ready for primetime public use yet.)

That brings me to your latest video on sandstorm - I don't use sandstorm, and honestly I'm not likely to, because I have some different methods to accomplish something similar for myself - but I really liked how the video was presented. At one point in that video you expressed some well-appreciated hesitation in installing via curl | bash. Soo many people don't even think twice about the implications of that sort of thing.

I've been working on a project that tries to salvage the convenience of those "curl bombs" while adding some much needed security features. The project is on my github called curlbomb. Check it out, as I think it's pretty neat and I think that you might appreciate it too. A word of warning though, it's beta. I haven't received much feedback on it at all yet.

And last but not least... Hello to the Tek Syndicate forums! I'm totally new here, but love what I see here. I hope to interact with more of you in the future, and if you have any comments or questions about any of my software, I'm here to talk tech :)

4 Likes

I wanted to see if I could make a trusted curlbomb for sandstorm; this is what I came up with:

You run it like this on the computer you have curlbomb installed on:

curlbomb --unwrapped -1 run sandstorm_curlbomb.sh

(--unwrapped is required for interactive scripts like sandstorm's)

Then on your server (I tested on a digital ocean droplet) run the command it outputs, like:

/bin/bash <(curl -LSs https://example.com:8080/r -H "X-knock: nGL3RM8nO2pT3ZED")

The curlbomb version of this hard codes the PGP key of the sandstorm devs into the script and then downloads the latest sandstorm installer and verifies against the hard coded key. It then automatically starts the installer if the verification succeeds.

You still have to trust the sandstorm devs, no way of getting around that, but at least it takes some of the edginess off the curl | bash.

1 Like

Actually, it's kind of lame to push the script verification onto the client when it could be done much more easily within the curlbomb server.

Here's an easier way, with new options I've added to curlbomb:

Download (and verify yourself!) the sandstorm pgp keys if you don't have them already:

curl https://raw.githubusercontent.com/sandstorm-io/sandstorm/master/keys/release-keyring.gpg | gpg --import

Now download the sandstorm install script into curlbomb:

curl -s https://install.sandstorm.io/install.sh | \
curlbomb --pipe run --signature https://install.sandstorm.io/install.sh.sig [email protected]

In one line that downloads the sandstorm installer, verifies the signature is from the given email address ([email protected]), and then serves the curlbomb to the client like before. The client no longer does any gpg verification, as it's now just trusting that curlbomb is doing that for them.

If you didn't have the sandstorm pgp keys in your keyring, or if the verification failed, curlbomb would output an error before the client could even download:

ERROR:curlbomb.run:Invalid signature for resource

(EDIT: updated for curlbomb 1.4.0 syntax)

1 Like
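Added example (my own shell, not curlbomb's code): the verify-then-run gate that both posts above describe, whether it runs on the client that hard-codes the key or on the curlbomb server before it serves the script. It fetches the installer and its detached signature, asks gpg for machine-readable status lines, and only executes the script if a VALIDSIG line names a pinned fingerprint; a zero exit from `gpg --verify` alone is not enough, because it also succeeds for a signature from any other key that happens to be in the keyring. It assumes curl and gpg are installed and the signing key is already imported. The URLs, the fingerprint and the sample status lines are placeholders I constructed, not Sandstorm's real values.

```shell
#!/usr/bin/env bash
# Added example, not part of curlbomb: download a script plus detached
# signature and run it only if the signature comes from a pinned key.
set -eu

# Decide from `gpg --status-fd` output (on stdin) whether a VALIDSIG line
# names the expected fingerprint. $1: 40-hex-char fingerprint, any case.
# Field 3 of VALIDSIG is the signing (sub)key fingerprint, field 12 the
# primary key fingerprint, so either is accepted.
signature_from_pinned_key() {
    local want
    want="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($12) == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Fetch $1 (script URL) and $2 (detached .sig URL), verify against pinned
# fingerprint $3, and execute the script only after a good, pinned signature.
fetch_verify_run() {
    local url="$1" sig_url="$2" fpr="$3" tmp status
    tmp="$(mktemp -d)"
    trap "rm -rf '$tmp'" EXIT
    curl -fsSL "$url"     -o "$tmp/install.sh"
    curl -fsSL "$sig_url" -o "$tmp/install.sh.sig"
    # --status-fd 1 puts the machine-readable lines on stdout; the human
    # readable chatter goes to stderr and is dropped. A failed verify must
    # not abort under set -e before we have inspected the status lines.
    status="$(gpg --batch --status-fd 1 --verify \
                  "$tmp/install.sh.sig" "$tmp/install.sh" 2>/dev/null || true)"
    if ! printf '%s\n' "$status" | signature_from_pinned_key "$fpr"; then
        echo "refusing to run: no valid signature from pinned key $fpr" >&2
        return 1
    fi
    bash "$tmp/install.sh"
}

# Constructed sample of gpg status output (placeholder fingerprint, not a
# real key) so the parser can be exercised offline without gpg or network.
SAMPLE_FPR='1111222233334444555566667777888899990000'
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2023-01-01 1672531200 0 4 0 1 8 00 1111222233334444555566667777888899990000'

# Usage (placeholder URLs; the installer is only run on a pinned-key match):
# fetch_verify_run https://example.invalid/install.sh \
#                  https://example.invalid/install.sh.sig "$SAMPLE_FPR"
```

Pinning the fingerprint rather than an e-mail address avoids a second trap: a user ID is free text, so anyone can generate a key claiming the same address, and `gpg --verify` will report it as GOODSIG if that key was ever imported. The fingerprint is what the keyring download on the server side should be checked against too.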

Not looked at the code yet but this looks like an interesting little project. @wendell might find it useful ..

1 Like