Expected Behavior
a secure download of the Miniconda install script
Current Behavior
install script is cURL'd with -k, resulting in an insecure transfer and possible arbitrary code execution on my machine.
Steps to Reproduce
run any of these without miniconda installed:
scripts/windows/win_install.bat
scripts/macos/macos_install.sh
scripts/linux/linux_install.sh
pwned
Possible Solution
don't curl executable things insecurely
Context
Below is a copy of the text I had put in a security advisory on both this repository and oobabooga/text-generation-webui as of early December. The response from the maintainers has been radio silence, so I am publishing the text here so that people can know/protect themselves.
Security Advisory
Summary
An unsafe command line argument being passed to cURL allows the Miniconda installer download to be MITM'd.
This downloaded script is subsequently run, potentially resulting in arbitrary code execution on user machines.
Details
Here's an example from scripts/linux/linux_install.sh:
    echo "Downloading Miniconda installer from $MINICONDA_DOWNLOAD_URL"
    curl -LOk "$MINICONDA_DOWNLOAD_URL"
It passes the -k argument to cURL.
cURL man page documentation for -k:
    -k, --insecure
        (TLS SFTP SCP) By default, every secure connection curl makes is
        verified to be secure before the transfer takes place. This
        option makes curl skip the verification step and proceed without
        checking.

        When this option is not used for protocols using TLS, curl
        verifies the server's TLS certificate before it continues: that
        the certificate contains the right name which matches the host
        name used in the URL and that the certificate has been signed by
        a CA certificate present in the cert store. See this online
        resource for further details:
        https://curl.se/docs/sslcerts.html

        For SFTP and SCP, this option makes curl skip the known_hosts
        verification. known_hosts is a file normally stored in the
        user's home directory in the ".ssh" subdirectory, which contains
        host names and their public keys.

        WARNING: using this option makes the transfer insecure.
The operative line is at the end:
WARNING: using this option makes the transfer insecure.
Impact
All users of the following installer scripts are affected:
scripts/windows/win_install.bat
scripts/macos/macos_install.sh
scripts/linux/linux_install.sh
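One way to make the download step fail closed, as an added example that is not code from this repository: curl runs without -k and is restricted to HTTPS, and the installer is checked against a pinned SHA-256 before the caller runs it. The function names and the EXPECTED_SHA256 placeholder are assumptions; MINICONDA_DOWNLOAD_URL is the variable from the script quoted in the advisory.

```shell
#!/bin/sh
# Added example, not the project's code. Function names are hypothetical.
# EXPECTED_SHA256 is a placeholder: pin the digest the publisher lists for
# the exact installer file that MINICONDA_DOWNLOAD_URL points to.

# Download with certificate verification left on (no -k), HTTPS only even
# across redirects, and a non-zero exit on HTTP errors.
fetch_verified_tls() {
    url=$1; out=$2
    curl --fail --location --proto '=https' --proto-redir '=https' \
         --tlsv1.2 --silent --show-error --output "$out" "$url"
}

# SHA-256 of a file: sha256sum on Linux, shasum on macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only when the file exists and its digest equals the pinned one.
# The pinned value is lower-cased so an upper-case hex string still matches.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    actual=$(file_sha256 "$file") || return 2
    [ "$actual" = "$expected" ]
}

# Fetch and verify; on any failure remove the file so nothing unverified is
# left on disk. The caller runs the installer only when this returns 0.
download_installer() {
    url=$1; pinned=$2; out=$3
    fetch_verified_tls "$url" "$out" || { rm -f "$out"; return 1; }
    if ! verify_sha256 "$out" "$pinned"; then
        echo "checksum mismatch for $out, refusing to run it" >&2
        rm -f "$out"
        return 1
    fi
}

# Usage (placeholder digest, assumed output name):
#   download_installer "$MINICONDA_DOWNLOAD_URL" "$EXPECTED_SHA256" miniconda_installer.sh
```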