Also, I wouldn't run a suspicious third-party binary installer anyway. If it is not in the official repositories, it doesn't get installed, because I have no time to figure out if it is safe software or not, what it will do to my system, does it include telemetry, and I have no time to build a sandbox.
Does bash "overlay" /dev/tcp over the filesystem? If the kernel created an actual /dev/tcp file, would bash be unable to access it or...?
They can be but _are_ they? Does their installer actually verify the checksum?
Because if it's designed for systems so minimal/broken they can't do normal HTTPS, I kinda doubt it...
Therefore, it's trivially possible to RCE someone running this script you are MITMing - block all the HTTPS connections, and then replace the binary in the HTTP connection with malware.
Frankly this vulnerability is so obvious and so negligent that I would never use this tool, which is unfortunate as it sounds like a cool idea.
This is the DEFAULT fallback behavior in their installer - not something that only happens on legacy machines.
If I install a project from GitHub on the airport WiFi I'm assuming that the authors know what they're doing and I'm not potentially getting silently MITMed. And when I find out the authors don't know what they're doing to this extreme extent, I note down to never use their project.
(requires bc, doesn't validate cert chain)
azathothas•1d ago
We had to make soar's install script be able to work anywhere. In the article you get to know about http://http.pkgforge.dev & how you can use it to make /dev/tcp finally practical & useful in the modern https age
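The thread's concern is an installer that falls back to plain HTTP, and whether a checksum is ever actually verified. As an added example (not part of the thread and not the project's installer code), here is a fail-closed digest check to run on a downloaded file before it is made executable. The function names `sha256_of`, `verify_pinned` and `install_if_trusted` are hypothetical, and the expected digest is assumed to be pinned in the script or obtained over an authenticated channel.

```shell
# Added example: fail-closed digest check for a file fetched over an
# untrusted transport (plain HTTP, /dev/tcp). All function names are hypothetical.

# Print the lowercase SHA-256 hex digest of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    else
        return 127   # no hashing tool: the caller must treat this as failure
    fi
}

# verify_pinned FILE EXPECTED_HEX
# Returns 0 only when FILE hashes to EXPECTED_HEX. The expected digest must be
# pinned in the installer or come from an authenticated channel (assumption);
# a digest downloaded beside the binary over the same HTTP link proves nothing.
verify_pinned() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not exactly 64 hex characters (empty, truncated,
    # or an HTML error page saved as the "checksum").
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 3
    actual=$(sha256_of "$file") || return 4
    [ "$actual" = "$expected" ] || return 1
}

# install_if_trusted FILE EXPECTED_HEX DEST
# Marks the file executable and moves it into place only after verification.
install_if_trusted() {
    if verify_pinned "$1" "$2"; then
        chmod +x "$1" && mv "$1" "$3"
    else
        echo "refusing to install $1: digest mismatch or unverifiable" >&2
        rm -f "$1"
        return 1
    fi
}
```

A missing hashing tool or a malformed digest is treated the same as a mismatch, so the HTTP fallback path cannot end with an unverified binary being installed.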