They are solving the problem that should not have existed. Simply include the binaries into the installer.
Update: Checked the script, and not only does their official installer not verify the download at all - it immediately executes it.
Since /dev/tcp doesn't work with HTTPS, complex redirect chains or even DNS sometimes, almost all mentions of it in the hacking articles online are not that useful.
codedokode | 10 months ago
Also I wouldn't run suspicious third-party binary installer anyway. If it is not in the official repositories, it doesn't get installed, because I have no time to figure out if it is a safe software or not, what it will do to my system, does it include telemetry, and I have no time to build a sandbox.
unknown | 10 months ago
[deleted]
cmeacham98 | 10 months ago
They can be but _are_ they? Does their installer actually verify the checksum?
Because if it's designed for systems so minimal/broken they can't do normal HTTPS, I kinda doubt it...
cmeacham98 | 10 months ago
Therefore, it's trivially possible to RCE someone running this script you are MITMing - block all the HTTPS connections, and then replace the binary in the HTTP connection with malware.
Frankly this vulnerability is so obvious and so negligent that I would never use this tool, which is unfortunate as it sounds like a cool idea.
ptsneves | 10 months ago
yonatan8070 | 10 months ago
Does bash "overlay" /dev/tcp over the filesystem? If the kernel created an actual /dev/tcp file, would bash be unable to access it or...?
smw | 10 months ago
(requires bc, doesn't validate cert chain)
azathothas | 10 months ago
We had to make soar's install script be able to work anywhere. In the article you get to know about http://http.pkgforge.dev & how you can use it to make /dev/tcp finally practical & useful in the modern HTTPS age.
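The check cmeacham98 asks about in the comments above, as an added example that is not part of the thread or of soar's installer: a fail-closed SHA-256 comparison that runs before a file fetched over plain HTTP is made executable. The function names and the idea of pinning the expected digest inside the installer are assumptions of this example.

```shell
#!/bin/sh
# Added example: refuse to install a downloaded file unless its SHA-256
# matches a digest pinned in the installer. All names here are hypothetical.

# Print the lowercase SHA-256 hex digest of file $1 with whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    else
        return 1    # no hashing tool available: the caller must stop
    fi
}

# verify_download FILE EXPECTED_HEX
# Returns 0 only when FILE exists and its digest equals EXPECTED_HEX.
verify_download() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 2
    # The pinned value must be exactly 64 hex characters.
    case $expected in
        *[!0-9a-fA-F]*) return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 3
    actual=$(sha256_of "$file") || return 4
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] || return 5
    return 0
}

# install_verified FILE EXPECTED_HEX DEST
# Marks FILE executable and moves it to DEST only after the digest matches;
# on any failure the download is deleted so it cannot be run by accident.
install_verified() {
    if verify_download "$1" "$2"; then
        chmod +x "$1" && mv "$1" "$3"
    else
        rc=$?
        rm -f "$1"
        echo "refusing to install $1: digest check failed (code $rc)" >&2
        return 1
    fi
}
```

The expected digest has to reach the user over a channel that someone on the HTTP path cannot rewrite, for example inside an installer obtained over HTTPS; a digest fetched over the same plain-HTTP connection verifies nothing.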