Thread: Curious about a malicious command

  1. #1
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,274
    Distro
    Ubuntu 14.04 Trusty Tahr

    Curious about a malicious command

    Reading about malicious commands, I became really curious about the following:

    WARNING: DO NOT RUN THIS! -->
    Code:
    :(){:|:&};:
    Looking up these commands in the bash manual (man bash), I found that I was unable to decipher it.

    I booted with a Live CD so that it could do no damage, started System Monitor, and tried. My first attempt gave an error:
    bash: syntax error near unexpected token: '{:'
    Well, I expected an error because (according to the manual) '{' and '}' require spaces. So, I re-entered the command with an extra space:
    Code:
    :(){ :|:&};:
    This seemed to work, creating a job in the background. Pressing Enter again showed that the job had already completed:
    [1]+ Done : | :
    As promised, however, the System Monitor showed rapidly increasing CPU and swap, and then the system hung.

    Now, I'm struggling to understand why this should be.

    : -- does nothing.
    () -- supposed to start a subshell, but by itself it simply returns an error, so I don't understand why it works in this case.
    { } -- creates a subset of commands.
    :|:& -- does nothing, but does it in the background.
    ; -- starts a new command.
    : -- does nothing.

    From what I understand, this means, "Do nothing; start a subshell, do nothing and end; start a separate list that does nothing and send it to the background; do nothing."

    So how do all of these bits of "do nothing" manage to hang the machine?
    Full Circle Magazine :: Cheap Linux stickers :: Problems with WINE?
    In my day, we had outdoors in which to run, play, and socialise. Now we have computers to do those.

  2. #2
    Join Date
    Sep 2009
    Location
    Freiburg/Germany
    Beans
    1,112
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: Curious about a malicious command

    Code:
    :(){:|:&}
    defines a function named ":" that runs
    Code:
    :|:&
    - that is, it calls itself, piping its output to another instance of itself (so both instances are running at the same time).

    The remaining
    Code:
    ;:
    just gets the thing started by calling the first instance of ":". And in no time you have millions of this beast running, eating up as much CPU, memory and PIDs as possible.
    ClassicMenu Indicator - classic GNOME menu for Unity
    Unsettings - configuration program for the Unity
    Privacy Indicator - easily switch privacy settings in Unity
    Arronax - create and modify app starters

  3. #3
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,274
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Curious about a malicious command

    Quote Originally Posted by diesch View Post
    ... defines a function named ":"
    Doh!

    I should have figured that one out!

    Thank you very much.

  4. #4
    Join Date
    Apr 2009
    Beans
    264
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Curious about a malicious command

    It's called a fork bomb. http://en.wikipedia.org/wiki/Fork_bomb

    Out of curiosity, just in case someone could help me solve a debate, is it a sign of a good OS/computer that just goes poof when fork bombed versus going down slowly?

    (Also, the command, as far as I know, isn't dangerous, other than a very sudden crash. But I guess you risk filesystem corruption, maybe?)

  5. #5
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,274
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Curious about a malicious command

    Quote Originally Posted by Muscovy View Post
    Out of curiosity, just in case someone could help me solve a debate, is it a sign of a good OS/computer that just goes poof when fork bombed versus going down slowly?
    A "good" OS is one that allows for holes. It's impossible to close all holes. (This is well explained in the dated, but still excellent, Gödel, Escher, Bach by Douglas Hofstadter.)

    Whether the computer fails suddenly (which really means in less time than the human brain would recognise, probably less than a quarter of a second) or over several seconds is probably only a difference in the hardware that you have rather than anything in the OS.

  6. #6
    Join Date
    Dec 2006
    Beans
    Hidden!

    Re: Curious about a malicious command

    Quote Originally Posted by diesch View Post
    Code:
    :(){:|:&}
    defines a function named ":" that runs
    Code:
    :|:&
    - that is, it calls itself, piping its output to another instance of itself (so both instances are running at the same time).

    The remaining
    Code:
    ;:
    just gets the thing started by calling the first instance of ":". And in no time you have millions of this beast running, eating up as much CPU, memory and PIDs as possible.
    Yeah. The reason this is exploitable is precisely that it is a one-liner with a funny appearance.

    It could be written in separate lines and it's more understandable:
    Code:
    #/bin/sh
    
    bomb() {
        bomb | bomb &
    }
    
    bomb
    The incomplete shebang is intentional.

  7. #7
    Join Date
    Sep 2009
    Location
    Freiburg/Germany
    Beans
    1,112
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: Curious about a malicious command

    You can define limits in /etc/security/limits.conf to prevent a fork bomb from eating up all resources; see man limits.conf.

  8. #8
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,274
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Curious about a malicious command

    Quote Originally Posted by diesch View Post
    ... /etc/security/limits.conf ...
    Thanks for the note.

    I presume that you would use nproc.

    Even then, you would have a problem, because as the forks fill up your limit, you wouldn't be able to do anything.
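The limits.conf approach from posts #7 and #8, as an added example that is not part of the thread: a shell function that reads limits.conf-style lines and reports which nproc value applies to a given user. The sample entries, user names and group names are constructed, and the precedence used (user entry over @group over "*", group and wildcard entries skipped for root, last matching line wins within a level) is this example's reading of limits.conf(5).

```shell
#!/bin/sh
# Constructed sample in limits.conf format: <domain> <type> <item> <value>
SAMPLE_LIMITS='# constructed sample, not from a real system
*          soft  nproc  2048
*          hard  nproc  4096
@students  hard  nproc  200
alice      -     nproc  500
root       hard  nproc  unlimited
'

# nproc_limit USER TYPE "GROUP1 GROUP2 ..." [TEXT]
# Prints the nproc value that applies to USER for TYPE (soft|hard),
# or "none" when no entry matches. TEXT defaults to the sample above;
# pass "$(cat /etc/security/limits.conf)" to check a real file.
nproc_limit() {
    user=$1
    type=$2
    groups=$3
    text=${4:-$SAMPLE_LIMITS}
    printf '%s\n' "$text" | awk -v u="$user" -v t="$type" -v g="$groups" '
        BEGIN {
            n = split(g, arr, " ")
            for (i = 1; i <= n; i++) ing["@" arr[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        $3 != "nproc" { next }           # only the process-count item
        $2 != t && $2 != "-" { next }    # "-" sets soft and hard together
        {
            if ($1 == u) rank = 3                             # user entry
            else if (($1 in ing) && u != "root") rank = 2     # @group entry
            else if ($1 == "*" && u != "root") rank = 1       # wildcard
            else next
            if (rank >= best) { best = rank; val = $4 }       # last line wins
        }
        END { print (best ? val : "none") }'
}

# Stand-alone demo on the constructed sample: bob is a member of "students".
echo "bob hard nproc: $(nproc_limit bob hard students)"
```

In bash, `ulimit -u` shows the limit actually in force for the current session. The nproc limit is counted per user, so a session under a different account is not counted against it.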
