Don't Curl Me!

To view our proof of concept, try running this (it's relatively harmless):


What does it do?

This example makes your terminal ding if supported, and garbles any further input or output in that terminal session, without making any permanent changes. Exit the session to reset it.

View it here

How does it work?

When cUrl fetches a website, it prints the raw contents to standard output, including ASCII escape characters.

When a terminal emulator comes across an ASCII escape character, it does what the escape sequence tells it to do.

This allows us to make your terminal go "ding", garble all text output from your terminal and hide things like malicious code.

How can I stop it?

cat -v escapes escape characters, so running curl -s | cat -v will allow you to see the script without it messing up your terminal.

Be wary of anything printing raw output to your terminal. You can use less to view files without being affected by ASCII escape codes.

Read More

We were inspired by this blog post to make a proof of concept about how ANSI escape can be harmful.

Blog Post by InfosecMatter

Jimmy's Github

Joe's website