New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shared Secret Passed on Command Line Possibly Leaks to other Local Users #598
Comments
Isn't that knowledge only available AFTER the intended receiver starts receiving the file? |
It is a race condition. The command line will be visible in the process list as soon as the process is created by the kernel. The connection to the relay will not have been created yet. A local attacker that knows what to look for can try to be faster in connecting to the relay and thus "steal" the files. There is no guarantee that it works - as usual with race conditions - and there is only one shot available. It would be worse if custom password is used by the sender and is also reused, because then the obtained information will be valid for multiple transmissions. |
Mitre assigned CVE-2023-43621 to track this issue. |
Shouldn't CVE-2023-43621 cover 9.6.6 as well? |
continue discussion on #701 |
On the sender side a custom shared secret can be specified via the
croc send --code <SECRET>
command line. On the receiver side the shared secret, custom or not, is typically passed on the command line using thecroc <SECRET>
command line . The latter invocation variant is actively advocated by the output displayed on the sender side like:By passing the shared secret on the command line it will become visible on the host's process list for all local users (on Linux and most UNIX like systems). On a multi user system this might allow other local users to get knowledge of the shared secret and to receive the files instead of the intended recipient.
To fix this, the shared secret should be read from stdin, a local file or an environment variable, even though it will be less intuitive than passing it on the command line.
The text was updated successfully, but these errors were encountered: