immunIT / drupwn

Drupal enumeration & exploitation tool
GNU General Public License v3.0
585 stars 129 forks

Local privilege escalation through temporary file #6

Closed cym13 closed 6 years ago

cym13 commented 6 years ago

In engine/Logger.py line 13 we read:

if status:
    # fixed, predictable path in a world-writable directory; open(..., "w")
    # follows symlinks and truncates whatever the link points to
    self.fd = open("/tmp/drupwn.txt", "w")

This opens the possibility for a privilege escalation, as any user might create the file /tmp/drupwn.txt in advance and redirect its output through a symbolic link. Rewriting ~/.ssh/authorized_keys, for example, gives shell access to that user's account.

Granted most pentesters don't run security tools on shared machines, but there is no reason to leave that door open either. A securely opened and randomly named file should be used instead:

import tempfile

if status:
    # random name created with O_EXCL and mode 0600; delete=False keeps
    # the log on disk after close, otherwise it vanishes with the handle
    self.fd = tempfile.NamedTemporaryFile(prefix="drupwn-", suffix=".txt",
                                          mode="w", delete=False)

(mktemp is not secure in python, mkstemp isn't nice to work with, TemporaryFile doesn't create an actual file on linux so it's no good for logging, hence NamedTemporaryFile.)

Bonus: that also makes drupwn less platform dependent.

immunIT commented 6 years ago

Hi @cym13,

Thanks for your input. Even if the risks involved are low, I will check this out and release a patch for the next release.

immunIT commented 6 years ago

Hi,

This issue has been partially fixed in release 0.9.2. However, we still use the /tmp/ folder to save the logs. Indeed, knowing where this information is stored is unavoidable in order to retrieve it when using the Docker image.

Thanks again for your review.

Best,
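The following is an added illustration written for this page; it is not code from drupwn or from either participant. It replays the symlink scenario cym13 describes and then shows two hardened openings: the random-name `tempfile.NamedTemporaryFile` cym13 proposes, and an `O_CREAT|O_EXCL|O_NOFOLLOW` open at a fixed path, which keeps the log at a location known in advance (the constraint immunIT raises for the Docker image) while still refusing to follow a pre-planted link. Everything runs inside a private scratch directory standing in for `/tmp`; the "authorized_keys" content and the file names are constructed for the demo, not taken from the issue.

```python
import os
import stat
import tempfile
from pathlib import Path


def unsafe_open_log(path):
    """The original pattern: open(path, "w") follows a pre-planted symlink
    and truncates/overwrites whatever it points to."""
    return open(path, "w")


def safe_open_known_path(path):
    """Open a log at a fixed, predictable path without following symlinks.

    O_CREAT|O_EXCL fails if anything already exists at the path, a symlink
    included, whatever it points to; O_NOFOLLOW (where the platform has it)
    is belt-and-braces; mode 0o600 keeps other users out of the log."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def safe_open_random_name(directory):
    """The fix cym13 proposes: an unpredictable name created with O_EXCL and
    mode 0o600, so there is nothing for an attacker to plant in advance.
    delete=False keeps the log on disk after close."""
    return tempfile.NamedTemporaryFile(prefix="drupwn-", suffix=".txt", mode="w",
                                       dir=directory, delete=False)


def run_scenario():
    """Constructed scenario (not from the issue): play both attacker and tool
    inside a private scratch directory and report what happened."""
    workdir = Path(tempfile.mkdtemp(prefix="drupwn-demo-"))
    results = {}

    # Attacker step: a victim file, and a symlink planted at the well-known log path.
    victim = workdir / "authorized_keys"
    victim.write_text("ssh-ed25519 AAAA...legit victim@host\n")  # constructed sample
    planted = workdir / "drupwn.txt"
    os.symlink(victim, planted)

    # 1. The original open(..., "w") pattern: the tool's output lands in the victim's file.
    with unsafe_open_log(planted) as log:
        log.write("ssh-ed25519 BBBB...attacker attacker@evil\n")  # constructed sample
    results["unsafe_overwrote_victim"] = "attacker@evil" in victim.read_text()

    # 2. Same predictable path, hardened open: refused because a symlink already sits there.
    try:
        with safe_open_known_path(planted) as log:
            log.write("this should never be written\n")
        results["hardened_refused"] = False
    except OSError:  # FileExistsError (EEXIST) or ELOOP, depending on which flag trips first
        results["hardened_refused"] = True
    results["victim_untouched_by_hardened"] = "never be written" not in victim.read_text()

    # 3. Hardened open at a fresh predictable path works and yields a private regular file.
    fresh = workdir / "drupwn-fresh.txt"
    with safe_open_known_path(fresh) as log:
        log.write("scan log\n")
    st = os.lstat(fresh)
    results["fresh_is_regular_0600"] = stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600

    # 4. Random-name variant: also a private regular file, and it survives close.
    with safe_open_random_name(workdir) as log:
        log.write("scan log\n")
        random_name = log.name
    rst = os.lstat(random_name)
    results["random_is_regular_0600"] = (stat.S_ISREG(rst.st_mode)
                                         and stat.S_IMODE(rst.st_mode) == 0o600
                                         and os.path.basename(random_name).startswith("drupwn-"))
    results["random_survives_close"] = os.path.exists(random_name)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The fixed-path variant is the one that fits the Docker constraint: the log stays at a documented location, but a run aborts instead of writing through a link or into a file another user left behind. Even so, `/tmp` is shared; a per-user directory created with `tempfile.mkdtemp` or a path under `~` is harder to tamper with than a single predictable file in a world-writable directory.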