multi/manage/sudo writes clear text password to world-readable file in /tmp/

[bcoles]

multi/manage/sudo performs automatic cleanup, but there's still a window of exposure.

In a worst case scenario, the password is present and readable for 120 seconds.

https://github.com/rapid7/metasploit-framework/blob/d52f039fa683a21ad570c3a69392f7ce20d0dcfd/modules/post/multi/manage/sudo.rb#L100

Highlighted in https://github.com/rapid7/metasploit-framework/pull/13886#issuecomment-663014165 but never addressed.

[github-actions[bot]]

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

[github-actions[bot]]

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.