Comments (3)
Isn't that knowledge only available AFTER the intended receiver starts receiving the file?
Isn't that knowledge only available AFTER the intended receiver starts receiving the file?
It is a race condition. The command line will be visible in the process list as soon as the process is created by the kernel. The connection to the relay will not have been created yet. A local attacker that knows what to look for can try to be faster in connecting to the relay and thus "steal" the files. There is no guarantee that it works - as usual with race conditions - and there is only one shot available.
It would be worse if a custom password is used by the sender and is also reused, because then the obtained information will be valid for multiple transmissions.
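An added example (not croc's code) of the defensive pattern the reply above implies: take the code phrase from a channel that never shows up in the process list (an environment variable or an interactive prompt) and detect when a caller passed it in argv anyway. The option names `--code`/`-c` and the variable `EXAMPLE_TRANSFER_SECRET` are assumptions, not croc's identifiers.

```python
"""Added example, not croc's code: keep the transfer code phrase out of argv.

As the reply above explains, a secret passed on the command line is readable by
every local user via the process list from the instant the process exists, before
the sender has even connected to the relay. The pattern shown here takes the
secret from a channel that does not appear in the process list (an environment
variable or an interactive prompt) and detects when a caller put it in argv
anyway. All option and variable names below are hypothetical.
"""
import getpass

SECRET_ENV = "EXAMPLE_TRANSFER_SECRET"  # hypothetical environment variable
SECRET_OPTS = ("--code", "-c")          # hypothetical CLI options


def secret_in_argv(argv):
    """Return the code phrase if it was passed on the command line, else None.

    Handles both '--code PHRASE' and '--code=PHRASE'. Anything returned here has
    already been exposed in the process list, so the caller must treat it as burned.
    """
    for i, tok in enumerate(argv):
        for opt in SECRET_OPTS:
            if tok == opt and i + 1 < len(argv):
                return argv[i + 1]
            if tok.startswith(opt + "="):
                return tok[len(opt) + 1:]
    return None


def resolve_secret(argv, environ, prompt=getpass.getpass):
    """Return (code phrase, source) with source in {'argv', 'env', 'prompt'}.

    argv is checked first so an exposed phrase is always reported, even when a
    safe source is also present; the caller should refuse to send with a phrase
    whose source is 'argv'. On Linux, /proc/<pid>/environ is readable only by the
    process owner, whereas /proc/<pid>/cmdline is world-readable.
    """
    exposed = secret_in_argv(argv)
    if exposed is not None:
        return exposed, "argv"
    from_env = environ.get(SECRET_ENV)
    if from_env:
        return from_env, "env"
    return prompt("code phrase: "), "prompt"
```

A sender built this way would refuse any phrase reported with source `argv`, since a local observer may already have read it from the process list before the relay connection exists.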
Mitre assigned CVE-2023-43621 to track this issue.