
Raw file removal code commented in recent commit

Open meck-gd opened this issue 2 years ago • 1 comments

In commit https://github.com/DFIRKuiper/Kuiper/commit/ebbc5b74fb8ea5e2cdf91809e07d97d0ac60f426 the functionality for removing raw files from disk after extraction was commented.

Was this done on purpose? It looks like it may have been a test and you forgot to put it back before committing.

meck-gd, Dec 11 '23 13:12

By the way, the same commit adds a shell command injection with this line if you control zip_path:

       p = subprocess.Popen(" ".join(["7z", "x", zip_path, "-o" + dst_path, "-y" , ">" , "/dev/nul"]), stdout=subprocess.PIPE, shell=True)

meck-gd, Apr 24 '24 13:04

Hello, this commit was left by mistake after testing. Regarding the 7z, it is used to avoid using zipfile in Python, since it sometimes gives errors when decompressing zip files. I think it is an issue with ZipFile in Python 2.7.

salehmuhaysin, May 13 '24 07:05

Hi Saleh, the point is that using " ".join(...) AND shell=True is highly insecure. You can just pass a list directly as the first Popen parameter rather than joining a string, which will cause all arguments to be quoted properly.

subprocess.Popen(["7z", "x", zip_path, "-o" + dst_path, "-y"], stdout=subprocess.PIPE)

meck-gd, May 13 '24 14:05
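
The list form suggested above, worked through as an added example (not Kuiper's code and not written by either commenter), assuming Python 3. The helper names and the sample file name are constructed here. It keeps the directory attached to `-o`, ends switch parsing with `--`, and compares the tokens a shell derives from the joined string with the arguments a child process receives from the list.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample: an uploaded archive name containing a shell control operator.
SAMPLE_NAME = "case 01; notes.zip"


def shell_tokens(zip_path, dst_path):
    """Tokens a shell derives from the joined string quoted in the issue (nothing runs)."""
    joined = " ".join(["7z", "x", zip_path, "-o" + dst_path, "-y", ">", "/dev/nul"])
    return list(shlex.shlex(joined, posix=True, punctuation_chars=True))


def build_7z_argv(zip_path, dst_path):
    """Argument vector for Popen/run without shell=True."""
    return [
        "7z", "x",
        "-o" + dst_path,  # 7z takes the directory attached to the switch: -o<dir>
        "-y",
        "--",             # stop switch parsing, so a name starting with "-" stays a file
        zip_path,
    ]


def child_view(argv):
    """Arguments a child process actually receives; a Python stand-in replaces 7z."""
    probe = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
    done = subprocess.run(probe + argv[1:], stdout=subprocess.PIPE, check=True)
    return json.loads(done.stdout)


def extract(zip_path, dst_path):
    """Run 7z on the list form; DEVNULL replaces the shell redirect."""
    return subprocess.run(build_7z_argv(zip_path, dst_path),
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode


if __name__ == "__main__":
    print("shell sees :", shell_tokens(SAMPLE_NAME, "/tmp/out"))
    print("child sees :", child_view(build_7z_argv(SAMPLE_NAME, "/tmp/out")))
```

In the shell view the file name is broken apart and `;` appears as its own token, while the child process receives the whole name as a single argument.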

A lot of security concerns are not taken into consideration; the assumption is that Kuiper is running in a closed environment. If somebody wants to run malicious code, it is possible to upload it as a new parser :)

salehmuhaysin, May 14 '24 15:05