On 12/5/19 3:28 AM, pr...@tutanota.de wrote:

I should have mentioned that this was part of a bigger script, using qvm-copy
would have required me to also pass along the qube name, so I could then cd to
the correct QubesIncoming directory. Keeping it simple I went with tar:

Script one on the client:

tar -c $@ | cat

Script two on the server:

cat | tar -x

Thanks for the help!

It might also work without cat, tar just doesn't like to print to shells.

And you'll probably want to quote your $@ --> "$@" for files with spaces and other special characters if you're running inside bash.

Can a hacker use the same script to transfer files from a victim's PC remotely?
And if so, how easy is it?
This can't be used remotely; the server I mention above is another virtual
machine in the same Qubes system. This is just sending files between two qubes.

If tar is exploitable, then the client VM can use that exploit on the server VM above to execute code, yes. Also see [1].

For example the first script of this topic should be fairly easy to exploit.

In total I'd recommend to stick with the means provided unless absolutely necessary.

[1] https://www.qubes-os.org/doc/qrexec/
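
Added example (not part of the thread, and not Qubes code): a receiving-side unpacker for the `cat | tar -x` step that refuses archive members a hostile sending qube could use to write outside the destination directory. `safe_extract_stream` and `constructed_archive` are hypothetical names; the check covers hostile member names and types only, not bugs in the tar parser itself, and files accepted before a refused member stay on disk.

```python
import io
import os
import shutil
import sys
import tarfile


def safe_extract_stream(stream, dest):
    """Unpack a tar stream into dest; accept only regular files and
    directories whose resolved path stays inside dest."""
    dest = os.path.realpath(dest)
    written = []
    # "r|" reads a non-seekable stream, e.g. the stdin pipe of `cat | tar -x`.
    with tarfile.open(fileobj=stream, mode="r|") as tar:
        for member in tar:
            # Rejects symlinks, hard links, device nodes and FIFOs.
            if not (member.isreg() or member.isdir()):
                raise ValueError(f"refused member type: {member.name!r}")
            target = os.path.realpath(os.path.join(dest, member.name))
            # Rejects absolute names and ../ escapes (also via existing symlinks).
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"refused path: {member.name!r}")
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                shutil.copyfileobj(tar.extractfile(member), out)
            written.append(os.path.relpath(target, dest))
    return written


def constructed_archive(entries):
    """Build an in-memory tar from (name, type) pairs; constructed test input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind in entries:
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = "/etc" if kind == tarfile.SYMTYPE else ""
            info.size = 5 if kind == tarfile.REGTYPE else 0
            tar.addfile(info, io.BytesIO(b"hello"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Receiving side, in place of `cat | tar -x`: python3 receive.py DEST < stream
    print(safe_extract_stream(sys.stdin.buffer, sys.argv[1]))
```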
