Crypto and Security Brain Teaser

Assuming this code works, what is wrong with the functionality from a security and crypto perspective?


#!/usr/bin/env ruby
# This program encrypts and decrypts messages at the command line.
# It runs setuid root, so that it can be used by users without giving
# them access to the (root-owned) secret encryption key.

require 'openssl'

SECRET_KEY="/etc/secrypt.key"
OUTPUT_FILE="/tmp/secrypt.out"

cipher = OpenSSL::Cipher::Cipher.new('aes-256-ecb')

case ARGV.shift
when 'encrypt'
  cipher.encrypt
when 'decrypt'
  cipher.decrypt
else
  puts "Usage: #{$0} [encrypt|decrypt] <file>"
  exit 1
end

cipher.key=(File.read(SECRET_KEY))
input = File.open(ARGV.shift)
output = File.open(OUTPUT_FILE, "w")

input.each_line do |l|
  output.write(cipher << l)
end


Here are a few hints…
I found 4 crypto-related problems and one security/privilege escalation issue.
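As an added example that is not part of the original teaser, here is how the cipher core could be written with an authenticated mode (AES-256-GCM with a fresh random IV per message and a proper final call) instead of raw ECB; it covers only the crypto side, not the setuid or output-file handling. The helper names and the IV || tag || ciphertext output layout are my own assumptions.

```ruby
require 'openssl'

# Hypothetical hardened core for the teaser (added example, not the page's code).
# Output layout: 12-byte IV || 16-byte GCM tag || ciphertext.
IV_LEN  = 12
TAG_LEN = 16

def encrypt_message(key, plaintext)
  raise ArgumentError, 'key must be exactly 32 bytes' unless key.bytesize == 32
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv          # fresh IV per message; never reuse one with this key
  cipher.auth_data = ''
  # update raises on empty input, so only call it when there is data;
  # final flushes the last block, which the teaser's loop never does.
  ct = plaintext.empty? ? cipher.final : cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ct
end

def decrypt_message(key, blob)
  raise ArgumentError, 'key must be exactly 32 bytes' unless key.bytesize == 32
  raise ArgumentError, 'blob too short' if blob.bytesize < IV_LEN + TAG_LEN
  iv  = blob.byteslice(0, IV_LEN)
  tag = blob.byteslice(IV_LEN, TAG_LEN)
  ct  = blob.byteslice(IV_LEN + TAG_LEN, blob.bytesize - IV_LEN - TAG_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag          # must be set before final
  cipher.auth_data = ''
  # final verifies the tag and raises CipherError on any tampering
  ct.empty? ? cipher.final : cipher.update(ct) + cipher.final
end

# Convenience wrapper: nil instead of an exception when authentication fails.
def decrypt_or_nil(key, blob)
  decrypt_message(key, blob)
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $0
  key  = OpenSSL::Random.random_bytes(32)            # constructed sample key
  blob = encrypt_message(key, "attack at dawn\nattack at dawn\n")
  puts decrypt_message(key, blob)
end
```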