Command Injection in thebeet/idevicekit


Reported on

May 8th 2020


Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command that will be executed without any checks. There is a possible bypass of the _checkSerial function leading to malicious serial variable content injection. Then, the serial variable is concatenated inside a command executed through the exec function, leading to RCE.


to join this conversation