Command Injection in zamotany/logkitty


Reported on

Mar 27th 2020


The issue occurs because a user input is formatted inside a command that will be executed without any check.

Proof of Concept (Credit: Mik317)

  1. Check there aren't files called HACKED
  2. Execute the following commands in another terminal:

npm i logkitty # Install affected module

logkitty android app 'test; touch HACKED' #  Note the *touch command* is inside the *'* (single quote), so it's an argument, while it will be executed anyway

  1. Recheck the files: now HACKED has been created
to join this conversation