Command Injection in sofianehamlaoui/lockdoor-framework

Valid

Reported on

May 3rd 2021


✍️ Description

Command injection occurs because user-supplied input is passed, without sanitization, into shell command strings that the package executes through os.system(). Since the package runs only as root, every command it builds is executed with root privileges, so any extra command injected through simple shell metacharacters (such as ;, &&, |) at the input side also runs as root.
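The pattern described above, as an added illustration that is not code from lockdoor-framework: a hypothetical tool wrapper that concatenates a user-supplied target into an os.system() string, a helper that approximates how /bin/sh splits that string into separate commands (it only tokenizes, it never executes), and two hardened forms, an allow-listed argv passed to subprocess without a shell, and shlex.quote() for the case where a shell string cannot be avoided. The tool name, the flag and the host pattern are assumptions for the example.

```python
# Added example, not lockdoor-framework's own code. TOOL and the -sV flag
# are assumptions standing in for whatever external command the package runs.
import re
import shlex
import subprocess

TOOL = "nmap"


def build_vulnerable_command(target: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into one shell string.
    This is exactly the string os.system() would hand to /bin/sh -c."""
    return f"{TOOL} -sV {target}"


def shell_commands(cmdline: str) -> list:
    """Approximate how /bin/sh splits a command line into separate commands.
    Runs of the metacharacters ; | & start a new command; quoted text stays
    one word. This only tokenizes, it does not execute anything."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "||", "&", "&&"):
            if current:
                commands.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(" ".join(current))
    return commands


# Hardened form 1: allow-list the input, then never let a shell parse it.
HOST_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")  # assumed host/IP pattern


def is_safe_target(target: str) -> bool:
    """True only for strings made of letters, digits, dots and hyphens."""
    return HOST_RE.fullmatch(target) is not None


def build_safe_argv(target: str) -> list:
    """Reject anything outside the allow-list and return an argv list.
    subprocess.run(argv) with the default shell=False passes the target as a
    single argument; no shell metacharacter is ever interpreted."""
    if not is_safe_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return [TOOL, "-sV", target]


def run_safe(target: str) -> subprocess.CompletedProcess:
    """Execute the tool without a shell (requires TOOL to be installed)."""
    return subprocess.run(build_safe_argv(target), capture_output=True, text=True)


# Hardened form 2: if a shell string is unavoidable, quote the value so the
# shell sees one literal word. Allow-listing is still the better choice.
def build_quoted_command(target: str) -> str:
    return f"{TOOL} -sV {shlex.quote(target)}"


if __name__ == "__main__":
    # Constructed attacker input: a valid-looking host followed by a command.
    payload = "127.0.0.1; id"
    print("vulnerable :", shell_commands(build_vulnerable_command(payload)))
    print("quoted     :", shell_commands(build_quoted_command(payload)))
    print("allow-list :", is_safe_target(payload), is_safe_target("127.0.0.1"))
```

The vulnerable string splits into two commands, `nmap -sV 127.0.0.1` followed by `id`, and under root that second command runs as root. The quoted form yields a single command whose last argument is the literal text `127.0.0.1; id`, and the allow-listed form rejects the payload before any process is started.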

🕵️‍♂️ Proof of Concept

https://user-images.githubusercontent.com/43377443/116853780-3e54cb80-ac14-11eb-9f11-5bebc0a8320f.mp4

💥 Impact

Command injection leading to privilege escalation: because the package runs as root, any command injected through its input is executed with root privileges.
