Command Injection in sofianehamlaoui/lockdoor-framework


Reported on

May 3rd 2021

✍️ Description

Command injection occurs due to lack of sanitization of input passed to the os.system() command usage in the package. as the package runs only as root every command processed inside the package system command will be running with root privileges , so every command passed via simple bash escapes at the input side will be running with higher priorities.

🕵️‍♂️ Proof of Concept

💥 Impact

privilege escalation Command Injection

to join this conversation