search

zach-klippenstein / adbfs

A FUSE filesystem that uses goadb to expose Android devices' filesystems.
Apache License 2.0
150 stars 12 forks source link

Arbitrary Command Injection via runCommand #44

Open zachriggle opened 7 years ago

zachriggle commented 7 years ago

It looks like the runCommand escaping is quite naive, and will pass along special characters without escaping.

As an example:

cd mount-point
echo Hello > '$(touch /data/local/tmp/hello)'
rm '$(touch /data/local/tmp/hello)'

Should propagate to the ADB protocol command:

shell:"$(touch /data/local/tmp/hello)"

Which allows arbitrary command execution.

zach-klippenstein commented 7 years ago

Nice catch! Unfortunately I don't know when I'll have time to fix this.