Command Injection in Framework APK Input File #29

Closed
secretsquirrel opened this issue Apr 23, 2015 · 3 comments

@secretsquirrel

Not a big deal, just if there was a malformed file name.
https://github.com/georgiaw/Smartphone-Pentest-Framework/blob/master/frameworkconsole/framework.py#L97

[image: cmd_injection]

@georgiaw
Owner

Well sure. In general you can do that pretty much any place that takes
input in SPF. That's the main reason there's no web interface at the moment,
that it's just PoC, not production. If I had developers maybe that wouldn't
be the case anymore. But nice find anyhow. Please don't turn it into a CVE or
OSVDB or anything or else I'll have to take it all down again and people
won't be able to play with it.
Georgia
On Apr 22, 2015 11:55 PM, "secret squirrel" notifications@github.com wrote:

> Not a big deal, just if there was malformed name.
>
> https://github.com/georgiaw/Smartphone-Pentest-Framework/blob/master/frameworkconsole/framework.py#L97
>
> [image: cmd_injection]
> https://cloud.githubusercontent.com/assets/1679850/7290330/f551bc96-e94a-11e4-9379-8dfd4018648e.png

@secretsquirrel
Author

No worries.

@georgiaw
Owner

I'm not really planning on doing anything about this. It runs as root and is only accessible via the command line so you'd have to have a root level shell on a system in order to be running it. Thus the actual risk of the injection is negligible since you don't gain anything.
