Summary
Package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name.
|
String cmd = "am start -D -n " + fullAppName; |
|
res = ADB.execShellCommandRaw(info.getSerial(), cmd, socket.getOutputStream(), socket.getInputStream()); |
PoC
- Create an app with package name of "com.example | svc power shutdown | echo".
- Open apk in jadx.
- Verify package name
- In the debug menu, click on "Launch App" button
- Verify that phone is shutting down
Impact
User would expect app to run with untrusted app privileges and may have set his environment accordingly. But this vulnerability allows attacker to execute command with shell privileges.
0x33c0unt Reporter
Summary
Package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name.
jadx/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java
Lines 108 to 109 in 9114821
PoC
Impact
User would expect app to run with untrusted app privileges and may have set his environment accordingly. But this vulnerability allows attacker to execute command with shell privileges.