PT-2026-25520 · Crates.Io · Zeptoclaw
Published 2026-03-05 · Updated 2026-03-05
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Summary
zeptoclaw implements a blocklist to prevent dangerous commands from running in the Android device shell, but several entries pair a command with its arguments as one literal pattern (for example `rm -rf`). Because the check is a plain substring match on the normalized command line, it can be bypassed simply by combining or reordering the arguments, for example `rm -fr` or `rm -f -r`.
Details
In src/tools/android/actions.rs#L413-L424 the patterns `rm -rf` and `rm -r` are hard coded and matched with `contains`. The `rm -r` entry still catches `rm -r -f`, but the clustered form `rm -fr` and the split form `rm -f -r` contain neither pattern and pass the check unchanged:
```rust
pub async fn device_shell(adb: &AdbExecutor, cmd: &str) -> Result<String> {
    // Normalize whitespace for blocklist check
    let normalized: String = cmd.split_whitespace().collect::<Vec<_>>().join(" ");
    let lower = normalized.to_lowercase();
    let blocked = [
        "rm -rf",
        "rm -r",
        "reboot",
        "factory_reset",
        "wipe",
        "format",
        "dd if=",
        "mkfs",
        "flash",
        "fastboot",
    ];
    for pattern in &blocked {
        if lower.contains(pattern) {
            return Err(ZeptoError::Tool(format!(
                "Blocked dangerous command containing '{}'",
                pattern
            )));
        }
    }
    // (remainder of the function, which runs the command through adb, is not quoted in the advisory)
```
PoC
Set up zeptoclaw with the Android tool enabled and then ask it to run the device shell command `rm -f -r <path>`: the substring check does not match `rm -rf` or `rm -r`, so the recursive delete is passed to adb.
Impact
Unauthorized command execution on the Android device: an attacker who can influence the command string (for example through prompt injection into the agent) can run recursive deletes and other commands the blocklist was meant to stop.
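The bypass and one way to make the check insensitive to flag ordering, as an added example that is not zeptoclaw's code. `naive_blocked` reproduces the substring match quoted above on a subset of the list; `hardened_blocked` splits the input into simple commands, resolves the program name (treating absolute paths and `busybox`/`toybox` applet invocations as the same program, an assumption about how the shell line could be written) and parses `rm`'s short-option clusters so that `-rf`, `-fr`, `-f -r` and `-R` are all handled alike. The function names and the sample commands are constructed for this example.

```rust
// Added example (not zeptoclaw's code): the substring blocklist quoted in the
// advisory next to a token-based check that does not depend on flag order.

/// Subset of the quoted blocklist, kept for comparison.
const NAIVE_BLOCKED: [&str; 4] = ["rm -rf", "rm -r", "reboot", "dd if="];

/// Naive check modelled on the quoted code: whitespace-normalise, lowercase,
/// then substring match. Returns the pattern that fired.
fn naive_blocked(cmd: &str) -> Option<&'static str> {
    let normalized = cmd.split_whitespace().collect::<Vec<_>>().join(" ");
    let lower = normalized.to_lowercase();
    NAIVE_BLOCKED.iter().copied().find(|p| lower.contains(*p))
}

/// Programs blocked by name; compared as a whole token on the basename,
/// not as a substring of the command line.
const BLOCKED_PROGRAMS: [&str; 4] = ["reboot", "mkfs", "fastboot", "dd"];

/// Hardened check: split on shell separators, identify the program of each
/// simple command, and parse `rm` options instead of matching literal text.
fn hardened_blocked(cmd: &str) -> Option<String> {
    for segment in cmd.split(|c: char| matches!(c, ';' | '|' | '&' | '\n')) {
        let mut tokens = segment.split_whitespace();
        let mut prog = match tokens.next() {
            Some(t) => basename(t),
            None => continue,
        };
        // `busybox rm ...` / `toybox rm ...` run the applet named by the next token.
        if prog == "busybox" || prog == "toybox" {
            prog = match tokens.next() {
                Some(t) => basename(t),
                None => continue,
            };
        }
        let args: Vec<&str> = tokens.collect();
        if prog == "rm" && args.iter().any(|a| is_recursive_flag(a)) {
            return Some(format!("recursive rm in '{}'", segment.trim()));
        }
        if BLOCKED_PROGRAMS.contains(&prog.as_str()) {
            return Some(format!("blocked program '{}'", prog));
        }
    }
    None
}

/// Last path component, lowercased, so `/system/bin/rm` and `rm` compare equal.
fn basename(token: &str) -> String {
    token.rsplit('/').next().unwrap_or(token).to_lowercase()
}

/// True for `--recursive` or any short-option cluster containing r/R
/// (`-r`, `-R`, `-fr`, `-Rf`), regardless of where it appears in the argument list.
fn is_recursive_flag(arg: &str) -> bool {
    if arg == "--recursive" {
        return true;
    }
    arg.len() > 1
        && arg.starts_with('-')
        && !arg.starts_with("--")
        && arg[1..].chars().any(|c| c == 'r' || c == 'R')
}

fn main() {
    // Constructed sample commands: the first is caught by both checks, the
    // next three slip past the substring check only.
    let samples = [
        "rm -rf /sdcard/x",
        "rm -fr /sdcard/x",
        "rm -f -r /sdcard/x",
        "/system/bin/rm -R /sdcard/x",
        "ls /sdcard; busybox rm -fr /sdcard/x",
        "rm -f /sdcard/x/one.txt",
    ];
    for cmd in samples.iter() {
        println!(
            "{:40} naive={:?} hardened={:?}",
            cmd,
            naive_blocked(cmd),
            hardened_blocked(cmd)
        );
    }
}
```

Running `main` prints both verdicts for each constructed command: `rm -fr` and `rm -f -r` pass the naive check and are caught by the token-based one, while the non-recursive `rm -f file` is allowed by both. The hardened version is still a denylist, however: it does not see through `sh -c '...'`, shell variables or command substitution, so the robust fix for a tool that hands strings to a device shell is an allowlist of permitted programs and argument shapes rather than a longer pattern list.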
Credit
Fix
OS Command Injection
Weakness Enumeration
Related identifiers
Affected products
Zeptoclaw