VYPR
Unrated severity · NVD Advisory · Published Feb 4, 2022 · Updated Apr 23, 2025

OS command injection in iTunesRPC-Remastered

CVE-2022-23611

Description

iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility. In affected versions iTunesRPC-Remastered did not properly sanitize image file paths leading to OS level command injection. This issue has been patched in commit cdcd48b. Users are advised to upgrade.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

iTunesRPC-Remastered up to commit cdcd48b contains an OS command injection via unsanitized image file paths.

Vulnerability

Commits from 3fa8bbf through cbcea0a of iTunesRPC-Remastered, a Discord Rich Presence utility for iTunes on Windows, improperly neutralize special elements used in an OS command when handling image file paths. The get function in connect_to_server.py does not sanitize the image_file parameter before using it in file operations, allowing an attacker to inject arbitrary OS commands [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted file path containing command injection payloads. The attacker must have the ability to send requests to the utility's network endpoint that processes image files. No authentication is required if the service is exposed; user interaction is not needed beyond triggering the vulnerable code path in connect_to_server.py [1][2].

Impact

Successful exploitation allows the attacker to achieve OS-level command injection, leading to arbitrary code execution on the affected system. This compromises the confidentiality, integrity, and availability of the host machine at the privilege level of the running iTunesRPC-Remastered process [1].

Mitigation

The vulnerability is fixed in commit cdcd48b, which uses werkzeug.utils.secure_filename and ast.literal_eval to sanitize the image file path [2]. Users on the affected versions (commits between 3fa8bbf and cbcea0a) should upgrade to the patched commit or later. As a workaround, users can manually modify connect_to_server.py and itunesrpc.py as described in the advisory to sanitize the image_file input [1].
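As an added illustration of the fail-closed path handling the fix relies on (this is not code from iTunesRPC-Remastered or from commit cdcd48b), the Python below reimplements the allowlist logic of werkzeug.utils.secure_filename using only the standard library, then confines the result to an assumed artwork directory. IMAGE_DIR, secure_image_name, resolve_image_path and is_accepted are names chosen for this example and do not appear in the project; the directory path is likewise an assumption.

```python
import re
import unicodedata
from pathlib import Path

# Assumed artwork location; the advisory does not name the real directory.
IMAGE_DIR = Path("/tmp/itunesrpc-images")

# Everything outside this allowlist is dropped from a file name.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")


def secure_image_name(image_file: str) -> str:
    """Reduce an untrusted image_file value to a bare, allowlisted file name.

    Stand-in for werkzeug.utils.secure_filename (which the upstream fix uses),
    rewritten here so the example has no third-party dependency: ASCII-fold,
    turn both path separators into spaces so directory parts become plain
    tokens, join tokens with '_', drop every character outside [A-Za-z0-9_.-],
    then strip leading and trailing dots and underscores so '..' cannot survive.
    """
    name = unicodedata.normalize("NFKD", image_file)
    name = name.encode("ascii", "ignore").decode("ascii")
    for sep in ("/", "\\"):  # handle both separators regardless of host OS
        name = name.replace(sep, " ")
    name = _UNSAFE_CHARS.sub("", "_".join(name.split())).strip("._")
    if not name:
        raise ValueError("image_file reduces to an empty name")
    return name


def resolve_image_path(image_file: str, base_dir: Path = IMAGE_DIR) -> Path:
    """Return the absolute path for image_file, confined to base_dir.

    Fail-closed policy: a value that sanitisation had to change is rejected
    rather than silently repaired. A client sending a legitimate artwork name
    never needs directory parts or shell metacharacters, so a changed value is
    treated as tampering and is worth logging as a detection signal.

    If the resulting path must be handed to an external program, pass it as
    one argv element (subprocess.run([...], shell=False)); never interpolate
    it into a shell command string.
    """
    safe = secure_image_name(image_file)
    if safe != image_file:
        raise ValueError(f"rejected image_file {image_file!r}: normalised to {safe!r}")
    path = (base_dir / safe).resolve()
    # Second guard: even an allowlisted name must land directly in base_dir.
    if path.parent != base_dir.resolve():
        raise ValueError("image_file escapes the image directory")
    return path


def is_accepted(image_file: str) -> bool:
    """Predicate for tests and logging: True only if the value passes both guards."""
    try:
        resolve_image_path(image_file)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and two that sanitisation alters.
    for sample in ("cover.png", "../../etc/passwd", "my album (1).png"):
        print(f"{sample!r:24} -> accepted={is_accepted(sample)}")
```

Rejecting on change is stricter than the upstream fix, which keeps the sanitised name; the strict variant is preferable when the caller can report the rejection, because a stream of rejected values is exactly the signal a defender wants to see in the logs.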

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (No linked articles in our index yet.)