matrizzo / cs412-project

Project for CS412 - Software Security

Command Injection in grass::Session::executeLs()

hazimeh opened this issue

A command injection vulnerability exists in grass::Session::executeLs(), at session.cpp:306, where a user-controlled input is fed directly into a shell interpreter. The user input is the path itself, whereby the ls command is appended with the unsanitized current working directory.

To launch the exploit, we would create a directory called ;gnome-calculator or ;bash and cd into it, then call ls, to launch a calculator or a shell.

sploit_5.zip
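One way to close the hole described in this issue, as an added example that is not part of the original report or the project's code: run `ls` without a shell so the directory name stays a single argument. The code at session.cpp:306 is not shown on the page, so the one-line vulnerable form is an assumption, and `shellCommandFor`, `listDirectory` and `demoListing` are hypothetical names.

```cpp
// Added example; constructed code, not taken from the project's session.cpp.
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
// Pattern the issue describes: the cwd is pasted into a shell command line,
// so a directory named ";bash" turns into a second command.
std::string shellCommandFor(const std::string& cwd) { return "ls -l " + cwd; }

// Hardened form: no shell. The path is a single argv element, and "--" keeps
// a name starting with '-' from being read as an option. Returns ls's exit
// status (or -1) and stores its stdout in `out`.
int listDirectory(const std::string& dir, std::string& out) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       // child: stdout -> pipe, then exec
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        const char* argv[] = {"ls", "-l", "--", dir.c_str(), nullptr};
        execvp("ls", const_cast<char* const*>(argv));
        _exit(127);                       // exec failed
    }
    close(fds[1]);
    out.clear();
    char buf[4096];
    for (ssize_t n; (n = read(fds[0], buf, sizeof buf)) > 0;) out.append(buf, n);
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// Constructed check: list a directory literally named ";echo INJECTED" that
// holds one file, and return what listDirectory() produced for it.
std::string demoListing() {
    char tmpl[] = "/tmp/lsdemoXXXXXX";
    if (!mkdtemp(tmpl)) return "";
    std::string dir = std::string(tmpl) + "/;echo INJECTED", out;
    std::string file = dir + "/marker.txt";
    mkdir(dir.c_str(), 0700);
    if (FILE* f = std::fopen(file.c_str(), "w")) std::fclose(f);
    listDirectory(dir, out);
    unlink(file.c_str()); rmdir(dir.c_str()); rmdir(tmpl);
    return out;
}
int main() { std::fputs(demoListing().c_str(), stdout); }
```

In a network service, an absolute path to the `ls` binary in place of the `PATH` lookup done by `execvp` removes one more input the client environment could influence.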