Shell Command Injection Affecting traceroute Open this link in a new tab package, versions <=1.0.0


0.0
critical
  • Exploit Maturity

    Mature

  • Attack Complexity

    Low

  • Scope

    Changed

  • Confidentiality

    High

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    npm:traceroute:20160311

  • published

    23 Jan 2018

  • disclosed

    9 Nov 2017

  • credit

    Dor Dali

Introduced: 9 Nov 2017

CWE-78 Open this link in a new tab

Overview

traceroute is an npm package used for listing references in a remote git repository.

Affected versions of this package are vulnerable to Arbitrary Command Injection due to the insecure use of exec. An attacker can add a newline %0a after the host addr, and inject malicious shell commands to disrupt server operation or obtain sensitive information.

PoC by Dor Dali

traceroute = require('traceroute');

host = '127.0.0.1\ntouch /tmp/malicious';

traceroute.trace(host, function (err,hops) { // the file /tmp/malicious was created console.log(hops); });

Remediation

There currently is no fixed version for traceroute. A fix is on the master branch but was not published to npm.