CVE-2018-21268

CRITICAL

traceroute < 1.0.0 - Remote Command Injection via Host Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-21268. PoCs published by dannyEndorTest.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2018-21268, demonstrating command injection via the `traceroute` package's `host` argument. The `/traceroute` endpoint passes user input directly to `traceroute.trace()` without validation, making it exploitable.

Description

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Exploits (1)

nomisec WORKING POC
by dannyEndorTest · poc
https://github.com/dannyEndorTest/node-vulnerable

This repository contains a functional exploit PoC for CVE-2018-21268, demonstrating command injection via the `traceroute` package's `host` argument. The `/traceroute` endpoint passes user input directly to `traceroute.trace()` without validation, making it exploitable.

Classification

Working PoC: 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: traceroute (npm package) version 1.0.0
Authentication: none needed
Prerequisites: Network access to the vulnerable endpoint · Ability to send HTTP requests to `/traceroute`
Analyzed by devstral-2 on May 21, 2026

Scores

CVSS v3: 10.0
EPSS: 0.0652
EPSS Percentile: 91.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Details

CWE: CWE-74
Status: published
Products (2):
npm/traceroute
traceroute_project/traceroute < 1.0.0
Published: Jun 25, 2020
Tracked Since: Feb 18, 2026