bird-lg-go Argument Injection Vulnerability in Traceroute Module Leading to Denial-of-Service
Vulnerability
An argument injection vulnerability has been identified in the bird-lg-go project, prior to commit 6187a4e. The issue arises in the traceroute module, which splits user input with shlex.Split and passes the result on without validation. This flaw enables remote attackers to inject arbitrary flags, such as -w and -q, through the q parameter. Exploitation of this vulnerability can lead to a denial-of-service condition by exhausting system resources.
Impact
Exploitation of this vulnerability can cause a denial-of-service condition by depleting system resources, such as process IDs or memory.
Reproduction
To reproduce this vulnerability, send a request to the traceroute module with the q parameter containing a crafted payload. The payload can include injected flags like -w (to specify a wait time) and -q (to indicate the number of probes), along with a target IP address. For example, a payload could be '192.0.2.1 -w 60 -q 10', which, when URL-encoded, becomes '192.0.2.1%20-w%2060%20-q%2010'. This injection bypasses the default settings and can be used to manipulate the traceroute command's behavior, potentially leading to resource exhaustion on the server.
Remediation
Users are advised to update to the latest version of bird-lg-go, where this vulnerability has been addressed.
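For operators reviewing their own deployment or a fork, the following added example (not bird-lg-go's code and not its actual fix) contrasts the flawed pattern with a strict check that treats q as exactly one target. Assumptions: strings.Fields stands in for shlex.Split, the fixed flags -q 1 -w 1 are constructed defaults, and the names naiveArgs, safeArgs and hostnameRe are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// hostnameRe (hypothetical) accepts dotted labels of letters, digits and hyphens.
// Each label starts with a letter or digit, so a match can never begin with "-".
var hostnameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9-]{0,62}(\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*\.?$`)

// naiveArgs mirrors the flawed pattern: every whitespace-separated token of q
// lands on the command line. strings.Fields stands in for shlex.Split.
func naiveArgs(q string) []string {
	return append([]string{"-q", "1", "-w", "1"}, strings.Fields(q)...)
}

// safeArgs accepts q only if the whole value is one IP address or hostname,
// so no extra token and no flag-shaped value reaches traceroute.
func safeArgs(q string) ([]string, error) {
	target := strings.TrimSpace(q)
	if target == "" || len(target) > 253 {
		return nil, errors.New("empty or over-long target")
	}
	if net.ParseIP(target) == nil && !hostnameRe.MatchString(target) {
		return nil, fmt.Errorf("rejected target %q", target)
	}
	return []string{"-q", "1", "-w", "1", target}, nil
}

func main() {
	payload := "192.0.2.1 -w 60 -q 10" // the payload from the Reproduction section
	fmt.Println("naive:", naiveArgs(payload))
	_, err := safeArgs(payload)
	fmt.Println("safe: ", err)
}
```

With the naive builder the later -w and -q tokens follow the server's fixed flags on the same command line, which is how the default settings are bypassed; the strict builder rejects the request before any process is spawned.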
