Embedthis GoAhead <3.6.5 - Remote Code Execution
ID: CVE-2017-17562
Severity: high
Author: geeknik
Tags: cve,cve2017,rce,goahead,fuzz,kev,vulhub,embedthis
Description
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
YAML Source
id: CVE-2017-17562

info:
  name: Embedthis GoAhead <3.6.5 - Remote Code Execution
  author: geeknik
  severity: high
  description: |
    description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade to Embedthis GoAhead version 3.6.5 or later to mitigate this vulnerability.
  reference:
    - https://www.elttam.com/blog/goahead/
    - https://github.com/ivanitlearning/CVE-2017-17562
    - https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
    - https://github.com/embedthis/goahead/issues/249
    - https://nvd.nist.gov/vuln/detail/CVE-2017-17562
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2017-17562
    cwe-id: CWE-20
    epss-score: 0.97436
    epss-percentile: 0.9994
    cpe: cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*
  metadata:
    max-request: 65
    vendor: embedthis
    product: goahead
    shodan-query: cpe:"cpe:2.3:a:embedthis:goahead"
  tags: cve,cve2017,rce,goahead,fuzz,kev,vulhub,embedthis

http:
  - raw:
      - |
        GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    payloads:
      endpoint:
        - admin
        - apply
        - non-CA-rev
        - cgitest
        - checkCookie
        - check_user
        - chn/liveView
        - cht/liveView
        - cnswebserver
        - config
        - configure/set_link_neg
        - configure/swports_adjust
        - eng/liveView
        - firmware
        - getCheckCode
        - get_status
        - getmac
        - getparam
        - guest/Login
        - home
        - htmlmgr
        - index
        - index/login
        - jscript
        - kvm
        - liveView
        - login
        - login.asp
        - login/login
        - login/login-page
        - login_mgr
        - luci
        - main
        - main-cgi
        - manage/login
        - menu
        - mlogin
        - netbinary
        - nobody/Captcha
        - nobody/VerifyCode
        - normal_userLogin
        - otgw
        - page
        - rulectl
        - service
        - set_new_config
        - sl_webviewer
        - ssi
        - status
        - sysconf
        - systemutil
        - t/out
        - top
        - unauth
        - upload
        - variable
        - wanstatu
        - webcm
        - webmain
        - webproc
        - webscr
        - webviewLogin
        - webviewLogin_m64
        - webviewer
        - welcome

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "environment variable"
          - "display library search paths"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100fd44921cab9b7b411bfb1edbfd6733c99bca06b4ca5ab78a7e6aaf26b2e3413502205cfc16c23431118e415d7dabd0b73c92f51726133adcb223cbe69d16ef9707b5:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2017/CVE-2017-17562.yaml"
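
To find this template's probe in your own web server logs, the following added example (not part of the template or of the Nuclei project) flags requests under /cgi-bin/ whose query string carries a parameter name starting with LD_, which generalises the template's LD_DEBUG=help request to any dynamic-linker variable name. It assumes combined-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request portion of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def linker_params(target):
    """Return query parameter names starting with LD_ for a /cgi-bin/ request."""
    parts = urlsplit(target)
    if not unquote(parts.path).lower().startswith("/cgi-bin/"):
        return []
    # parse_qsl percent-decodes names, so an encoded spelling is normalised first.
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return [n for n in names if n.upper().startswith("LD_")]

def scan(lines):
    """Return (ip, target, status, names) for every log line that matches."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        names = linker_params(m["target"])
        if names:
            findings.append((m["ip"], m["target"], int(m["status"]), names))
    return findings

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /cgi-bin/index?LD_DEBUG=help HTTP/1.1" 200 1432 "-" "-"',
    '198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET /cgi-bin/login?%4cD_DEBUG=help HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [10/Jan/2024:10:05:00 +0000] "GET /cgi-bin/status?refresh=5 HTTP/1.1" 200 812 "-" "-"',
    '203.0.113.9 - - [10/Jan/2024:10:06:00 +0000] "GET /docs/?LD_DEBUG=help HTTP/1.1" 200 90 "-" "-"',
]

if __name__ == "__main__":
    for ip, target, status, names in scan(SAMPLE_LOG):
        # A 200 lines up with the template's status matcher: review that response.
        flag = "CHECK RESPONSE" if status == 200 else "probe"
        print(f"{flag}: {ip} {target} -> {status} {names}")
```

A flagged request that returned 200 corresponds to the template's status matcher, so that host's GoAhead version is the first thing to check against the 3.6.5 remediation.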