CVE-2017-17562
published 2017-12-12

Priority: P191, high
CVSS 3.1: 8.1 (AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H)
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2022-06-10)
Exploited in the wild
EPSS: 96.33% (99.9th percentile)

Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.

Affected

3 ranges

Vendor | Product | Version range | Fixed in
embedthis | goahead | < 3.6.5 | 3.6.5
oracle | integrated_lights_out_manager | |
oracle | integrated_lights_out_manager | |

Detection & IOCs (extracted from sources)

path: /proc/self/fd/0
path: /cgi-bin/
  • Alert on HTTP requests to GoAhead servers where the query string contains environment variable injection patterns such as 'LD_PRELOAD', 'LD_DEBUG', or 'LIBMYSQL_PLUGINS' referencing /proc/self/fd paths.
  • The Metasploit module brute-forces a large list of known GoAhead CGI endpoint names; monitor for rapid sequential GET/POST requests across these paths from a single source IP.
  • Vulnerability only exploitable when CGI is enabled AND the CGI program is dynamically linked; statically linked CGI programs are not affected.
  • Exploitation requires the glibc dynamic linker to be present; the attack abuses glibc's LD_PRELOAD mechanism to load an attacker-supplied shared object.
  • The Metasploit module POST size is limited to 16384 bytes maximum; PowerPC architecture payloads exceed this limit and are not supported.
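
One way to implement the query-string detection above over web-server access logs, as an added example that is not part of the original page or of any vendor's rule set. The combined-style log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-style access-log line; the log format is an assumption of this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CGI_PREFIX = "/cgi-bin/"  # path listed on this page; adjust to the server's CGI route
# Environment-style parameter names from the detection note, plus any other LD_* name.
SUSPECT_NAME = re.compile(r"^(LD_[A-Z0-9_]+|LIBMYSQL_PLUGINS)$")
SUSPECT_VALUE = re.compile(r"/proc/self/fd/\d+")

SAMPLE_LOG = [  # constructed lines using documentation-range IP addresses
    '198.51.100.7 - - [12/Dec/2017:10:00:01 +0000] "POST /cgi-bin/index?LD_PRELOAD=/proc/self/fd/0 HTTP/1.1" 200 0',
    '198.51.100.7 - - [12/Dec/2017:10:00:02 +0000] "POST /cgi-bin/status?LD%5FPRELOAD=%2Fproc%2Fself%2Ffd%2F0 HTTP/1.1" 200 0',
    '203.0.113.9 - - [12/Dec/2017:10:00:03 +0000] "GET /cgi-bin/status?lang=en HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Dec/2017:10:00:04 +0000] "GET /index.html?LD_PRELOAD=x HTTP/1.1" 200 512',
]


def inspect_line(line):
    """Return a finding dict for a suspicious CGI request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path)  # decode so an encoded CGI path is still recognised
    if CGI_PREFIX not in path:
        return None
    reasons = []
    # parse_qsl percent-decodes names and values, so LD%5FPRELOAD is caught too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SUSPECT_NAME.match(name):
            reasons.append(f"environment-style parameter name {name}")
        if SUSPECT_VALUE.search(value):
            reasons.append(f"{name} references a /proc/self/fd path")
    if not reasons:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": path, "reasons": reasons}


def scan(lines):
    """Return findings for every suspicious line, in input order."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
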

CVSS provenance

nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | 8.1 | HIGH
cisa | 8.1 | HIGH