Remote Code Execution Vulnerability in Embedthis GoAhead Web Server
CVE-2017-17562

8.1HIGH

Key Information:

Vendor: Embedthis
Status: Goahead
Vendor: CVE Published:; 12 December 2017

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 94%🦅 CISA Reported

What is CVE-2017-17562?

The Embedthis GoAhead web server before version 3.6.5 is susceptible to remote code execution through improperly handled environment variables in CGI scripts. When the CGI functionality is enabled, an attacker can craft HTTP requests that exploit the way the environment is initialized for forked CGI processes. By utilizing specific parameter names linked to the glibc dynamic linker like LD_PRELOAD, an attacker can execute arbitrary code. This is achieved by sending a POST request containing a shared object payload, which can then be referenced and executed from the server's process. This vulnerability poses a significant risk to systems utilizing the affected versions of GoAhead.

CISA has reported CVE-2017-17562

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2017-17562 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply updates per vendor instructions.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2017-17562 - Proof of Concept