Vulnerability Details: CVE-2017-17562
Public exploit exists!
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
Vulnerability category: Execute code
Products affected by CVE-2017-17562
- cpe:2.3:a:oracle:integrated_lights_out_manager:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:integrated_lights_out_manager:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*
CVE-2017-17562 is in the CISA Known Exploited Vulnerabilities Catalog
- CISA vulnerability name: Embedthis GoAhead Remote Code Execution Vulnerability
- CISA required action: Apply updates per vendor instructions.
- CISA description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
- Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-17562
- Added on: 2021-12-10
- Action due date: 2022-06-10
Exploit prediction scoring system (EPSS) score for CVE-2017-17562
- 94.37%: Probability of exploitation activity in the next 30 days
- ~ 100 %: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2017-17562
- GoAhead Web Server LD_PRELOAD Arbitrary Module Load
  Disclosure Date: 2017-12-18
  First seen: 2020-04-26
  exploit/linux/http/goahead_ldpreload
  This module triggers an arbitrary shared library load vulnerability in GoAhead web server versions between 2.5 and that have the CGI module enabled.
  Authors: Daniel Hodson <daniel@elttam.com.au>, h00die, hdm <x@hdm.io>
CVSS scores for CVE-2017-17562
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-04 |
8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | 2024-07-24 |
References for CVE-2017-17562
- https://www.exploit-db.com/exploits/43360/
  GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution (Exploit; Third Party Advisory; VDB Entry)
- http://www.securitytracker.com/id/1040702
  Solaris Multiple Flaws Let Remote and Local Users Deny Service, Remote and Local Users Access Data, Remote Authenticated Users Gain Elevated Privileges, and Remote Authenticated and Local Users Modify (Broken Link; Third Party Advisory; VDB Entry)
- https://github.com/embedthis/goahead/commit/6f786c123196eb622625a920d54048629a7caa74
  DEV: add CGI prefixes · embedthis/goahead@6f786c1 · GitHub (Broken Link; Patch; Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
  Oracle Critical Patch Update - April 2018 (Patch; Third Party Advisory)
- https://www.elttam.com.au/blog/goahead/
  elttam - Remote LD_PRELOAD Exploitation (Broken Link; Exploit; Patch; Third Party Advisory)
- https://github.com/elttam/advisories/tree/master/CVE-2017-17562
  advisories/CVE-2017-17562 at master · elttam/advisories · GitHub (Broken Link; Third Party Advisory)
- https://github.com/embedthis/goahead/issues/249
  CGI environment variables need a prefix · Issue #249 · embedthis/goahead · GitHub (Broken Link; Issue Tracking; Third Party Advisory)
- https://www.exploit-db.com/exploits/43877/
  GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit) (Exploit; Third Party Advisory; VDB Entry)