A remote RCE vulnerability (CVE-2017-17562) was found in all GoAhead Web Server’s versions earlier than 3.6.5. The vulnerability is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters, and will affect all users who have CGI support enabled with dynamically linked executables (CGI scripts). This behavior, when combined with the glibc dynamic linker, can be abused for remote code execution using special variables such as LD_PRELOAD.
GoAhead Web Server Version < 3.6.5
GoAhead Web Server Version >= 3.6.5
This vulnerability has impact on users who have enabled dynamically linked executables on Linux server. Besides, users should check their GoAhead Web Server version to see if it is affected. If it’s earlier than version 3.6.5, risk exists.
The following commands can be used to check the version:
Patches from Vendor
The vendor has released patches to fix this issue in its new version. Users are advised to upgrade immediately by saving and applying auth.txt and route.txt files to the new version.
Recommended Solution from NSFOCUS
Using NSFOCUS detection products and service
- Use NSFOCUS Cloud to get quick online detection for public assets, available at the following link: https://cloud.nsfocus.com/#/krosa/views/initcdr/productandservice?page_id=12
- Use NSFOCUS Intrusion Detection System (IDS) to detect intranet assets. Find the latest patch at the following link and carry out the detection. http://update.nsfocus.com/update/listIds
Using NSFOCUS prevention products
- Intrusion prevention system (IPS)
- Next-generation Firewall (NF)
- Web Application Firewall (WAF)
Please update to the latest version for immediate protection.
GoAhead CGI process cannot filter parameters correctly when handling HTTP requests. It can be employed to inject variable LD_PRELOAD and bring RCE risk.
Function cgihandler of goahead/src/cgi.c is used to handle HTTP requests:
It references key-values from HTTP request parameters and uses them in envp groups as environment variables to pass on to function launchCgi for CGI execution.
Function launchCgi executes the mentioned-above environment variables as environment variables of CGI through execve.
On Linux system it is possible to use LD_PRELOAD environment variables to hook and hijack function execution flows, just as we’ve known.
We can see that only REMOTE_HOST and HTTP_AUTHORIZATION were filtered in the function.
The parameters in HTTP requests are directly assigned to envp groups by “envp[n++] = sfmt(“%s=%s”, s->name.value.string, s->content.value.string);”, and then the envp groups are used as environment variables in CGI process.
That means a malicious HTTP request will make CGI execute designated shared object files.
The vendor fixed this issue in June 2017 as shown on its official website.
HTTP parameter filtering commands have been added in the patch to prevent unintended parameters from going into environment variables.
In addition to “LD_” variables, characters like CDPATH and IFS are also in the filtering list.