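# Detection template for CVE-2017-17562 (Embedthis GoAhead before 3.6.5).
#
# How the check works: each request asks a candidate CGI program under
# /cgi-bin/ to run with the query parameter LD_DEBUG=help. The matchers then
# look for two phrases that appear in the glibc dynamic loader's LD_DEBUG
# help text. A match means a request parameter reached the environment of a
# dynamically linked CGI process, which is the condition the description
# below names.
#
# Reading the result:
#   - A match is strong evidence that the host needs the 3.6.5+ upgrade.
#   - No match is NOT proof of a patched host. The endpoint list is a fixed
#     wordlist, so a CGI program under any other name is never probed.
#   - NOTE(review): the matched phrases presumably come from glibc; targets
#     built against another C library may not print them. Confirm before
#     treating a clean scan as a negative.
id: CVE-2017-17562

info:
  name: Embedthis GoAhead <3.6.5 - Remote Code Execution
  author: geeknik
  severity: high
  # Fixed: the block scalar used to begin with a stray "description:" label,
  # which was rendered as part of the finding text in reports.
  description: |
    Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade to Embedthis GoAhead version 3.6.5 or later to mitigate this vulnerability.
  reference:
    - https://www.elttam.com/blog/goahead/
    - https://github.com/ivanitlearning/CVE-2017-17562
    - https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
    - https://github.com/embedthis/goahead/issues/249
    - https://nvd.nist.gov/vuln/detail/CVE-2017-17562
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2017-17562
    cwe-id: CWE-20
    epss-score: 0.97436
    epss-percentile: 0.9994
    cpe: cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*
  metadata:
    # One request per entry in the endpoint payload list below (65 entries);
    # keep this number in sync when the list changes.
    max-request: 65
    vendor: embedthis
    product: goahead
  tags: cve,cve2017,rce,goahead,fuzz,kev,vulhub,embedthis

http:
  - raw:
      - |
        GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    payloads:
      # Candidate CGI program names, substituted for {{endpoint}} one at a
      # time. Add the names used by your own firmware images for coverage.
      endpoint:
        - admin
        - apply
        - non-CA-rev
        - cgitest
        - checkCookie
        - check_user
        - chn/liveView
        - cht/liveView
        - cnswebserver
        - config
        - configure/set_link_neg
        - configure/swports_adjust
        - eng/liveView
        - firmware
        - getCheckCode
        - get_status
        - getmac
        - getparam
        - guest/Login
        - home
        - htmlmgr
        - index
        - index/login
        - jscript
        - kvm
        - liveView
        - login
        - login.asp
        - login/login
        - login/login-page
        - login_mgr
        - luci
        - main
        - main-cgi
        - manage/login
        - menu
        - mlogin
        - netbinary
        - nobody/Captcha
        - nobody/VerifyCode
        - normal_userLogin
        - otgw
        - page
        - rulectl
        - service
        - set_new_config
        - sl_webviewer
        - ssi
        - status
        - sysconf
        - systemutil
        - t/out
        - top
        - unauth
        - upload
        - variable
        - wanstatu
        - webcm
        - webmain
        - webproc
        - webscr
        - webviewLogin
        - webviewLogin_m64
        - webviewer
        - welcome

    # One confirmed endpoint is enough to flag the host; stopping early also
    # keeps request volume down on small embedded targets.
    stop-at-first-match: true

    # Both matchers must hold: the loader help text AND a 200 response.
    matchers-condition: and
    matchers:
      # Requiring both phrases avoids matching a page that merely mentions
      # "environment variable" in ordinary content.
      - type: word
        words:
          - "environment variable"
          - "display library search paths"
        condition: and

      - type: status
        status:
          - 200

# NOTE(review): the digest below was generated for the original template
# text. Any edit to this file, comments included, will no longer match it;
# re-sign the template before relying on signature verification.
# digest: 480a004530430220137571f29820e7cfeff24983e553083fbd48df32ed6c9f6be7ab7a0b2ab3dcec021f1cf2aba6f6d18369d6d6d6784a620d36863b9446b26c941818edd6a6a12322:922c64590222798bb761d5b6d8e72950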