# Detection template for CVE-2017-17562 in the Embedthis GoAhead web server.
# Per the description below, builds before 3.6.5 are affected when CGI is
# enabled and a CGI program is dynamically linked, so a match means the host
# should be moved to 3.6.5 or later (or have CGI disabled).
id: CVE-2017-17562

info:
  name: Embedthis GoAhead RCE
  description: >-
    Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is
    enabled and a CGI program is dynamically linked.
  author: geeknik
  reference:
    - https://www.elttam.com/blog/goahead/
    - https://github.com/ivanitlearning/CVE-2017-17562
    - https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
  severity: high
  # "fuzz" marks this as a multi-request template: it sends one request per
  # candidate CGI name listed under payloads.
  tags: cve,cve2017,rce,embedthis,goahead,fuzz
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.10
    cve-id: CVE-2017-17562
    cwe-id: CWE-20

requests:
  - raw:
      # The probe passes LD_DEBUG=help as a query parameter. The matchers
      # below look for the dynamic linker's help text in the response, which
      # indicates the parameter reached the CGI process environment. The
      # request only asks for help output.
      - |
        GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    # Candidate CGI program names substituted into {{endpoint}}.
    # A host whose CGI programs use other names will not match, so a clean
    # result here is not proof that the server is patched.
    payloads:
      endpoint:
        - admin
        - apply
        - non-CA-rev
        - cgitest
        - checkCookie
        - check_user
        - chn/liveView
        - cht/liveView
        - cnswebserver
        - config
        - configure/set_link_neg
        - configure/swports_adjust
        - eng/liveView
        - firmware
        - getCheckCode
        - get_status
        - getmac
        - getparam
        - guest/Login
        - home
        - htmlmgr
        - index
        - index/login
        - jscript
        - kvm
        - liveView
        - login
        - login.asp
        - login/login
        - login/login-page
        - login_mgr
        - luci
        - main
        - main-cgi
        - manage/login
        - menu
        - mlogin
        - netbinary
        - nobody/Captcha
        - nobody/VerifyCode
        - normal_userLogin
        - otgw
        - page
        - rulectl
        - service
        - set_new_config
        - sl_webviewer
        - ssi
        - status
        - sysconf
        - systemutil
        - t/out
        - top
        - unauth
        - upload
        - variable
        - wanstatu
        - webcm
        - webmain
        - webproc
        - webscr
        - webviewLogin
        - webviewLogin_m64
        - webviewer
        - welcome

    # sniper: payload values are tried one at a time.
    attack: sniper
    # Stop probing this host once one endpoint matches.
    stop-at-first-match: true

    # Both matchers must hold: HTTP 200 and both help-text phrases present.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - 'environment variable'
          - 'display library search paths'
        condition: and

# Log review note: requests to /cgi-bin/ paths carrying LD_-prefixed query
# parameters, as this probe does, are worth alerting on in web server logs.