EmbedThis GoAhead Web Server CGI RCE
EmbedThis GoAhead is a popular compact web server intended and optimized for embedded devices. Despite its small size, the server supports HTTP/1.1 and includes a CGI handler, among other features.
An unrestricted file upload vulnerability has been reported in EmbedThis GoAhead Web Server. The vulnerability is due to improper validation of user form variables passed to the file upload filter.
A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to the server. Successful exploitation could lead to arbitrary code execution under the security context of the server process.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-42342.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).
Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is proof of concept.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
A remote code execution vulnerability exists in EmbedThis GoAhead. Variables supplied through multipart/form-data content processing are added using websSetVar(), which neither prefixes the variable name nor sets the arg value. Other areas of the code use a wrapper function, addFormVars(), for this purpose. The function cgiHandler() attempts to blacklist certain variable names, but it calls strim() with a null value for the set parameter; strim() then returns null, so none of the blacklisted names can ever match. Without the arg value set, the variables are passed verbatim as environment variables to the spawned CGI process. This vulnerability is due to an incomplete fix for CVE-2017-17562.
Exploitation of this vulnerability does not misuse the interface itself, so illegitimate variables cannot be distinguished from legitimate ones by the server. The CVE was opened for one specific exploitation path: supplying the LD_PRELOAD environment variable so that it points to an attacker-supplied ELF shared object whose .init section contains the code to run. The shared object can be delivered either by placing its data after the multipart/form-data content and referencing the CGI process's standard input through the proc or dev directory, or by uploading the file as a multipart/form-data part and using its temporary filename. Other "LD_"-prefixed environment variables may also be used to affect CGI behaviour.
Triggering the Problem:
• The target must have a vulnerable version of the product installed and running.
• The target product must have been compiled with the ME_GOAHEAD_UPLOAD and ME_GOAHEAD_CGI flags.
• The target path must be configured to handle CGI requests.
• The target must support loading ELF shared objects.
• The target loader must honor the LD_PRELOAD environment variable.
• The attacker must have network connectivity to the vulnerable application.
The attacker sends a crafted HTTP POST request to the target server. The body contains the LD_PRELOAD variable and an embedded ELF shared object. The vulnerability is triggered when the target server processes the request.
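As an added detection example (not code from the original advisory or from the GoAhead project), the following Python parses the part names of a multipart/form-data body and flags any that would reach a CGI child as loader environment variables. The "LD_" prefix set and the sample body are constructed for this example; the filenames and boundary are placeholders.

```python
import re

# Loader variables that a CGI child must never receive verbatim from a client.
# The advisory names LD_PRELOAD and "other LD_-prefixed variables"; matching on
# the raw, unprefixed name avoids the exact-name blacklist that the vulnerable
# handler got wrong.
LOADER_PREFIXES = ("LD_",)


def parse_multipart_fields(body: bytes, boundary: bytes):
    """Return (name, filename) for every part of a multipart/form-data body."""
    delim = b"--" + boundary
    fields = []
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # closing delimiter, no more parts
            break
        head, _, _ = part.partition(b"\r\n\r\n")
        for line in head.split(b"\r\n"):
            if not line.lower().startswith(b"content-disposition:"):
                continue
            m_name = re.search(rb'\bname="([^"]*)"', line)
            m_file = re.search(rb'\bfilename="([^"]*)"', line)
            fields.append((m_name.group(1).decode("latin-1") if m_name else "",
                           m_file.group(1).decode("latin-1") if m_file else None))
    return fields


def flag_loader_env_fields(fields):
    """Names that the dynamic loader would honour if exported unchanged."""
    return [name for name, _ in fields if name.startswith(LOADER_PREFIXES)]


# Constructed sample request body (placeholder boundary, paths and file bytes).
SAMPLE_BOUNDARY = b"----constructedBoundary"
SAMPLE_BODY = (
    b"------constructedBoundary\r\n"
    b'Content-Disposition: form-data; name="LD_PRELOAD"\r\n\r\n'
    b"/tmp/CONSTRUCTED_PLACEHOLDER.so\r\n"
    b"------constructedBoundary\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="lib.so"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"\x7fELF placeholder bytes, not a real shared object\r\n"
    b"------constructedBoundary--\r\n"
)

if __name__ == "__main__":
    fields = parse_multipart_fields(SAMPLE_BODY, SAMPLE_BOUNDARY)
    print("parts:", fields)
    print("suspicious loader variables:", flag_loader_env_fields(fields))
```

A request whose part names include an "LD_"-prefixed name bound for a CGI path is the pattern the IPS signature above is meant to catch; the same check can be applied in a reverse proxy in front of an unpatched device.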
The following application protocols can be used to deliver an attack that exploits this vulnerability:
SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:
• IPS: 6178 EmbedThis GoAhead File Upload Filter Remote Code Execution
The risks posed by this vulnerability can be mitigated or eliminated by:
• Applying the vendor-supplied patch to eliminate this vulnerability.
• Filtering attack traffic using the signature above.
• Compiling the software with either the ME_GOAHEAD_UPLOAD or ME_GOAHEAD_CGI flags disabled.
• Removing all CGI binaries.
The vendor has released the following advisory regarding this vulnerability: