Security News

EmbedThis GoAhead Web Server CGI RCE

By

Overview:

  EmbedThis GoAhead is a popular compact web server intended and optimized for embedded devices. Despite its small size, the server supports HTTP/1.1, CGI handler among others.

  An unrestricted file upload vulnerability has been reported in EmbedThis GoAhead Web Server. The vulnerability is due to improper validation of user form variables passed to the file upload filter.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to the server. Successful exploitation could lead to arbitrary code execution under the security context of the server process.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-42342.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A remote code execution vulnerability exists in EmbedThis GoAhead. Variables supplied through the multipart/form-data content processing are added using websSetVar(), which does not prefix the variable name or set the arg value. Other areas of code use a wrapper function, addFormVars(), for this purpose. The function cgiHandler() attempts to blacklist certain variable names, but uses the strim() function with a null value for the set parameter, returning a null value and preventing any of the values included in the blacklist from matching. Without the arg value set, the variables are used as environment variables verbatim in the spawned process. This vulnerability is due to an incomplete fix for CVE-2017-17562.

  Exploitation of this vulnerability does not misuse the interface, which makes detecting illegitimate variables not possible. However, the CVE was opened for the specific exploitation path of using the LD_PRELOAD environment variable to point to a supplied shared object ELF file to run arbitrary code stored in the .init section. This can either send the data after the multipart/form-data content and use the CGI standard input file from the proc directory or the dev directory, or by uploading the file in a multipart/form-data payload and using the temporary filename. Other “LD_” prefixed environment variables may also be used to affect CGI behaviour.

  Incomplete Fix CVE-2017-17562

Triggering the Problem:

  • The target must have a vulnerable version of the product installed and running.
  • The target product must have been compiled with the ME_GOAHEAD_UPLOAD and ME_GOAHEAD_CGI flags.
  • The target path must be configured to handle CGI requests.
  • The target must support loading ELF shared objects.
  • The target loader must honor the LD_PRELOAD environment variable.
  • The attacker must have network connectivity to the vulnerable application.

Triggering Conditions:

  The attacker sends a crafted HTTP POST request to the target server. The body contains the LD_PRELOAD variable and an embedded ELF shared object. The vulnerability is triggered when the target server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 6178 EmbedThis GoAhead File Upload Filter Remote Code Execution

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering attack traffic using the signature above.
    • Compiling the software with either the ME_GOAHEAD_UPLOAD or ME_GOAHEAD_CGI flags disabled.
    • Remove all CGI binaries.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Atlassian Confluence and Data Center OGNL Injection Vulnerability
Adobe Flash Player Buffer Overflow (May 2, 2014)
Adware campaign spreads on Android app stores ( Feb 12, 2015 )
Spammers piggybacking on the Kaseya server exploit
Apple QuickTime Movie Vulnerabilities (June 4, 2009)
New Bredolab spam campaigns (Updated - Feb 12, 2010)
Whycry Ransomware Spotted in the Wild
Protection Center - Rogue AV (June 4, 2010)