Shulou(Shulou.com)06/01 Report--

How to carry out GoAead RCE early warning analysis, I believe that many inexperienced people are at a loss about it. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Background introduction of 0x00

On December 12, MITRE disclosed a vulnerability in GoAhead, numbered CVE-2017-17562, that affected GoAhead, which could pose a risk of remote code execution if CGI dynamic linking was enabled. GoAhead is widely used in embedded devices. After 360CERT evaluation, it is confirmed that the vulnerability is high risk, and users are advised to fix it as soon as possible.

Technical details of 0x01

Locate the vulnerability location: cgi.c:cgiHandler (), where envp allocates an array and is populated by key-value pairs in the HTTP request parameters, which only filters REMOTE_HOST and HTTP_AUTHORIZATION, causing attackers to exploit any environment variables of other cgi processes.

After the envp is populated, it will be called through launchCgi to start the cgi process.

0x02 vulnerability verification

As mentioned above, because the filtering is not perfect, malicious envp is passed into launchCgi for execution, and we need to know cgiPath (our payload path). This is not a big problem, the Linux procfs file system, you can use LD_PRELOAD=/proc/self/fd/0 to reference stdin, which will point to the temporary file we wrote. You can join LD_PRELOAD=/proc/self/fd/0 when you request a HTTP.

0x03 scope of influence

According to the evaluation of 360CERT's QUAKE network-wide asset retrieval system, millions of devices in the network are running GoAhead services. Considering the lag of embedded device updates, a wide range of devices are affected by this vulnerability.

0x04 patching recommendation

360CERT recommends that users of GoAhead products check the current application version and, if it is a vulnerable version, update the relevant patches as soon as possible.

After reading the above, have you mastered the method of how to carry out GoAead RCE early warning analysis? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.