GoAhead ... and pwn us: Remote hijacking flaw in Internet of Things gear
Web server misconfiguration lets anyone inject nasties... under certain conditions
Researchers have uncovered a vulnerability in the GoAhead web server software – embedded in Internet of Things devices – that can be potentially remotely exploited to hijack gadgets.
The flaw, designated CVE-2017-17562, allows an attacker to inject evil code into vulnerable devices, take control of the hardware and spy on owners.
The affected software may be found in Linux-powered internet-reachable routers, home security webcams, and all sorts of other network-connected stuff, providing a web-based user interface to users. GoAhead's maker EmbedThis said its code is "the world's most popular, tiny embedded web server."
The problem stems from the way GoAhead prior to version 3.6.5 handles requests from browsers to CGI programs that generate dynamic webpages. Arbitrary environment variables for the CGI program's process can be set from the parameters of the HTTP request. Exploiting this to point the dynamic linker at /proc/self/fd/0, the CGI process's standard input, which carries the request body, lets an attacker load a malicious shared library included in the HTTP request into the CGI program, and therefore hijack it.
This requires the CGI program to be dynamically linkable; it's fair to say quite a few embedded devices use statically linked binaries, so the above attack won't work against them.
"The vulnerability is a result of initialising the environment of forked CGI scripts using untrusted HTTP request parameters, and will affect all users who have CGI support enabled with dynamically linked executables (CGI scripts). This behavior, when combined with the glibc dynamic linker, can be abused for remote code execution using special variables such as LD_PRELOAD," explained researcher Daniel Hodson of Australian security house elttam, who found and reported the bug.
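To make the mechanism concrete, here is an added example in C, written for this article rather than taken from GoAhead or from elttam's advisory. It models the vulnerable pattern (every request parameter copied verbatim into the CGI child's environment, so LD_PRELOAD=/proc/self/fd/0 reaches the glibc dynamic linker) beside one hardened design of this example's own making, not the 3.6.5 fix: names must be plain identifiers and all of them are moved into a QUERY_ namespace. The function names, the 512-byte buffer and the sample query string are assumptions made for the illustration.

```c
/* Added example, not GoAhead's code: how an HTTP query string ends up as the
 * environment of a forked CGI program, and one way to make that harmless. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 32

/* Splits "a=b&c=d" in place into key/value pointers. Percent-decoding is
 * omitted to keep the example short; it does not change the point. */
static int parse_query(char *buf, char **keys, char **vals, int max)
{
    int n = 0;
    char *p = buf;
    while (p && *p && n < max) {
        char *amp = strchr(p, '&');
        if (amp) *amp++ = '\0';
        char *eq = strchr(p, '=');
        if (eq) {
            *eq = '\0';
            keys[n] = p;
            vals[n] = eq + 1;
            n++;
        }
        p = amp;
    }
    return n;
}

static char *make_entry(const char *prefix, const char *key, const char *val)
{
    size_t len = strlen(prefix) + strlen(key) + 1 + strlen(val) + 1;
    char *e = malloc(len);
    if (e) snprintf(e, len, "%s%s=%s", prefix, key, val);
    return e;
}

/* Vulnerable pattern: every request parameter becomes NAME=value in the
 * child's environment with no restriction on NAME. A request carrying
 * LD_PRELOAD=/proc/self/fd/0 therefore makes the dynamic linker load the CGI
 * process's stdin, i.e. the request body, as a shared object at start-up. */
int build_env_vulnerable(const char *query, char **envp, int max)
{
    char buf[512];
    char *keys[MAX_ENV], *vals[MAX_ENV];
    int out = 0;

    snprintf(buf, sizeof buf, "%s", query);
    int n = parse_query(buf, keys, vals, MAX_ENV);
    for (int i = 0; i < n && out < max - 1; i++)
        envp[out++] = make_entry("", keys[i], vals[i]);
    envp[out] = NULL;
    return out;
}

/* Hardened pattern (this example's design, not the 3.6.5 fix): a name must be
 * an identifier, and every request-supplied variable goes into a reserved
 * namespace so it can never be LD_PRELOAD, LD_LIBRARY_PATH, PATH or anything
 * else the dynamic linker, libc or a shell interprets. A denylist of "LD_"
 * alone would be fragile: the set of magic names is larger than that. */
static int is_identifier(const char *s)
{
    if (!*s || isdigit((unsigned char)*s)) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_') return 0;
    return 1;
}

int build_env_hardened(const char *query, char **envp, int max)
{
    char buf[512];
    char *keys[MAX_ENV], *vals[MAX_ENV];
    int out = 0;

    snprintf(buf, sizeof buf, "%s", query);
    int n = parse_query(buf, keys, vals, MAX_ENV);
    for (int i = 0; i < n && out < max - 1; i++) {
        if (!is_identifier(keys[i])) continue;   /* drops "bad-name", "", "1x" */
        envp[out++] = make_entry("QUERY_", keys[i], vals[i]);
    }
    envp[out] = NULL;
    return out;
}

/* Returns the value of NAME in an envp array, or NULL if absent. */
const char *env_lookup(char **envp, const char *name)
{
    size_t nlen = strlen(name);
    for (int i = 0; envp[i]; i++)
        if (strncmp(envp[i], name, nlen) == 0 && envp[i][nlen] == '=')
            return envp[i] + nlen + 1;
    return NULL;
}

void free_env(char **envp)
{
    for (int i = 0; envp[i]; i++) free(envp[i]);
}

int main(void)
{
    /* Constructed request parameters modelled on the elttam finding. */
    const char *query = "LD_PRELOAD=/proc/self/fd/0&id=1";
    char *env[MAX_ENV];

    build_env_vulnerable(query, env, MAX_ENV);
    printf("vulnerable: LD_PRELOAD=%s\n", env_lookup(env, "LD_PRELOAD"));
    free_env(env);

    build_env_hardened(query, env, MAX_ENV);
    printf("hardened:   LD_PRELOAD %s, QUERY_LD_PRELOAD=%s\n",
           env_lookup(env, "LD_PRELOAD") ? "set" : "absent",
           env_lookup(env, "QUERY_LD_PRELOAD"));
    free_env(env);
    return 0;
}
```

With the hardened builder, a CGI program reads QUERY_id rather than id, and an attacker-chosen name such as LD_PRELOAD becomes the inert QUERY_LD_PRELOAD. Standard CGI already hands the program QUERY_STRING, so a server that exposes parameters as individual variables at all should at minimum keep them out of the linker's and libc's namespace.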
EmbedThis told The Register that the impact of the flaw should be limited to devices and servers that have CGI-based executables, and that estimates placing the number of vulnerable internet-facing devices in the hundreds of thousands are off.
"Most GoAhead customers do not use CGI as GoAhead has better, faster, smaller internal alternatives," a spokesperson told El Reg. "GoAhead users have been actively discouraged from using the slower, less secure CGI forms for at least 10 years. Most sites do not use it and are not vulnerable."
EmbedThis noted that elttam made a point of contacting the company ahead of time to ensure a fix could be released before details on the flaw were made public. Needless to say, folks who have devices that run GoAhead should update, if possible, to version 3.6.5 (or 4.0) to patch the vulnerability.
If you're using kit that runs a vulnerable version of GoAhead with dynamically linked CGI programs, you'll need to install the fix by hand or pester the manufacturer for a firmware update.
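Whether a given CGI binary is dynamically linked, the condition stated above and earlier in the piece, can be read straight from its ELF program headers: a dynamically linked executable carries a PT_INTERP entry naming the dynamic linker, and a statically linked one does not. The checker below is an added example written for this article, not a tool from elttam or EmbedThis; it parses ELF32 and ELF64 in either byte order, since embedded targets are often 32-bit ARM or big-endian MIPS, so it can be pointed at binaries pulled out of a firmware image. The function and file names are this example's own.

```c
/* Added example, not from the article or GoAhead: decide from the ELF headers
 * whether a binary asks for a dynamic linker (PT_INTERP present). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reads an n-byte unsigned integer at p in the given byte order. */
static uint64_t rd(const unsigned char *p, int n, int big)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++)
        v = (v << 8) | p[big ? i : n - 1 - i];
    return v;
}

/*  1: has PT_INTERP (dynamically linked; LD_PRELOAD is honoured at start-up)
 *  0: no PT_INTERP (statically linked, including static-pie)
 * -1: not a parseable ELF image */
int elf_uses_dynamic_linker(const unsigned char *buf, size_t len)
{
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    int big;
    if (buf[5] == 1) big = 0;          /* ELFDATA2LSB */
    else if (buf[5] == 2) big = 1;     /* ELFDATA2MSB */
    else return -1;

    uint64_t phoff, phentsize, phnum;
    if (buf[4] == 1) {                 /* ELFCLASS32: e_phoff@28 e_phentsize@42 e_phnum@44 */
        phoff = rd(buf + 28, 4, big);
        phentsize = rd(buf + 42, 2, big);
        phnum = rd(buf + 44, 2, big);
    } else if (buf[4] == 2) {          /* ELFCLASS64: e_phoff@32 e_phentsize@54 e_phnum@56 */
        if (len < 64) return -1;
        phoff = rd(buf + 32, 8, big);
        phentsize = rd(buf + 54, 2, big);
        phnum = rd(buf + 56, 2, big);
    } else {
        return -1;
    }
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsize;
        if (off + 4 < off || off + 4 > len) return -1;   /* truncated or bogus */
        if (rd(buf + off, 4, big) == 3) return 1;        /* p_type == PT_INTERP */
    }
    return 0;
}

/* Slurps a whole file; returns NULL on failure. */
static unsigned char *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    size_t cap = 1 << 16, n = 0, got;
    unsigned char *buf = malloc(cap);
    while (buf && (got = fread(buf + n, 1, cap - n, f)) > 0) {
        n += got;
        if (n == cap) {
            unsigned char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); buf = NULL; break; }
            buf = nb;
            cap *= 2;
        }
    }
    fclose(f);
    *len = n;
    return buf;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <cgi-binary>...\n", argv[0]); return 2; }
    for (int i = 1; i < argc; i++) {
        size_t len = 0;
        unsigned char *buf = read_file(argv[i], &len);
        int r = buf ? elf_uses_dynamic_linker(buf, len) : -1;
        printf("%s: %s\n", argv[i],
               r == 1 ? "dynamically linked (exposed if CGI is enabled)"
             : r == 0 ? "statically linked" : "not an ELF image");
        free(buf);
    }
    return 0;
}
```

Run it over the CGI programs in an extracted firmware tree; only the ones reported as dynamically linked are reachable by the LD_PRELOAD trick, and even those are only exposed while the server has CGI enabled.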
Perhaps not that many devices or servers will be affected – we'll find out soon enough, though. Proof-of-concept exploit code is now available. ®