GoAhead ... and pwn us: Remote hijacking flaw in Internet of Things gear

Web server misconfiguration lets anyone inject nasties... under certain conditions

By Shaun Nichols in San Francisco

Posted in Internet of Things, 20th December 2017 08:02 GMT

Researchers have uncovered a vulnerability in the GoAhead web server software – embedded in Internet of Things devices – that can be potentially remotely exploited to hijack gadgets.

The flaw, designated CVE-2017-17562, allows an attacker to inject evil code into vulnerable devices, take control of the hardware and spy on owners.

The affected software may be found in Linux-powered internet-reachable routers, home security webcams, and all sorts of other network-connected stuff, providing a web-based user interface to users. GoAhead's maker EmbedThis said its code is "the world's most popular, tiny embedded web server."

The problem stems from the way GoAhead versions prior to 3.6.5 handle requests from browsers to CGI programs that generate dynamic webpages. It is possible to set arbitrary environment variables for the CGI program process from the HTTP request. Exploiting this to point LD_PRELOAD to /proc/self/fd/0 allows the attacker to load malicious code included in the HTTP request into the CGI program, and therefore hijack it.

This requires the CGI program to be dynamically linkable; it's fair to say quite a few embedded devices use statically linked binaries, so the above attack won't work against them.
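To make the mechanism concrete, here is an added illustration (not GoAhead's own code, and not its actual patch) of the environment-building step described above: the unsafe variant uses the request parameter name verbatim, so LD_PRELOAD from the query string lands in the CGI child's environment; the hardened variant validates the name and namespaces it under a hypothetical GOAHEAD_PARAM_ prefix so a client-chosen name can never collide with one the dynamic linker interprets.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical namespace prefix (an assumption here, not GoAhead's own
 * fix): every request-supplied variable is placed under it, so a name
 * chosen by the client can never collide with one the dynamic linker or
 * libc interprets, such as LD_PRELOAD. */
#define PARAM_PREFIX "GOAHEAD_PARAM_"

/* Returns 1 when the name is acceptable as an environment key: non-empty,
 * only [A-Za-z0-9_], and, as defence in depth, not starting with "LD_". */
int cgi_name_is_safe(const char *name) {
    if (name == NULL || *name == '\0' || strncmp(name, "LD_", 3) == 0)
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return 0;
    return 1;
}

/* Pre-3.6.5 pattern as the article describes it: the request parameter
 * name is used verbatim as the variable name. Returns a malloc'd
 * "NAME=value" string suitable for execve()'s envp array. */
char *cgi_env_entry_unsafe(const char *name, const char *value) {
    size_t n = strlen(name) + strlen(value) + 2;
    char *entry = malloc(n);
    if (entry)
        snprintf(entry, n, "%s=%s", name, value);
    return entry;
}

/* Hardened pattern: validate the name, then namespace it under
 * PARAM_PREFIX. Returns NULL (parameter dropped) when the name is rejected,
 * so the CGI program reads client input only from GOAHEAD_PARAM_* keys. */
char *cgi_env_entry_safe(const char *name, const char *value) {
    if (!cgi_name_is_safe(name))
        return NULL;
    size_t n = strlen(PARAM_PREFIX) + strlen(name) + strlen(value) + 2;
    char *entry = malloc(n);
    if (entry)
        snprintf(entry, n, "%s%s=%s", PARAM_PREFIX, name, value);
    return entry;
}
```

With constructed parameters page=index and LD_PRELOAD=/proc/self/fd/0, the unsafe builder emits both verbatim while the hardened one yields GOAHEAD_PARAM_page=index and drops the LD_PRELOAD entry.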

"The vulnerability is a result of initialising the environment of forked CGI scripts using untrusted HTTP request parameters, and will affect all users who have CGI support enabled with dynamically linked executables (CGI scripts). This behavior, when combined with the glibc dynamic linker, can be abused for remote code execution using special variables such as LD_PRELOAD," explained researcher Daniel Hodson of Australian security house elttam, who found and reported the bug.

EmbedThis told The Register that the impact of the flaw should be limited to devices and servers that have CGI-based executables, and that estimates placing the number of vulnerable internet-facing devices in the hundreds of thousands are off.

"Most GoAhead customers do not use CGI as GoAhead has better, faster, smaller internal alternatives," a spokesperson told El Reg. "GoAhead users have been actively discouraged from using the slower, less secure CGI forms for at least 10 years. Most sites do not use it and are not vulnerable."

EmbedThis noted that elttam made a point of contacting the company ahead of time to ensure a fix could be released before details on the flaw were made public. Needless to say, folks who have devices that run GoAhead should update, if possible, to version 3.6.5 (or 4.0) to patch the vulnerability.

If you're using kit that uses a vulnerable version of GoAhead, and uses dynamically linked CGI programs, then you'll need to install the fix by hand or pester the machine's manufacturer for a firmware update.

Perhaps not that many devices or servers will be affected – we'll find out soon enough, though. Proof-of-concept exploit code is now available. ®
