GoAhead ... and pwn us: Remote hijacking flaw in Internet of Things gear

Web server misconfiguration lets anyone inject nasties... under certain conditions

By Shaun Nichols in San Francisco


Researchers have uncovered a vulnerability in the GoAhead web server software – embedded in Internet of Things devices – that can be potentially remotely exploited to hijack gadgets.

The flaw, designated CVE-2017-17562, allows an attacker to inject evil code into vulnerable devices, take control of the hardware, and spy on owners.

The affected software may be found in Linux-powered internet-reachable routers, home security webcams, and all sorts of other network-connected stuff, where it provides the web-based user interface. GoAhead's maker EmbedThis said its code is "the world's most popular, tiny embedded web server."

The problem stems from the way GoAhead versions prior to 3.6.5 handle requests from browsers to CGI programs that generate dynamic webpages. It is possible to set arbitrary environment variables for the CGI program process from the HTTP request. Exploiting this to point LD_PRELOAD to /proc/self/fd/0 allows the attacker to load malicious code included in the HTTP request into the CGI program, and therefore hijack it.

This requires the CGI program to be dynamically linkable; it's fair to say quite a few embedded devices use statically linked binaries, so the above attack won't work against them.
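To make the mechanism concrete, here is an added illustration (not GoAhead's own code) of the flawed pattern beside an allowlist-based environment builder that keeps client-supplied names out of the child's environment, plus a small check that flags request lines carrying linker-controlled parameter names. The function names and the sample request line are constructed for this example.

```python
# Added example, not GoAhead's code. Shows how exporting each query parameter
# as an environment variable hands the dynamic linker's knobs (LD_PRELOAD etc.)
# to the client, and an allowlist builder that passes parameters only via
# QUERY_STRING, as the CGI specification intends.
from urllib.parse import parse_qsl, urlsplit

# Fixed baseline a CGI child is allowed to inherit; nothing from the request.
BASE_ENV = {"PATH": "/usr/bin:/bin"}


def build_env_vulnerable(request_target):
    """Mirrors the flawed pattern: every query parameter becomes an env var,
    so the client chooses names the dynamic linker honours."""
    env = dict(BASE_ENV)
    parts = urlsplit(request_target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        env[name] = value  # untrusted name and value both land in the environment
    return env


def build_env_hardened(request_target, method="GET"):
    """Allowlist builder: only server-computed CGI meta-variables are set;
    untrusted parameters reach the program only inside QUERY_STRING."""
    parts = urlsplit(request_target)
    env = dict(BASE_ENV)
    env.update({
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": parts.path,
        "QUERY_STRING": parts.query,
    })
    return env


def linker_controlled_params(request_target):
    """Detection helper for access logs or a request filter: returns the
    decoded query parameter names a glibc dynamic linker would act on."""
    parts = urlsplit(request_target)
    return sorted({name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
                   if name.startswith("LD_")})


if __name__ == "__main__":
    # Constructed sample request line of the shape described in the article.
    target = "/cgi-bin/status?LD_PRELOAD=/proc/self/fd/0&page=1"
    print("vulnerable env has LD_PRELOAD:", "LD_PRELOAD" in build_env_vulnerable(target))
    print("hardened env has LD_PRELOAD:", "LD_PRELOAD" in build_env_hardened(target))
    print("flagged parameter names:", linker_controlled_params(target))
```

Because `parse_qsl` percent-decodes names, the detector also catches encoded spellings such as `LD%5FPRELOAD`; the hardened builder does not rely on a blocklist at all, which is the safer of the two approaches.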

"The vulnerability is a result of initialising the environment of forked CGI scripts using untrusted HTTP request parameters, and will affect all users who have CGI support enabled with dynamically linked executables (CGI scripts). This behavior, when combined with the glibc dynamic linker, can be abused for remote code execution using special variables such as LD_PRELOAD," explained researcher Daniel Hodson of Australian security house elttam, who found and reported the bug.

EmbedThis told The Register that the impact of the flaw should be limited to devices and servers that have CGI-based executables, and that estimates placing the number of vulnerable internet-facing devices in the hundreds of thousands are off.

"Most GoAhead customers do not use CGI as GoAhead has better, faster, smaller internal alternatives," a spokesperson told El Reg. "GoAhead users have been actively discouraged from using the slower, less secure CGI forms for at least 10 years. Most sites do not use it and are not vulnerable."

EmbedThis noted that elttam made a point of contacting the company ahead of time to ensure a fix could be released before details on the flaw were made public. Needless to say, folks who have devices that run GoAhead should update, if possible, to version 3.6.5 (or 4.0) to patch the vulnerability.

If you're using kit that runs a vulnerable version of GoAhead with dynamically linked CGI programs, then you'll need to install the fix by hand or pester the machine's manufacturer for a firmware update.

Perhaps not that many devices or servers will be affected – we'll find out soon enough, though. Proof-of-concept exploit code is now available. ®
