{"id":7642,"date":"2018-01-05T01:51:35","date_gmt":"2018-01-05T01:51:35","guid":{"rendered":"http:\/\/blog.nsfocusglobal.com\/?p=1076"},"modified":"2025-07-09T07:15:10","modified_gmt":"2025-07-09T07:15:10","slug":"technical-analysis-and-recommended-solution-of-goahead-httpd-2-5-to-3-5-ld_preload-remote-code-execution-vulnerability-cve-2017-17562","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/technical-analysis-and-recommended-solution-of-goahead-httpd-2-5-to-3-5-ld_preload-remote-code-execution-vulnerability-cve-2017-17562\/","title":{"rendered":"Technical Analysis and Recommended Solution of GoAhead httpd\/2.5 to 3.5 LD_PRELOAD Remote Code Execution Vulnerability (CVE-2017-17562)"},"content":{"rendered":"

\"\"<\/a><\/p>\n

A remote RCE vulnerability (CVE-2017-17562) was found in all GoAhead Web Server\u2019s versions earlier than 3.6.5. The vulnerability is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters, and will affect all users who have CGI support enabled with dynamically linked executables (CGI scripts). This behavior, when combined with the glibc dynamic linker, can be abused for remote code execution using special variables such as LD_PRELOAD.<\/p>\n

Reference links:<\/p>\n

https:\/\/www.elttam.com.au\/blog\/goahead\/<\/a><\/p>\n

https:\/\/github.com\/embedthis\/goahead\/issues\/249<\/a><\/p>\n

Affected Versions<\/h2>\n

\uf06c\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 GoAhead Web Server Version < 3.6.5<\/p>\n

Unaffected Versions<\/strong><\/h2>\n

\uf06c\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0GoAhead Web Server Version >= 3.6.5<\/p>\n

Solutions<\/h2>\n

Users\u2019 Self-Inspection<\/strong><\/h3>\n

This vulnerability has impact on users who have enabled dynamically linked executables on Linux server. Besides, users should check their GoAhead Web Server version to see if it is affected. If it\u2019s earlier than version 3.6.5, risk exists.<\/p>\n

The following commands can be used to check the version:<\/p>\n\n\n\n
.\/goahead –version<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\"\"<\/a><\/p>\n

Patches from Vendor<\/strong><\/h3>\n

The vendor has released patches to fix this issue in its new version. Users are advised to upgrade immediately by saving and applying auth.txt and route.txt files to the new version.<\/p>\n

Reference links:<\/p>\n

https:\/\/embedthis.com\/goahead\/download.html<\/a><\/p>\n

https:\/\/embedthis.com\/goahead\/doc\/start\/installing.html<\/a><\/p>\n

Recommended Solution from NSFOCUS<\/strong><\/h3>\n

Using NSFOCUS detection products and service<\/p>\n

    \n
  1. Use NSFOCUS Cloud to get quick online detection for public assets, available at the following link: https:\/\/cloud.nsfocus.com\/#\/krosa\/views\/initcdr\/productandservice?page_id=12<\/a><\/li>\n
  2. Use NSFOCUS Intrusion Detection System (IDS) to detect intranet assets. Find the latest patch at the following link and carry out the detection. http:\/\/update.nsfocus.com\/update\/listIds<\/a><\/li>\n<\/ol>\n

    Using NSFOCUS prevention products<\/p>\n