Apache httpd RCE

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was incomplete, see CVE-2021-42013.

Affected Version(s)

2.4.49
2.4.50

Fixed in Version(s)

2.4.51

Prerequisities

podman (or alias podman as docker)
python3 and pip3
colorama (python library install with pip3 install colorama)

Files

httpd.conf the Default Apache configuration (with CGI module enabled)
hello.pl an example hello-world perl CGI script running in the container(s)
main.py an example exploit python script

Reproduction

Start a vulnerable Apache httpd (with default configuration) as docker/podman container.

Dockerfile	Container	Version
Dockerfile2449	vulnapache2449	2.4.49
Dockerfile2450	vulnapache2450	2.4.50

Build both container images 1.1 chmod +x ./build.sh 1.2 ./build.sh
Start vulnerable Apache httpd Containers 2.1 chmod +x ./run.sh 2.2 ./run.sh
verify webserver is running 3.1 curl localhost:2449/cgi-bin/hello.pl 3.2 curl localhost:2450/cgi-bin/hello.pl

Container	Listen Port
vulnapache2449	2449
vulnapache2450	2450

run the exploit script 1.1 python3 main.py localhost:4249 1.2 select attack on version 2.4.49 1.3 python3 main.py localhost:2450 1.4 select attack on version 2.4.50

Explanation

The Exploit will utilize Apache httpds CGI module to allow execution of arbitrary executables through path traversal.

/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash
/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash

.%2e/ is url-encoded and equals to ../ if decoded. .%%32%658 is double url-encoded and equals also to ../ if decoded.

Credits

Exploit Author: Valentin Lobstein
Software Link: https://github.com/Balgogan/CVE-2021-41773
Lucas Schnell

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
.gitignore		.gitignore
CVE-2021-41773.odp		CVE-2021-41773.odp
CVE-2021-42013.pdf		CVE-2021-42013.pdf
Dockerfile2449		Dockerfile2449
Dockerfile2450		Dockerfile2450
build.sh		build.sh
exploitation-sample.png		exploitation-sample.png
hello.pl		hello.pl
httpd.conf		httpd.conf
main.py		main.py
readme.md		readme.md
run.sh		run.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Apache httpd RCE

Affected Version(s)

Fixed in Version(s)

Prerequisities

Files

Reproduction

Explanation

Credits

About

Releases

Packages

Languages

mightysai1997/cve-2021-41773

Folders and files

Latest commit

History

Repository files navigation

Apache httpd RCE

Affected Version(s)

Fixed in Version(s)

Prerequisities

Files

Reproduction

Explanation

Credits

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages