CVE-2021-41773 – Traversing the path of the Apache web server


On Monday, October 4, Apache disclosed a vulnerability introduced in Apache HTTP Server 2.4.49, tracked as CVE-2021-41773. At the same time, update 2.4.50 was released to correct it. The vulnerability allows an attacker to bypass path traversal protections by using URL encoding and to read arbitrary files on the web server's file system. Linux and Windows servers running this version of Apache are affected.

This vulnerability was introduced in 2.4.49 by a patch intended to improve the performance of URL validation. The new validation method can be circumvented by percent-encoding the ‘.’ character. If the Apache web server configuration does not set “Require all denied”, exploitation is relatively trivial: by encoding these characters and inserting the payload into a URL, a classic path traversal becomes possible.

Because the vulnerability is so simple to exploit, several public proof-of-concept scripts are already available on the Internet. A simple demonstration can also be done with curl: the attacker only has to climb enough directories to reach the root of the server, with a slight change to the URL that disrupts its normalization.

Remote code execution is also possible if mod_cgi is enabled, using a URL prefixed with /cgi-bin/. This is a feature rarely used by modern web technologies, but many older web deployments still depend on it to function.
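The encoded-dot bypass and the /cgi-bin/ case described above leave a recognisable trace in the access log, so the following is an added detection example (written for this page, not Blueliv's or Apache's code) that parses constructed combined-format log lines, percent-decodes each request path and flags any that resolve to a ".." segment. The sample log lines, the bounded repeated decoding and the dict keys are assumptions of this example, not details from the post.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample data, not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.68.0"
203.0.113.5 - - [05/Oct/2021:10:01:30 +0000] "GET /icons/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.68.0"
203.0.113.5 - - [05/Oct/2021:10:02:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.7 - - [05/Oct/2021:10:03:14 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]+" (?P<status>\d{3}) ')
DOT_SEGMENT = re.compile(r'(?:^|/)\.\.(?:/|$)')  # a ".." segment after decoding

def decode_path(raw_path, rounds=3):
    """Drop the query string and percent-decode until stable (the post describes single %2e
    encoding; the bounded repeat is an assumption added here to cover layered encodings)."""
    path = raw_path.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify_request(raw_path, status):
    """Return a finding dict if the decoded path contains a '..' segment, else None."""
    decoded = decode_path(raw_path)
    if not DOT_SEGMENT.search(decoded):
        return None
    return {
        "decoded": decoded,
        # CVE-2021-41773 signature: percent-encoded dots, which the 2.4.49 check missed.
        "encoded_dots": "%2e" in raw_path.lower(),
        # Traversal under /cgi-bin/ is the mod_cgi exposure the post warns about.
        "cgi_bin": decoded.startswith("/cgi-bin/"),
        "served": status == 200,  # a 200 suggests the traversed file was actually returned
    }

def scan_log(text):
    """Parse each access-log line and collect findings for traversal-shaped requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        f = m and classify_request(m.group("path"), int(m.group("status")))
        if f:
            f["ip"] = m.group("ip")
            findings.append(f)
    return findings

for f in scan_log(SAMPLE_LOG):  # demo run over the constructed lines
    print(f["ip"], f["decoded"], "encoded=%s cgi=%s served=%s" % (f["encoded_dots"], f["cgi_bin"], f["served"]))
```

A plain "/docs/../x" request is reported too, but without the encoded-dots flag: Apache normalises that form itself, so only the encoded variant is the 2.4.49 bypass.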

This vulnerability has been confirmed to have been exploited in the wild prior to the release of patch 2.4.50, making it a 0-day. Our research has detected that several users on dark web forums are already actively searching for this vulnerability and attempting to exploit it against public servers.

The first image shows an attacker describing how to exploit the vulnerability, along with tips on how to mitigate it. In the second image, another attacker has successfully exploited the vulnerability to obtain a list of users on the machine and asks for help exploiting it further to gain a foothold on the machine:

1. Vulnerability hints by a user in an underground forum

2. The attacker asks for help to take advantage of the vulnerability to gain a foothold

The vulnerable version was released on September 15, 2021, but luckily it had not yet been included in major Linux distribution repositories (Ubuntu, for example, is still on 2.4.41). According to Shodan, 112,000 active deployments of the affected version are exposed on the public Internet, compared to 1,719,000 active Apache installations in total.

3. Shodan results for Apache servers running a vulnerable version compared to other versions

The recommended mitigation in this case is to update as soon as possible to version 2.4.50, which is already available for download from the Apache website. Blueliv does not recommend trying to mitigate the vulnerability by using access control: even when it is properly set, an attacker could still exploit the vulnerability to obtain the source code of any CGI script.

The post CVE-2021-41773 – Traversing the path of the Apache web server appeared first on Blueliv.

*** This is a Security Bloggers Network syndicated blog from Blueliv written by Roman Tauler. Read the original post on:
