Associated Vulnerability
Title: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)
Description: It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
Description
A comprehensive Python-based vulnerability scanner for detecting CVE-2021-41773 and CVE-2021-42013 path traversal and remote code execution vulnerabilities in Apache HTTP Server versions 2.4.49 and 2.4.50.
Readme
# CVE-2021-41773 / CVE-2021-42013 Apache Vulnerability Scanner
A comprehensive Python-based vulnerability scanner for detecting **CVE-2021-41773** and **CVE-2021-42013** path traversal and remote code execution vulnerabilities in Apache HTTP Server versions 2.4.49 and 2.4.50.
## Overview
CVE-2021-41773 and CVE-2021-42013 are critical vulnerabilities affecting Apache HTTP Server that allow attackers to:
- **Read arbitrary files** from the server (path traversal)
- **Execute arbitrary code** on the server (remote code execution)
- **Bypass security restrictions** through improper URL normalization
These vulnerabilities gained widespread attention in October 2021 and have been actively exploited in the wild.
## Vulnerabilities Explained
### CVE-2021-41773 (Apache 2.4.49)
- **Type**: Path Traversal + Remote Code Execution
- **CVSS Score**: 9.8 Critical
- **Affected Versions**: Apache HTTP Server 2.4.49
- **Root Cause**: Improper path normalization allowing encoded dot characters (`.%2e`) to bypass directory restrictions
- **Impact**: Read sensitive files like `/etc/passwd`, execute arbitrary commands if mod_cgi is enabled
### CVE-2021-42013 (Apache 2.4.50)
- **Type**: Path Traversal + Remote Code Execution
- **CVSS Score**: 9.8 Critical
- **Affected Versions**: Apache HTTP Server 2.4.50
- **Root Cause**: Insufficient fix for CVE-2021-41773, allows double URL encoding (`%%32%65`) bypass
- **Impact**: Same as CVE-2021-41773, affects the patched version
## Features
- ✅ **Dual CVE Detection**: Tests for both CVE-2021-41773 and CVE-2021-42013
- ✅ **Path Traversal Testing**: Multiple payload variations for file access attempts
- ✅ **RCE Testing**: Remote code execution verification if mod_cgi is enabled
- ✅ **Batch Scanning**: Scan multiple targets from a file
- ✅ **Color-Coded Output**: Easy-to-read formatted results
- ✅ **Customizable Timeout**: Adjustable request timeout for unreliable networks
- ✅ **User-Agent Spoofing**: Bypasses basic filtering mechanisms
## Requirements
- Python 3.6+
- `requests` library
- `colorama` library
## Installation
### Clone the Repository
```bash
# Clone the repository and enter the directory that git creates for it
git clone https://github.com/drackyjr/CVE-2021-42013.git
cd CVE-2021-42013
```
### Install Dependencies
```bash
pip3 install -r requirements.txt
```
Or manually install:
```bash
pip3 install requests colorama
```
## Usage
### Single Target Scan
```bash
python3 cve_scanner.py -u http://192.168.1.100
```
### HTTPS Target
```bash
python3 cve_scanner.py -u https://target.com
```
### Custom Timeout
```bash
python3 cve_scanner.py -u http://target.com -t 15
```
### Batch Scanning
```bash
python3 cve_scanner.py -l targets.txt
```
### Help
```bash
python3 cve_scanner.py -h
```
## Command-Line Arguments
| Argument | Short | Type | Description |
|----------|-------|------|-------------|
| `--url` | `-u` | STRING | Target URL (e.g., http://example.com) |
| `--list` | `-l` | FILE | File containing list of targets (one per line) |
| `--timeout` | `-t` | INTEGER | Request timeout in seconds (default: 10) |
## Example Usage
### Single Target
```bash
python3 cve_scanner.py -u http://192.168.1.100
```
### Multiple Targets
Create `targets.txt`:
```
http://192.168.1.100
https://example.com:8080
http://10.0.0.50
https://vulnerable.server.com
```
Then run:
```bash
python3 cve_scanner.py -l targets.txt -t 15
```
### Extended Timeout for Slow Networks
```bash
python3 cve_scanner.py -u http://target.com -t 30
```
## Output
The scanner provides detailed output including:
- **Vulnerability Detection Status**: Whether each CVE is detected
- **Payload Information**: Which payload triggered the vulnerability
- **Response Data**: Sample of the server response
- **Recommendations**: Patching guidance
Example output:
```
============================================================
CVE-2021-41773 / CVE-2021-42013 Vulnerability Scanner
============================================================
[*] Target: http://192.168.1.100
[*] Testing CVE-2021-41773 (Apache 2.4.49)...
[+] VULNERABLE to CVE-2021-41773!
[+] Payload: /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd
[+] Response:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
============================================================
Scan Summary
============================================================
[!] Target is VULNERABLE!
[!] Immediate patching required!
[*] Recommendation: Upgrade to Apache HTTP Server 2.4.51 or later
============================================================
```
## How It Works
### CVE-2021-41773 Detection
1. Sends requests with single URL-encoded payloads (`.%2e`)
2. Targets alias directories: `/cgi-bin/`, `/icons/`, `/images/`
3. Attempts to read `/etc/passwd` and `/etc/shadow`
4. Tests command execution via POST requests
### CVE-2021-42013 Detection
1. Sends requests with double URL-encoded payloads (`%%32%65`)
2. Uses same target directories as CVE-2021-41773
3. Bypasses the insufficient patch in Apache 2.4.50
4. Verifies RCE capability if mod_cgi is enabled
### RCE Testing
- Executes `id` command to verify code execution
- Works only if mod_cgi module is enabled
- Looks for `uid=` and `gid=` in response
## Detection Indicators
The scanner looks for:
- **Successful path traversal**: Response contains `root:` or `daemon:` entries from `/etc/passwd`
- **Successful RCE**: Response contains `uid=` and `gid=` from `id` command execution
- **HTTP Status Code**: 200 OK with expected content
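The same two encodings can be hunted for on the server side. The following is an added example, not part of this repository's scanner: it decodes request paths from Apache access-log lines layer by layer and reports requests where a `..` segment only appears after one pass (`.%2e`) or after nested passes (`%%32%65`). The function names, labels and sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request target and status inside an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')

def dotdot_segments(path):
    """Count path segments that are exactly '..'."""
    return sum(1 for seg in path.split("/") if seg == "..")

def hidden_traversal_depth(target, max_rounds=4):
    """Percent-decoding passes needed to expose a new '..' segment (0 = none)."""
    path = target.split("?", 1)[0]
    baseline = dotdot_segments(path)  # literal '..' is not what these CVEs rely on
    for depth in range(1, max_rounds + 1):
        decoded = unquote(path)
        if decoded == path:           # nothing left to decode
            return 0
        if dotdot_segments(decoded) > baseline:
            return depth
        path = decoded
    return 0

def scan(lines):
    """Return (target, encoding label, HTTP status) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        depth = hidden_traversal_depth(m["target"])
        if depth:
            label = ("single-encoded (CVE-2021-41773)" if depth == 1
                     else "nested encoding (CVE-2021-42013)")
            findings.append((m["target"], label, int(m["status"])))
    return findings

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2021:10:01:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.7 - - [06/Oct/2021:10:01:05 +0000] "GET /icons/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 403 199',
    '198.51.100.4 - - [06/Oct/2021:10:02:00 +0000] "GET /images/logo%20small.png HTTP/1.1" 200 5120',
    '198.51.100.4 - - [06/Oct/2021:10:02:09 +0000] "GET /docs/../index.html HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for target, label, status in scan(SAMPLE_LOG):
        print(f"{status} {label}: {target}")
```

A match only shows that the request was attempted; a 200 status on a matching line is the case to investigate first, in line with the status-code indicator above.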
## Mitigation
### Immediate Actions
1. **Upgrade Apache HTTP Server** to version 2.4.51 or later
2. **Disable mod_cgi** if not required
3. **Apply strict directory restrictions**:
```apache
<Directory />
Require all denied
</Directory>
```
### Configuration Hardening
```apache
# Restrict access to sensitive directories
# (<Directory> takes a filesystem path, not a URL path)
<Directory /cgi-bin>
    Require all denied
</Directory>
# Disable symbolic links if not needed
Options -FollowSymLinks
# Enable security headers (requires mod_headers)
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
```
### Version Check
```bash
# Check Apache version
apache2 -v
httpd -v
```
## Supported Apache Versions
| Version | Status | Action |
|---------|--------|--------|
| 2.4.49 | ❌ Vulnerable | Upgrade immediately |
| 2.4.50 | ⚠️ Partially Patched | Upgrade to 2.4.51+ |
| 2.4.51+ | ✅ Patched | No action needed |
## Disclaimer
⚠️ **IMPORTANT**: This tool is intended **ONLY** for authorized security testing and educational purposes. Unauthorized access to computer systems is **ILLEGAL** under laws like the Computer Fraud and Abuse Act (CFAA) and similar legislation worldwide.
**Authorized Use Only:**
- Penetration testing with written permission
- Security audits of your own infrastructure
- CTF competitions and training platforms (TryHackMe, HackTheBox, etc.)
- Educational and research purposes
**Misuse Warning**: Users are responsible for ensuring they have explicit authorization before testing any target. The authors assume no liability for unauthorized use.
## Use Cases
This scanner is ideal for:
### Security Professionals
- Vulnerability assessment and management
- Penetration testing engagements
- Security audits of Apache infrastructure
- Compliance verification (PCI-DSS, etc.)
### System Administrators
- Identifying vulnerable Apache instances
- Validating patch deployment
- Infrastructure security audits
- Server inventory scanning
### Cybersecurity Students
- Learning vulnerability exploitation
- Understanding path traversal attacks
- CTF challenge solving
- Security research and education
### DevOps/DevSecOps
- Infrastructure vulnerability scanning
- CI/CD pipeline security checks
- Container scanning (if running Apache)
- Pre-deployment security verification
## Files
```
.
├── cve_scanner.py # Main scanner script
├── requirements.txt # Python dependencies
├── README.md # This file
├── targets.txt # Example target list
└── LICENSE # License information
```
## Configuration Files
### requirements.txt
```
requests==2.28.1
colorama==0.4.5
```
### targets.txt (Example)
```
http://192.168.1.100
https://vulnerable.example.com
http://10.0.0.50:8080
```
## Troubleshooting
### Issue: Connection Timeout
**Solution**: Increase timeout with `-t` option
```bash
python3 cve_scanner.py -u http://target.com -t 30
```
### Issue: SSL Certificate Error
**Solution**: The script disables SSL verification by default. If issues persist, ensure Python certificates are updated:
```bash
pip3 install --upgrade certifi
```
### Issue: Module Not Found
**Solution**: Ensure all dependencies are installed
```bash
pip3 install -r requirements.txt
```
### Issue: Permission Denied
**Solution**: Make the script executable
```bash
chmod +x cve_scanner.py
python3 cve_scanner.py -u http://target.com
```
## Performance Tips
- **Batch Scanning**: Use `-l` with a target file for multiple scans
- **Parallel Scanning**: For large-scale scanning, run multiple instances with task splitting
- **Timeout Optimization**: Lower timeout values for fast networks, higher for slow connections
- **Target Validation**: Verify targets are reachable before batch scanning
## References
- [NVD CVE-2021-41773](https://nvd.nist.gov/vuln/detail/CVE-2021-41773)
- [NVD CVE-2021-42013](https://nvd.nist.gov/vuln/detail/CVE-2021-42013)
- [Apache HTTP Server Security Advisory](https://httpd.apache.org/security/)
- [Qualys Security Research](https://blog.qualys.com/vulnerabilities-threat-research/)
- [CISA Alert AA21-265A](https://us-cert.cisa.gov/ncas/alerts/2021/09/22/cisa-releases-alert-based-vulnerability-affecting-apache-httpd)
## Contributing
Contributions are welcome! To contribute:
1. **Fork** the repository
2. **Create** a feature branch (`git checkout -b feature/improvement`)
3. **Commit** your changes (`git commit -m 'Add improvement'`)
4. **Push** to the branch (`git push origin feature/improvement`)
5. **Submit** a Pull Request
Please ensure:
- Code follows PEP 8 standards
- Comments explain complex logic
- Payloads are tested for effectiveness
- README is updated if adding features
## License
This project is licensed under the MIT License. See the LICENSE file for details.
## Author
**Security Testing Tool**
Created for educational and authorized security testing purposes.
For questions, issues, or suggestions, please open an issue on GitHub.
## Changelog
### Version 1.0.0 (Initial Release)
- ✅ CVE-2021-41773 detection
- ✅ CVE-2021-42013 detection
- ✅ Path traversal testing
- ✅ RCE capability verification
- ✅ Batch scanning support
- ✅ Color-coded output
- ✅ Customizable timeout
## Security Notes
- The scanner sends HTTP requests to target servers
- It does not modify any files on target systems
- SSL verification is disabled for flexibility
- User-Agent is spoofed to bypass basic filtering
- Results should be validated before taking action
- Always maintain logs of authorized testing
---
**Last Updated**: November 2025
**Status**: Active Development
**Tested On**: Python 3.8+, Apache 2.4.49, 2.4.50
File Snapshot
[4.0K] /data/pocs/a968b7130cd7bd5204ce05b7f5ad94369332d637
├── [9.7K] CVE-2021-41773.py
└── [ 11K] README.md
1 directory, 2 files