CVE-2021-41773 – Apache web server path traversal

Last Monday, October 4, Apache disclosed a vulnerability introduced in Apache HTTP Server 2.4.49 known as CVE-2021-41773. At the same time, update 2.4.50 was released, fixing this vulnerability. The vulnerability allows an attacker to bypass path traversal protections, using encryption, and read arbitrary files on the web server’s file system. Linux and Windows servers running this version of Apache are affected.

This vulnerability was introduced on 2.4.49, on a patch that aimed to improve performance in URL validation. The new validation method could be bypassed by encoding the ‘.’ personage. If the Apache web server configuration is not set to “Require all disabled”, exploitation is relatively trivial. By encoding these characters and modifying a URL with the payload, classic path traversal is possible.

Due to the simple exploitation of this vulnerability, several public proof-of-concept scripts are already available on the Internet. A simple demonstration can also be done using curl, as the attacker only needs to traverse enough directories to access the root of the server with a slight modification that disrupts URL normalization.

It is also possible to perform remote code execution if mod_cgi is enabled using a URL prefixed with /cgi-bin/, which is a feature not used in modern web technologies. However, many older web deployments still depend on it to work.

This vulnerability has been confirmed to have been exploited in the wild prior to the release of patch 2.4.50, making this vulnerability a 0day. Our research has detected that several users on dark web forums are already actively researching this vulnerability, trying to exploit it on public servers.

The first image shows an attacker describing how to exploit the vulnerability, along with advice on how to mitigate it. In the second image, another attacker has successfully exploited the vulnerability to obtain a list of users on the machine and is requesting assistance in exploiting it to gain a foothold on the machine:

1. Vulnerability advice by a user in an underground forum

2. The attacker asks for help to leverage the vulnerability to gain a foothold

The vulnerable version was released on September 15, 2021, but fortunately it had not yet been included in the main Linux distribution repositories (Ubuntu, for example, is still at 2.4.41). According to Shodan, there are 112,000 active deployments of the affected version on the public internet, compared to 1,719,000 total active Apache installations.

3. Shodan Results for Apache Servers Running Vulnerable Version Compared to Other Versions

The recommended mitigation, in this case, is to update as soon as possible to version 2.4.50, which is already available for download on the Apache website. Blueliv does not recommend trying to mitigate the vulnerability using access control because even if properly set, an attacker could still exploit the vulnerability to obtain source code for any CGI script.

The post CVE-2021-41773 – Apache Web Server Path Traversal appeared first on Blueliv.

*** This is a syndicated blog from Blueliv’s Security Bloggers Network written by Roman Tauler. Read the original post at: