CVEs, or Common Vulnerabilities and Exposures, are essential for understanding and reducing security risk. In this article we will discuss two significant CVEs, CVE-2021-41773 and CVE-2021-42013, both affecting the Apache HTTP Server. These flaws, which put web servers at serious risk, are classified as path traversal (directory traversal) vulnerabilities. Let's examine the specifics.

Before diving in, let's examine how path traversal attacks work.

Path traversal, also known as directory traversal, allows attackers to access files and directories outside of the permitted scope. By manipulating the file or folder names supplied in input parameters, attackers can break out of the web directory and walk the rest of the filesystem.

For example, using sequences like "../" or their URL-encoded equivalents, attackers can reach sensitive system files such as /etc/passwd. A successful traversal means unauthorized file access and, if the server can be made to execute what it reaches, total compromise.
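To make the general mechanism concrete, here is an added example (not code from the original article or from Apache) of the file-mapping logic at the heart of a traversal bug: a naive join of the document root and the user-supplied path, next to the hardened version that canonicalises the result and refuses anything that does not stay under the document root. The directory layout, file names and contents are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sandbox (assumption: illustrative paths only): a fake document
# root holding one public file, plus a file one level above it that plays the
# role of /etc/passwd.
ROOT = tempfile.mkdtemp()
DOCROOT = os.path.join(ROOT, "htdocs")
os.makedirs(DOCROOT)
with open(os.path.join(DOCROOT, "index.html"), "w") as fh:
    fh.write("public\n")
with open(os.path.join(ROOT, "secret.txt"), "w") as fh:
    fh.write("root:x:0:0\n")


def read_unsafe(user_path: str) -> str:
    """Vulnerable mapping: decode the request path and join it onto DOCROOT.

    Nothing checks where the joined path ends up, so "../secret.txt" (or its
    encoded form "%2e%2e/secret.txt") reads a file outside the document root.
    """
    target = os.path.join(DOCROOT, unquote(user_path))
    with open(target) as fh:
        return fh.read()


def resolve(user_path: str):
    """Hardened mapping: decode once, canonicalise, then require the result to
    remain under DOCROOT. Returns (absolute_target, allowed)."""
    target = os.path.realpath(os.path.join(DOCROOT, unquote(user_path)))
    root = os.path.realpath(DOCROOT)
    # commonpath collapses "..", symlinks are already resolved by realpath, so
    # a target that escaped the root no longer shares the root as its prefix.
    allowed = os.path.commonpath([root, target]) == root
    return target, allowed


def read_safe(user_path: str) -> str:
    """Serve a file only if resolve() confirms it lives under the document root."""
    target, allowed = resolve(user_path)
    if not allowed:
        raise PermissionError(f"path escapes document root: {user_path!r}")
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    print(read_unsafe("../secret.txt"))      # the traversal succeeds
    print(resolve("%2e%2e/secret.txt"))       # (..., False): rejected
    print(read_safe("index.html"))            # normal request still served
```

The point of checking after canonicalisation rather than searching the raw input for "../" is that the check cannot be fooled by the encoding of the dots: whatever form they arrive in, the decoded and normalised path either starts with the document root or it does not.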

What exactly happened in Apache 2.4.49?

A change to the Apache server's path normalization code allowed a specially crafted URL to bypass the traversal filters and map to files outside the document root. If CGI was enabled, the same flaw could be used to achieve remote code execution (RCE).

Let's look at the first vulnerability to understand this better.

CVE-2021-41773: Opening the Barn Door

CVE-2021-41773, published on October 5, 2021, affects Apache HTTP Server version 2.4.49. By taking advantage of a flaw in path normalization, an attacker can map URLs to files outside the document root. Such requests succeed if the files outside the document root are not protected by the usual access controls. The vulnerability can also reveal the source code of files that are normally interpreted rather than served, such as CGI scripts. It is important to note that only Apache version 2.4.49 is affected by this particular CVE.


To illustrate the attack, we'll use the TryHackMe machine.

For example, an attacker can try the following command on Apache 2.4.49 with CGI enabled:

curl -v 'http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' \
  -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' \
  -H "Content-Type: text/plain"

Let's break down what is happening in this command:

  • The curl command sends an HTTP request to this URL. The path uses URL encoding (%2e stands for "."), so each ".%2e/" segment is a "../" that climbs one directory level; after enough repetitions the path leaves the cgi-bin directory and the document root entirely and lands on /bin/bash, which the server then treats as the CGI program to run.
  • The -d flag sends data in the body of the HTTP request. Here the body is a series of shell commands separated by semicolons (;). It first echoes Content-Type: text/plain (so the output is accepted as a valid CGI response header), then echoes an empty line (echo;) to terminate the headers, and finally reads the contents of /etc/passwd using cat.

If the server does not have permission to execute the specified script or if the script does not exist at the specified location, the command may fail with a permission denied or file not found error.

In these circumstances, one can still exploit Apache 2.4.49 without relying on CGI execution, by reading a file directly through the traversal instead:

curl -v 'http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd'

When this command is executed, it attempts to read the /etc/passwd file on the server by traversing up the directory tree repeatedly using the %2e encoding of ".".

CVE-2021-42013: No Quick Fixes in Security

CVE-2021-42013 was published on October 7, 2021, just two days after CVE-2021-41773, of which it is an extension. It affects Apache HTTP Server versions 2.4.49 and 2.4.50. Like CVE-2021-41773, it uses path traversal to map URLs to files outside the directories configured by Alias-like directives. If the files outside these directories lack the default configuration protection (e.g., "require all denied"), the requests succeed. Notably, if CGI scripts are enabled for the aliased paths, remote code execution (RCE) becomes possible.

For Apache 2.4.50, the following command can be used:

curl 'http://localhost:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'

Here, to get around the filter added in 2.4.50 that catches a single-encoded "../", we have double-encoded the ".": %32 decodes to "2" and %65 decodes to "e", so "%%32%65" becomes "%2e" after one round of decoding and "." after a second, turning each ".%%32%65/" segment back into "../".
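Both encodings above (the .%2e form used against 2.4.49 and the .%%32%65 form used against 2.4.50) only become "../" after percent-decoding, which is why a filter that looks at the raw request for "../" misses them. The following added example, which is not code from the original article, shows the detection side: it decodes request paths from access-log lines until they stop changing, flags any request whose decoded path contains a whole ".." segment, and records how many decoding rounds were needed, so single and nested encoding are told apart. The log lines are constructed for the demonstration, as are the IP addresses and timestamps in them.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
# Lines 2 and 3 mimic the single-encoded (.%2e) and double-encoded (.%%32%65)
# traversal patterns discussed above; line 4 is a benign name containing "..".
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 612
10.0.0.7 - - [05/Oct/2021:12:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1432
10.0.0.9 - - [07/Oct/2021:09:15:33 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 58
10.0.0.3 - - [07/Oct/2021:09:16:00 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 77
"""

# Client address, then the request line: method, path and protocol marker.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded).

    Returns (decoded_path, rounds): rounds == 1 means single encoding such as
    .%2e -> .., rounds >= 2 means nested encoding such as .%%32%65 -> .%2e -> ..
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def has_dotdot_segment(decoded_path):
    """True only if an entire segment is '..'; 'a..b' is an ordinary file name."""
    return any(seg == ".." for seg in decoded_path.split("/"))


def scan(log_text):
    """Return one alert dict per request whose fully decoded path climbs with '..'."""
    alerts = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded, rounds = fully_decode(m["path"])
        if not has_dotdot_segment(decoded):
            continue
        alerts.append({
            "ip": m["ip"],
            "method": m["method"],
            "raw": m["path"],
            "decoded": decoded,
            "encoding_rounds": rounds,
            # A POST whose target was reached by traversal matches the RCE
            # pattern (commands in the body executed through CGI); a GET is
            # file disclosure.
            "severity": "high" if m["method"] == "POST" else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running the scan over the sample reports the two traversal requests and leaves the benign "a..b" entry alone; the "encoding_rounds" field is 1 for the .%2e request and 2 for the .%%32%65 request. Bounding the decode loop matters in a detector: an attacker-controlled string could otherwise keep the loop busy, and three rounds already covers anything a normal client would send.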


Conclusion:

CVE-2021-41773 and CVE-2021-42013 show how critical path traversal vulnerabilities in Apache HTTP Server versions 2.4.49 and 2.4.50 can be exploited. They highlight the importance of proper input validation and access control in web servers. Staying informed about CVEs and promptly patching and updating software are crucial steps in maintaining a secure online presence.

Resources: