A new attack vector has been found against the Apache HTTP server that was left unpatched by the 2.4.50 update and allows access to files outside the site's root directory. Researchers have also found a way, given certain non-standard settings, not only to read system files but also to execute code remotely on the server. The problem manifests only in releases 2.4.49 and 2.4.50; earlier versions are not affected. To fix the new variant of the vulnerability, Apache httpd 2.4.51 was promptly released.
In essence, the new problem (CVE-2021-42013) is entirely analogous to the original vulnerability (CVE-2021-41773) in 2.4.49; the only difference is a different encoding of the ".." characters. In particular, the 2.4.50 release blocked the use of the sequence "%2e" to encode a dot, but double encoding was missed: when the sequence "%%32%65" is supplied, the server decodes it into "%2e" and then into ".", so the "../" characters used to move to the parent directory could be encoded as ".%%32%65/".
As for exploiting the vulnerability for code execution, this is possible if mod_cgi is enabled and the request uses a base path in which CGI script execution is allowed (for example, one defined by a ScriptAlias directive, or one whose Options directive carries the ExecCGI flag). A further prerequisite for a successful attack is that the Apache configuration explicitly grants access to directories containing executables, such as /bin, or to the filesystem root "/". Since such access is usually not granted, the code execution attack is of little use against real systems.
At the same time, an attack that reads arbitrary system files and the source of web scripts readable by the user the HTTP server runs as remains relevant. To carry out such an attack, it is enough for the site to have a directory configured with the "Alias" or "ScriptAlias" directives (DocumentRoot alone is not enough), such as "cgi-bin".
An example of an exploit that runs the "id" utility on the server:
curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Examples of exploits that display the contents of /etc/passwd and the source of one of the web scripts (to display script code, the request must go through a directory defined by an "Alias" directive for which script execution is not enabled):
curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
curl 'http://192.168.0.1/aliaseddir/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/usr/local/apache2/cgi-bin/test.cgi'
The problem mainly affects continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as FreeBSD ports. The packages in the stable branches of the conservative server distributions Debian, RHEL, Ubuntu and SUSE are not vulnerable. The problem does not manifest itself if directory access is explicitly denied with the "Require all denied" setting, which is the default for the root directory in the typical httpd configuration shipped with Debian and many other distributions:
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
Update: On October 6 and 7, Cloudflare recorded more than 300 thousand attempts per day to exploit the CVE-2021-41773 vulnerability. Most often, the automated attacks request the contents of "/cgi-bin/.%2e/.git/config", "/cgi-bin/.%2e/app/etc/local.xml", "/cgi-bin/.%2e/app/etc/env.php" and "/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd".
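The following defender-side check is an added example, not code from the article or from the Apache project, and the access-log lines it scans are constructed. It repeatedly percent-decodes each request target and flags requests that yield a ".." path segment, reporting how many decode rounds were needed, so the two-round "%%32%65" form described above stands out from the single-encoded "%2e" form seen in the Cloudflare figures.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [06/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199
203.0.113.9 - - [06/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [06/Oct/2021:10:00:04 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 60
203.0.113.5 - - [06/Oct/2021:10:00:05 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 77
"""

# Method and request target from the quoted request line of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(target, max_rounds=3):
    """Percent-decode until the text stops changing; return (text, rounds).
    One round turns '%%32%65' into '%2e' (the lone '%' is not followed by two
    hex digits, so it survives); a second round turns '%2e' into '.'."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def has_dotdot_segment(path):
    """True when any '/'-separated segment of the path is exactly '..'."""
    path = path.split("?", 1)[0]  # ignore any query string
    return any(segment == ".." for segment in path.split("/"))

def scan_log(text):
    """Return (method, target, rounds) for each request whose target yields a
    '..' segment after decoding: rounds == 1 is the '.%2e' form of
    CVE-2021-41773, rounds == 2 the '.%%32%65' form of CVE-2021-42013."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        decoded, rounds = decode_fully(match.group("target"))
        if has_dotdot_segment(decoded):
            hits.append((match.group("method"), match.group("target"), rounds))
    return hits

if __name__ == "__main__":
    for method, target, rounds in scan_log(SAMPLE_LOG):
        print(f"{method} {target}: '..' after {rounds} decode round(s)")
```

Plain "a..b"-style names are not flagged, since only a whole segment equal to ".." counts; the literal "/../" form is also caught, although httpd collapses it itself before alias mapping.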