## https://sploitus.com/exploit?id=805E6B24-8DF9-51D8-8DF6-6658161F96EA
# CVE-2021-41773

A Zeek package which raises notices for path traversal/RCE attempts against Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013, the bypass of the incomplete fix for CVE-2021-41773).  

References  
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773  
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013  
https://blog.sonatype.com/apache-servers-actively-exploited-in-wild-importance-of-prompt-patching  
https://corelight.com/blog/tag/corelight-labs  



## Installation  
`zkg install https://github.com/corelight/CVE-2021-41773/`  

To run it against a pcap you already have:  
`zeek -Cr scripts/__load__.zeek your.pcap`   


## Options and notes:

- This package will run in clustered or non-clustered environments.

- To assist with IR triage of PATH_TRAVERSAL_IS_VULNERABLE notices, the 'sub' field includes the following data:  
	- For POST requests, the first `http_body_analysis_byte_depth` bytes of the request body. The default of 1000 should be high enough to capture the data required for triage; set it to a higher number to collect more (or all) of the payload. The setting is declared in the package as `global http_body_analysis_byte_depth: count = 1000;`.  
	- The HTTP `Server` response header value, for confirmation of the server version.  
	- The original URI, with all encodings present (prior to any decoding). Note that by default Zeek populates http.log with the DECODED version of the URI, not the version originally sent, so the encoded form does not appear in http.log.  


## Example Notice

```
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open XXXX-XX-XX-XX-XX-XX
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	string	string	string	double	double

XXXXXXXXXX.XXXXXX	CT7T802QofJINCquNg	127.0.0.1	44740	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	Cj7NfN13Javpjxe831	127.0.0.1	44744	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	CIhB6g4tQcEI34f1Z7	127.0.0.1	44748	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%%32%65/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	CMmr2q3Fe2wlSS2iUh	127.0.0.1	44752	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%%32%65/.%2e/%2e%2e/.%2e/%2e%2e/%2e%2e/.%%32%65/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-
#close XXXX-XX-XX-XX-XX-XX

```
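As an added example (not code from this package), the Python below parses the 'sub' field of the notices above, percent-decodes `original_URI` one round at a time, and reports at which round the path escapes the CGI directory and how many layers of encoding were used (the `%%32%65` form, which needs two rounds to become `.`, is the CVE-2021-42013 variant). The `/cgi-bin/` prefix and the 2.4.49/2.4.50 version check are assumptions for illustration; the sample 'sub' strings are copied from the example notice.log above.

```python
# Added example for this README (not code from the corelight/CVE-2021-41773
# package): parse the 'sub' field of a PATH_TRAVERSAL_IS_VULNERABLE notice,
# percent-decode the original_URI round by round, and report at which round
# the path escapes /cgi-bin/ and how many layers of encoding were used.
import re
from urllib.parse import unquote

# Constructed input: the four 'sub' values from the example notice.log above.
SAMPLE_SUBS = [
    "payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', "
    "original_URI='/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/%2e%2e/bin/sh', "
    "Server header value='Apache/2.4.49 (Unix)'",
    "payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', "
    "original_URI='/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', "
    "Server header value='Apache/2.4.49 (Unix)'",
    "payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', "
    "original_URI='/cgi-bin/.%%32%65/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', "
    "Server header value='Apache/2.4.49 (Unix)'",
    "payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', "
    "original_URI='/cgi-bin/.%%32%65/.%2e/%2e%2e/.%2e/%2e%2e/%2e%2e/.%%32%65/bin/sh', "
    "Server header value='Apache/2.4.49 (Unix)'",
]

URI_RE = re.compile(r"original_URI='([^']*)'")
SERVER_RE = re.compile(r"Server header value='([^']*)'")
PAYLOAD_RE = re.compile(r"payload sample \(first \d+ bytes of POST\)='([^']*)'")

# Assumption: the ScriptAlias prefix the request must escape to reach the filesystem.
CGI_PREFIX = "/cgi-bin/"
# Assumption: versions affected by CVE-2021-41773 / CVE-2021-42013 (fixed in 2.4.51).
VULNERABLE_VERSIONS = ("Apache/2.4.49", "Apache/2.4.50")


def parse_sub(sub):
    """Pull the three triage fields out of the notice 'sub' string (None if absent)."""
    def grab(rx):
        m = rx.search(sub)
        return m.group(1) if m else None
    return {"original_URI": grab(URI_RE), "server": grab(SERVER_RE), "payload": grab(PAYLOAD_RE)}


def decode_rounds(uri, max_rounds=4):
    """Percent-decode repeatedly until the string stops changing.
    Index 0 is the raw URI; '.%2e' becomes '..' after one round,
    '.%%32%65' becomes '.%2e' after one round and '..' after two."""
    rounds = [uri]
    for _ in range(max_rounds):
        nxt = unquote(rounds[-1])
        if nxt == rounds[-1]:
            break
        rounds.append(nxt)
    return rounds


def escapes_prefix(path, prefix=CGI_PREFIX):
    """True if resolving '.' and '..' segments walks above the aliased prefix."""
    if not path.startswith(prefix):
        return False
    depth = 0
    for seg in path[len(prefix):].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def triage(sub):
    """Summarise one notice: decoded path, encoding depth, first escaping round."""
    fields = parse_sub(sub)
    rounds = decode_rounds(fields["original_URI"] or "")
    escapes_at = next((i for i, p in enumerate(rounds) if escapes_prefix(p)), None)
    server = fields["server"] or ""
    return {
        **fields,
        "decoded": rounds[-1],
        "encoding_depth": len(rounds) - 1,
        "escapes_at_round": escapes_at,
        "double_encoded": len(rounds) - 1 >= 2,  # the CVE-2021-42013 pattern
        "traversal": escapes_at is not None,
        "version_vulnerable": server.startswith(VULNERABLE_VERSIONS),
    }


if __name__ == "__main__":
    for sub in SAMPLE_SUBS:
        r = triage(sub)
        print(f"{r['server']:<22} depth={r['encoding_depth']} escapes_at={r['escapes_at_round']} "
              f"double={r['double_encoded']} -> {r['decoded']}")
```

Run it as a script to see the four notices summarised; in practice you would feed it the 'sub' column of notice.log. A path that only escapes after a second decoding round, or whose encoding depth is 2, points at the 2.4.50 bypass, while an escape at round 1 with depth 1 is the plain 2.4.49 case.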