This past Monday, October 4th, Apache disclosed a vulnerability introduced on Apache HTTP Server 2.4.49 known as CVE-2021-41773. At the same time, update 2.4.50 was released, fixing this vulnerability. The vulnerability allows an attacker to bypass Path traversal protections, using encoding, and read arbitrary files on the webserver’s file system. Both Linux and Windows servers running this version of Apache are affected.

This vulnerability was introduced on 2.4.49, on a patch that aimed to improve performance in the validation of the URL. The new validation method could be bypassed by encoding the ‘.’ character. If the Apache webserver configuration is not set to “Require all denied”, the exploitation is relatively trivial. By encoding these characters and modifying an URL with the payload, a classic path traversal is possible.

Due to the simple exploitation of this vulnerability there are already several public Proof of Concept scripts available on the internet. A simple demo can also be made using curl, as the attacker needs only to go back through enough directories to access the root of the server with a slight modification that disrupts the normalization of the URL.

It is also possible to perform Remote Code Execution if mod_cgi is enabled by using a URL prefixed by /cgi-bin/, which is a functionality not used in modern web technologies. However, many older web deployments still rely on it to function.

 

Exploitation in the wild and version popularity

It has been confirmed that this vulnerability has been exploited in the wild before the release of patch 2.4.50, making this vulnerability a 0day. Our research has detected that several users on dark web forums are already actively researching this vulnerability, trying to exploit it on public servers.

The first image shows an attacker describing how to exploit the vulnerability, along with advice on how to mitigate it. In the second image, a different attacker has successfully exploited the vulnerability to obtain a list of users on the machine and is requesting help leveraging it to gain a foothold on the machine:

1. Vulnerability advice by a user in an underground forum

 

2. Attacker requesting help in leveraging the vulnerability to gain a foothold

 

The vulnerable version was released on September 15th 2021, but luckily it had not yet been included in any major Linux distribution repositories (Ubuntu, for example, is still at 2.4.41). According to Shodan, 112,000 active deployments of the affected version are on the public internet, compared to the 1,719,000 total active Apache installations.

3. Shodan findings for Apache servers running vulnerable version versus other versions

 

Mitigation

The recommended mitigation, in this case, is to update as soon as possible to version 2.4.50, already available for download on the Apache website. Blueliv does not recommend trying to mitigate the vulnerability by using access control because even if set correctly, an attacker could still exploit the vulnerability to obtain the source code of any CGI script.

The post CVE-2021-41773 – Apache web server Path traversal appeared first on Blueliv.

*** This is a Security Bloggers Network syndicated blog from Blueliv authored by Roman Tauler. Read the original post at: https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/cve-2021-41773-apache-web-server-path-traversal/