In this blog post, Udit Bhadauria discusses the latest Apache HTTP Server vulnerability. The post covers the vulnerability details, minimum requirements, affected versions, vulnerability detection, chaining the vulnerability with Remote Code Execution, and recommendations. Let’s dive into each section:
Path Traversal is a very common security vulnerability that arises from improper normalization and improper validation of a pathname. Path Traversal is a low-complexity vulnerability that results in unauthenticated access to a restricted directory or file. The Path Traversal vulnerability is also known as:
In this type of attack, the attacker tries to traverse the file system by placing the “../” sequence in the input. A Path Traversal vulnerability can also be chained with other security vulnerabilities for greater impact, including but not limited to Local File Inclusion (LFI), and in certain scenarios this can also lead to Remote Code Execution (RCE).
Where a Web Application Firewall (WAF) is present, this type of attack usually needs some form of encoding to succeed. The most widely used and preferred encoding for this type of attack is URL encoding. However, different encoding schemes can be used depending on how the application handles user input and how the firewall is configured.
CVE-2021-41773 and CVE-2021-42013 were identified in Apache versions 2.4.49 and 2.4.50 respectively in October 2021. These Path Traversal vulnerabilities exist because of improper handling and misconfiguration within path normalization in Apache 2.4.49 and Apache 2.4.50.
The researcher discovered that Apache 2.4.49 was vulnerable to Path Traversal using the “/.%2e/” bypass, as a result of which the Apache Software Foundation fixed it and released the new version 2.4.50. However, the fix was incomplete and Apache 2.4.50 was also vulnerable to Path Traversal using the payload “/%%32%65%%32%65/”, which is simply a double URL encoding of the key characters used in the previous payload. This means the vulnerability can still be reproduced with this new bypass by supplying a double-URL-encoded payload. This misconfiguration results in access to internal system-critical files without authentication.
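As an added example that is not part of the original post, the following Python script shows from the defender's side why the two payloads differ: it percent-decodes request paths repeatedly (one round turns “.%2e” into “..”, the 2.4.50 bypass “%%32%65” needs two) and flags access-log lines whose decoded path contains a “..” segment. The log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic); 203.0.113.0/24 is a documentation range.
LOG_LINES = [
    '203.0.113.5 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.9 - - [06/Oct/2021:10:00:03 +0000] "GET /icons/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 403 199',
    '203.0.113.9 - - [06/Oct/2021:10:00:04 +0000] "GET /docs/a..b/report.html HTTP/1.1" 200 300',
]

LOG_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize(path, max_rounds=3):
    """Percent-decode until the path stops changing; return (decoded, rounds used).
    One round turns '.%2e' into '..'; the double-encoded '%%32%65' needs two rounds,
    which is why a single-pass decoder misses the CVE-2021-42013 form."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def traversal_hit(path):
    """Flag a path whose decoded form has a '..' segment; dots inside a segment
    (e.g. 'a..b') are legitimate and are not flagged."""
    decoded, rounds = normalize(path)
    if ".." in decoded.split("/"):
        return {"decoded": decoded, "rounds": rounds}
    return None

def scan_log(lines):
    """Return one finding per request line that decodes to a traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hit = traversal_hit(m.group("path"))
        if hit:
            hits.append({"client": m.group("client"), "status": int(m.group("status")),
                         "path": m.group("path"), **hit})
    return hits

if __name__ == "__main__":
    for h in scan_log(LOG_LINES):
        print(f'{h["client"]} status={h["status"]} rounds={h["rounds"]} -> {h["decoded"]}')
```

A 403 on a flagged line does not prove the request was blocked by the server rather than a WAF, so the status is reported alongside the decoded path rather than used to filter findings.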
The default Apache server settings are not protected by the “require all denied” configuration, which therefore results in unauthorized access to all system documents associated with the vulnerable server.
The most commonly used endpoints for testing the misconfigurations are:
If the response code for any of the above endpoints is 403, the target application may be vulnerable; keep in mind, however, that a 403 does not mean the application is certainly vulnerable, as a WAF can also produce a 403 response code.
On the other hand, if the response code for any of the above endpoints is 400 or 5XX, the application is most likely not vulnerable to this misconfiguration.
Another important thing to keep in mind while testing for this vulnerability is that it might exist even if the application does not have “/cgi-bin/” in its directory structure, as the vulnerability can be reproduced through other available aliases (e.g. /icons/).
The application must fulfil the following requirements for Path Traversal vulnerability:
Apache has long been one of the first choices that organizations consider for hosting their applications on the internet. According to Netcraft’s Web Server Survey, nearly 25% of developers prefer Apache for hosting their work on the internet. This enormous presence of Apache servers makes Apache one of the prime targets for security researchers and malicious actors.
As discussed in the earlier section, not all of these instances are vulnerable, since there are some minimum requirements. However, at present, the number of instances running Apache 2.4.49 is enormous, and they are therefore being scanned at a very large scale by security researchers and bug hunters.
According to Censys.io at the time of writing this blog post, there are more than 18,000 active instances of Apache 2.4.49 that are a possible target for CVE-2021-41773 and more than 9,000 active instances of Apache 2.4.50 that can be tested for CVE-2021-42013:
Performing a similar search using the shodan.io vulnerability search engine yields more than 69,000 potential targets for CVE-2021-41773 and 13,500 possible targets for CVE-2021-42013 at the time of writing this post:
Shodan – Apache 2.4.49
Shodan – Apache 2.4.50
There are several ways to detect and exploit this vulnerability, some of which are as follows:
An Nmap script can be found on GitHub that detects this vulnerability using the following Nmap command (port and target are placeholders):
$ nmap --script http-vuln-cve2021-41773 -p <port> <target>
A specially crafted curl command can also be used for checking whether a single target application is vulnerable to CVE-2021-41773 and CVE-2021-42013:
$ curl --silent --path-as-is --insecure "https://vulnerable.target/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd"
$ curl --silent --path-as-is --insecure "https://vulnerable.target/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd"
Nuclei vulnerability scanning templates are also available on GitHub (GitHub Nuclei Template – CVE-2021-41773 and GitHub Nuclei Template – CVE-2021-42013) for identifying and exploiting CVE-2021-41773 and CVE-2021-42013 respectively. The Nuclei templates can be used for scanning a single target as well as mass scanning potential targets:
OWASP Nettacker is also effective in identifying CVE-2021-41773 and CVE-2021-42013. It can scan targets from a list, entire subnets, domains along with their subdomains, and IP ranges by running the commands shown in the screenshot below:
Vulnerability Detection using “nettacker.py” Script
Misconfiguration of the “apache2.conf” file can also lead to Remote Code Execution. If the configuration file “/etc/apache2/apache2.conf” contains “Require all granted” instead of “Require all denied”, and CGI scripts are also enabled for these aliased paths, an attacker could exploit the Path Traversal vulnerability and achieve Remote Code Execution. The code snippets for vulnerable and safe configurations are mentioned below:
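As an added example (not the post's own snippets), the weak and the safe root-directory policies described above are held as constructed apache2.conf fragments, with a small audit function that reports the two conditions the text names: a filesystem root without “Require all denied”, and CGI enabled alongside it. The fragment contents, regexes and function names are assumptions for illustration; the safe fragment mirrors the Debian/Ubuntu default.

```python
import re

# Constructed apache2.conf fragments for illustration (not taken from any real host).
# Weak: the filesystem root is readable, so a traversal outside DocumentRoot succeeds.
VULNERABLE_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    Options +ExecCGI
    Require all granted
</Directory>
"""

# Safe: the distribution default denies the root; granting only the CGI directory is fine.
SAFE_CONF = VULNERABLE_CONF.replace("Require all granted\n</Directory>\nScriptAlias",
                                    "Require all denied\n</Directory>\nScriptAlias")

DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
REQ_RE = re.compile(r'^\s*Require\s+all\s+(granted|denied)\s*$', re.M | re.I)
CGI_RE = re.compile(r'^\s*ScriptAlias\s', re.M | re.I)

def root_directory_policy(conf):
    """Return 'granted', 'denied', or None when no <Directory /> block sets a policy."""
    for path, body in DIR_RE.findall(conf):
        if path.strip() == "/":
            m = REQ_RE.search(body)
            return m.group(1).lower() if m else None
    return None

def audit(conf):
    """Findings in the order of the chain described in the post: open root, then CGI."""
    findings = []
    if root_directory_policy(conf) != "denied":
        findings.append("<Directory /> does not carry 'Require all denied'")
        if CGI_RE.search(conf):
            findings.append("ScriptAlias present: CGI is enabled alongside the open root")
    return findings

if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE_CONF))
    print("safe:      ", audit(SAFE_CONF))
```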