Path Traversal or Remote Code Execution in Apache 2.4.49 and 2.4.50
This document aims at explaining some recent vulnerabilities in Apache HTTP Server that lead to attacks like Path Traversal and Remote Code Execution. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49,2.4.50.
- A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49.
- An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed. It turns out that, if CGI scripts are also enabled for these aliased paths, this could lead to RCE attacks.
Apache 2.4.49 is vulnerable to Path Traversal or Remote Code Execution vulnerability due to improper user input validation and URL normalization. Remote Code Execution can be achieved if the “cgi-bin” directory is enabled with execution permission.
The patch was released to remediate Path Traversal or Remote Code Execution vulnerability but it was not properly implemented and an attacker can craft payload with an extra encoding of dot(.) which makes Apache 2.4.50 vulnerable
When an application does not have permission to travel the system level directories or files and if an attacker is able to navigate to any sensitive files like “/etc/passwd” by using “dot-dot-slash”
Remote Code Execution
When an application uses programming functions like “shell_exec()” in PHP (different functions in other languages) to perform system-level tasks and an attacker is able to execute different commands rather than application-specific.
This attack is also known as OS Command Execution
To build CVE-2021–42013 vulnerable lab:
I have tried to build with docker:
docker run –rm –name=cve-2021–42013 -d scarfaced/vuln:cve-2021–42013
These commands used to find the IP of the vulnerable lab:
docker exec -it cve-2021–42013 cat /etc/hosts | tail -n1
Create a new file named cve-2021–42013.sh on the attacker machine with the following
Set the cve-2021–42013.sh file as executable and run it by executing the following
To test for and confirm path traversal, a valid directory needs to be discovered which in this case is configured as /icons. So, I have used the command to trigger path traversal vulnerability and print the contents of /etc/passwd:
./cve-2021–42013.sh 172.17.0.2/icons /etc/passwd
To test for and confirm remote code execution, CGI should be configured and enabled which in this case is true. So, I have used this command.
./cve-2021–42013.sh 172.17.0.2 /bin/sh id
Remote code execution is critical to get access to an
interactive shell. So, executing the following command would trigger a conventional reverse shell over tcp based on bash to attacker’s system on port 80/tcp:
To defend against possible attacks due to these vulnerabilities, Apache HTTP Server needs to be updated to the most stable version 2.4.51.
Path traversal vulnerability leads to remote code execution if “cgi-bin” is enabled in the Apache server. This type of vulnerability can cause a serious impact on business. As per censys and shodan, thousands of servers are vulnerable to this attack.