operator
ChainsTTPsBlogLogin
menu
Prelude chain browser

Is Apache vulnerable to CVE-2021-41773?

Sends two cURL requests to the local Apache HTTP service. The first request contains a URL-encoded path which attempts to exploit CVE-2021-41773 path traversal. The next request sends a command attached to the request to exploit CVE-2021-41773 remote code execution.

2022-07-12

/static/assets/linux-logo.svg
Professional
This is a professional attack chain. A professional subscription automatically gives you access to this chain + 50 more, with direct integration inside of Operator.info
Authors:bartimus

Is Apache vulnerable to CVE-2021-41773

Apache HTTP path traversal and remote code execution

This week, we are releasing 2 TTPs that target CVE-2021-41773:

  • Is Apache HTTP vulnerable to path traversal?
  • Is Apache HTTP vulnerable to remote code execution?

CVE-2021-41773

Is Apache HTTP vulnerable to path traversal?

CVE-2021-41773 was identified in October of 2021 after a change to the Apache HTTP (also known as httpd or apache2 depending on your operating system) codebase in release 2.4.49. This release changed the way httpd dealt with path normalization, which allowed encoded characters to bypass URL validation. This allowed read access to files that were not protected by httpd’s “require all denied” directive.

Is Apache HTTP vulnerable to remote code execution?

Included in the CVE discovery was that if httpd’s module ‘mod_cgi’ was loaded, the encoded character bypass could result in remote code execution. This was achieved by attaching a command to the request while passing the URL-encoded path to a shell binary (/bin/sh).

Testing

To test if you are vulnerable, this chain should be executed on the host that is running httpd or apache2. The first TTP will send a crafted cURL request that triggers the path traversal, while the other TTP will send a cURL request that triggers the remote code execution. The responses of these requests are verified to match the same file path or command output on the local box.

Remediation

If your system is vulnerable, the following information can help mitigate or remediate the findings:

  • Upgrade Apache to a version above 2.4.50 (2.4.50 attempted to fix this issue but failed to fully fix some edge cases as mentioned in CVE-2021-42013)
  • Ensure Apache configuration has the “require all denied” directive Additional remediation information can be found on Apache’s official website.

Check it out on the Prelude chains website.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator

TTPs

Is Apache HTTP vulnerable to path traversal?
Is Apache HTTP vulnerable to remote code execution?

Tactics

Other chains in this theme
Is my host protected against CVE-2019-14287?

2023-02-21

/static/assets/terminal-logo.svg
A TTP that exploits CVE-2019-14287 on Linux and MacOS machines
Is CVE-2022-36804 patched on Atlassian Bitbucket Server?

2022-11-22

/static/assets/terminal-logo.svg
A TTP that exploits CVE-2022-36804 in Atlassian Bitbucket Server.
Is CVE-2022-35914 patched on this host?

2022-10-18

/static/assets/linux-logo.svg
A TTP that exploits CVE-2022-35914 in GLPI HTMLAWED
Is Atlassian Bitbucket Server or Data Center patched against CVE-2022-36804?

2022-10-10

/static/assets/linux-logo.svg
Atlassian Bitbucker Server and Data Center code injection vulnerability
Is Spring Cloud Gateway patched against CVE-2022-22947?

2022-08-09

/static/assets/linux-logo.svg
Sends a crafted curl request to execute code via Spring Cloud Gateway.
Is CVE-2021-26084 patched on Confluence?

2022-08-02

/static/assets/linux-logo.svg
A TTP that exploits CVE-2021-26084 in Confluence Server
Is CVE-2022-22965 patched on Spring Framework?

2022-07-26

/static/assets/linux-logo.svg
A TTP that exploits CVE-2022-22965 in Spring Framework
Is CVE-2022-26134 patched on Confluence?

2022-07-19

/static/assets/linux-logo.svg
A TTP that exploits CVE-2022-26134 in Confluence Server
Is your machine vulnerable to ShellShock?

2022-07-05

/static/assets/linux-logo.svg
A TTP that exploits ShellShock vulnerability in Bash
About PreludePrelude hardens an organization's defenses by continuously “asking” it questions through the form of safe cyberattacks. These attacks respond immediately to the latest vulnerabilities and cyber events, turning complex technical descriptions into deployable “questions”.Our mission is to increase the reach, frequency and usage of advanced security for all organizations.
twitterFollow @preludeorg on Twitter for new chains and more.
discordJoin the Prelude Discord to discuss chains and more.
githubKeep up to date with code changes and community activity on Github
operator
preludesecurity.comCareersTactics & TechniquesAttack themes
Privacy Policysupport@preludesecurity.com© 2023 Prelude Research, Inc.All rights reserved. Prelude, its logo and other trademarks are trademarks of Prelude Research, Inc. and may not be used without permission.