Is Apache vulnerable to CVE-2021-41773?

Sends two cURL requests to the local Apache HTTP service. The first request contains a URL-encoded path that attempts to exploit the CVE-2021-41773 path traversal. The second request attaches a command to the request to exploit the CVE-2021-41773 remote code execution.

Apache HTTP path traversal and remote code execution

This week, we are releasing two TTPs that target CVE-2021-41773:

  • Is Apache HTTP vulnerable to path traversal?
  • Is Apache HTTP vulnerable to remote code execution?

CVE-2021-41773

Is Apache HTTP vulnerable to path traversal?

CVE-2021-41773 was identified in October 2021 after a change to the Apache HTTP codebase (also known as httpd or apache2, depending on your operating system) in release 2.4.49. This release changed the way httpd handled path normalization, which allowed encoded characters to bypass URL validation. As a result, files that were not protected by httpd’s “require all denied” directive could be read.

Is Apache HTTP vulnerable to remote code execution?

The CVE disclosure also noted that, if httpd’s ‘mod_cgi’ module was loaded, the encoded-character bypass could be escalated to remote code execution. This was achieved by attaching a command to the request while passing the URL-encoded path to a shell binary (/bin/sh).

Testing

To test whether you are vulnerable, this chain should be executed on the host that is running httpd or apache2. The first TTP sends a crafted cURL request that triggers the path traversal, while the second TTP sends a cURL request that triggers the remote code execution. The responses to these requests are then verified to match the file at the same path, or the command output, on the local box.
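The chain above tells you whether the host is exploitable; the complementary question is whether anyone has already tried. The following is an added example (not code from the original page or from Prelude) that scans Apache access-log lines for the encoded-character traversal the text describes. It flags a request when the target path contains a percent-encoded '.', '/' or '\', or when a '..' segment appears after one or two rounds of percent-decoding (the second round covers the incomplete 2.4.50 fix tracked as CVE-2021-42013). The log lines, client addresses and file paths are constructed for the example; the CGI heuristic assumes the default /cgi-bin/ alias.

```python
import re
from urllib.parse import unquote

# Access-log line in Apache's "common" format (the leading fields of the
# "combined" format parse identically).
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Raw percent-encodings of the characters that matter for path-normalisation
# bypasses: '.', '/' and '\'.
ENCODED_PATH_CHARS = re.compile(r'%(?:2e|2f|5c)', re.IGNORECASE)


def traversal_findings(target):
    """Classify one request target.

    dotdot_depth  - 0 if a literal '..' segment is present, 1 if it appears
                    only after one percent-decode, 2 after two, None if never.
    encoded_chars - True if the raw target percent-encodes '.', '/' or '\\'.
    cgi           - True if the request goes through /cgi-bin/ (assumed default
                    alias), the case where mod_cgi turns the bug into RCE.
    """
    path = target.split('?', 1)[0]        # the query string never reaches the filesystem path
    stages = [path]
    for _ in range(2):                    # single and double decoding
        stages.append(unquote(stages[-1]))
    depth = None
    for i, form in enumerate(stages):
        if '..' in form.split('/'):       # exact segment match, so 'a..b' is not flagged
            depth = i
            break
    return {
        'dotdot_depth': depth,
        'encoded_chars': bool(ENCODED_PATH_CHARS.search(path)),
        'cgi': path.lower().startswith('/cgi-bin/'),
    }


def scan_access_log(text):
    """Return (line_no, client, status, target, findings) for each suspicious line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        f = traversal_findings(m['target'])
        if f['dotdot_depth'] is not None or f['encoded_chars']:
            hits.append((n, m['client'], int(m['status']), m['target'], f))
    return hits


# Constructed sample log: documentation-range addresses, made-up paths.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.9 - - [06/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/protected/file.txt HTTP/1.1" 200 512
203.0.113.9 - - [06/Oct/2021:10:00:03 +0000] "GET /images/%2e%2e/logo.png HTTP/1.1" 403 199
203.0.113.5 - - [06/Oct/2021:10:00:04 +0000] "GET /static/app.js?v=2.4.49 HTTP/1.1" 200 8812
203.0.113.5 - - [06/Oct/2021:10:00:05 +0000] "GET /docs/a..b/readme HTTP/1.1" 404 196
203.0.113.9 - - [06/Oct/2021:10:00:06 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/protected/file.txt HTTP/1.1" 200 512
"""

if __name__ == '__main__':
    for n, client, status, target, f in scan_access_log(SAMPLE_LOG):
        # A 200 through cgi-bin is the combination the text ties to code execution.
        severity = 'HIGH' if f['cgi'] and status == 200 else 'MEDIUM'
        print(f"line {n} {severity} {client} {status} {target} {f}")
```

Lines 2, 3 and 6 of the sample are flagged; line 4 (dots only in the query string) and line 5 (`a..b` is not a `..` segment) are not, which is the false-positive behaviour you want before pointing this at a busy server. Because the check runs on the decoded segments rather than on one fixed byte pattern, any mixture of literal and encoded dots is caught.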

Remediation

If your system is vulnerable, the following information can help mitigate or remediate the findings:

  • Upgrade Apache to a version above 2.4.50 (2.4.50 attempted to fix this issue but, as CVE-2021-42013 records, left some edge cases unfixed)
  • Ensure the Apache configuration has the “require all denied” directive

Additional remediation information can be found on Apache’s official website.
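Both remediation items can be checked from the host without sending a request. The following is an added example (not code from the original page or from Prelude) that reads the version banner printed by `httpd -v` / `apache2 -v`, treats 2.4.49 and 2.4.50 as affected per the bullets above, and parses an httpd.conf fragment to confirm that the root `<Directory />` block carries `Require all denied`. The banner and both configuration fragments are constructed; the parser is deliberately minimal and does not follow `Include` lines or `<IfModule>` nesting.

```python
import re

# Per the remediation notes: 2.4.49 introduced the bug, 2.4.50 shipped an
# incomplete fix (CVE-2021-42013), anything above 2.4.50 is remediated.
FIRST_AFFECTED = (2, 4, 49)
FIRST_FIXED = (2, 4, 51)

VERSION_RE = re.compile(r'Apache/(\d+)\.(\d+)\.(\d+)')


def parse_httpd_version(banner):
    """Extract (major, minor, patch) from 'httpd -v' / 'apache2 -v' output."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError('no Apache version string found in banner')
    return tuple(int(x) for x in m.groups())


def version_is_affected(version):
    """True for 2.4.49 and 2.4.50 only; older releases predate the change."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def directory_blocks(conf_text):
    """Return [(path, [directives])] for each <Directory ...> block.

    Minimal parser: ignores Include, <IfModule> nesting and continuation lines.
    """
    blocks = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.IGNORECASE)
        if m:
            current = (m.group(1).strip(), [])
            continue
        if line.lower() == '</directory>':
            if current is not None:
                blocks.append(current)
            current = None
            continue
        if current is not None:
            current[1].append(line)
    return blocks


def root_denies_all(conf_text):
    """True if the <Directory /> block contains 'Require all denied'."""
    for path, directives in directory_blocks(conf_text):
        if path == '/':
            return any(re.fullmatch(r'require\s+all\s+denied', d, re.IGNORECASE)
                       for d in directives)
    return False      # no root block at all: nothing denies by default


def assess(banner, conf_text):
    """Combine both checks into one report for the host."""
    version = parse_httpd_version(banner)
    return {
        'version': '.'.join(map(str, version)),
        'version_affected': version_is_affected(version),
        'root_denied': root_denies_all(conf_text),
    }


# Constructed banner, matching the layout of 'httpd -v' output.
SAMPLE_BANNER = "Server version: Apache/2.4.49 (Unix)\nServer built:   Oct  1 2021 00:00:00"

# Constructed configuration fragments: the weak form grants everything at /,
# the hardened form denies at / and re-grants only the document root.
WEAK_CONF = """\
<Directory />
    AllowOverride none
    Require all granted
</Directory>
"""

HARDENED_CONF = """\
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
"""

if __name__ == '__main__':
    print('weak:    ', assess(SAMPLE_BANNER, WEAK_CONF))
    print('hardened:', assess(SAMPLE_BANNER, HARDENED_CONF))
```

Note that the two checks are independent: the hardened configuration still reports `version_affected: True` for the constructed 2.4.49 banner, which is the point of the first bullet. The directive only limits what a successful traversal can reach; the upgrade removes the traversal.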

Check it out on the Prelude chains website.


Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VV_X_7
Sam: wasupwithuman

Source: https://feed.prelude.org