This week, we are releasing 2 TTPs that target CVE-2021-41773:
CVE-2021-41773 was identified in October 2021 after a change to the Apache HTTP Server codebase (packaged as httpd or apache2, depending on your operating system) in release 2.4.49. This release changed the way httpd performed path normalization, which allowed URL-encoded characters to bypass the URL validation and gave read access to files that were not protected by httpd's "require all denied" directive.
The CVE disclosure also noted that if httpd's mod_cgi module was loaded, the same encoded-character bypass could result in remote code execution. This was achieved by attaching a command to the request while the URL-encoded path pointed at a shell binary (/bin/sh).
To test whether you are vulnerable, this chain should be executed on the host that is running httpd or apache2. The first TTP sends a crafted cURL request that triggers the path traversal, and the second sends a cURL request that triggers the remote code execution. The response to each request is compared against the contents of the same file, or the output of the same command, on the local box; a match confirms the finding.
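As an added detection example (not Prelude's code and not part of either TTP), the script below scans Apache access-log lines for the request shape described above: a directory traversal that only appears once the path is percent-decoded, optionally under /cgi-bin/. The log lines, client IPs and file paths are constructed for the example, and the decoder loops to a fixed point so it also catches nested encodings, which goes beyond the single-encoding case the post describes.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (combined format); hosts, paths and IPs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Oct/2021:12:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/srv/private/config.txt HTTP/1.1" 200 2390 "-" "curl/7.79.1"
10.0.0.9 - - [06/Oct/2021:12:00:03 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 57 "-" "curl/7.79.1"
10.0.0.7 - - [06/Oct/2021:12:00:04 +0000] "GET /icons/../../../../srv/private/config.txt HTTP/1.1" 400 226 "-" "curl/7.79.1"
10.0.0.8 - - [06/Oct/2021:12:00:05 +0000] "GET /docs/a%20b.html HTTP/1.1" 200 400 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def decode_fully(text, max_rounds=3):
    # Percent-decode until the string stops changing, so nested encodings cannot hide "..".
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_target(target):
    """Return None, 'plain_traversal' or 'encoded_traversal' for a request-target."""
    path = target.split("?", 1)[0]
    if ".." in path.split("/"):
        return "plain_traversal"        # httpd's normalizer rejects these on its own
    if ".." in decode_fully(path).split("/"):
        return "encoded_traversal"      # visible only after decoding: the 2.4.49 bypass shape
    return None


def scan_log(text):
    """Return (ip, method, decoded path, status, kind, via_cgi) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        kind = classify_target(m["target"]) if m else None
        if kind is None:
            continue
        decoded = decode_fully(m["target"].split("?", 1)[0])
        # A 200 on an encoded traversal means the server served it; a /cgi-bin/ prefix on
        # such a request is the shape the mod_cgi remote-code-execution variant takes.
        via_cgi = decoded.startswith("/cgi-bin/")
        hits.append((m["ip"], m["method"], decoded, int(m["status"]), kind, via_cgi))
    return hits
```

Run it against the real access log of the host you are testing to see whether the chain's requests (or anyone else's) were served with a 200.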
If your system is vulnerable, the following information can help mitigate or remediate the findings:
Check it out on the Prelude chains website.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg