POC details: 73d2319b3164b789cf670a141558b04f74ea76e9

Source
Related vulnerability
Title: Apache HTTP Server path traversal vulnerability (CVE-2021-41773)
Description: Apache HTTP Server is an open-source web server from the Apache Software Foundation (US). It is fast, reliable and extensible through a simple API. Apache HTTP Server 2.4.49 contains a path traversal vulnerability that an attacker can use to map URLs to files outside the expected document root.
Description
A Zeek package which raises notices for Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013)
Introduction
# CVE-2021-41773

A Zeek package which raises notices for Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013)  

References  
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773  
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013  
https://blog.sonatype.com/apache-servers-actively-exploited-in-wild-importance-of-prompt-patching  
https://corelight.com/blog/tag/corelight-labs  



## Installation  
`zkg install https://github.com/corelight/CVE-2021-41773/`  

To run it against a pcap you already have:  
`zeek -Cr scripts/__load__.zeek your.pcap`   


## Options and notes:

- This package runs in both clustered and non-clustered environments.

- To assist with IR triage of `PATH_TRAVERSAL_IS_VULNERABLE` notices, the `sub` field includes the following data:  
	- For POST requests, the first `http_body_analysis_byte_depth` bytes of the body. Set this to a high number to collect the whole payload; the default of 1000 should be enough to capture the data required for triage. To change the amount of data included, adjust: `global http_body_analysis_byte_depth: count = 1000;`   
	- The HTTP `Server` header value, to confirm the server version.  
	- The original URI, with all encodings present (prior to any decoding). Note that by default Zeek populates http.log with the DECODED version of the URI, not the version that was originally sent.  
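
The following is an added example, not code from the Corelight package: a Python check that iteratively percent-decodes a request URI and walks its segments to see whether a `..` escapes the document root. It shows why the undecoded URI is worth keeping in the notice: after decoding, the single-encoded (CVE-2021-41773) and double-encoded `%%32%65` (CVE-2021-42013) forms from the Example Notice below look identical, and a naive `..` substring match would also flag benign names such as `a..b`. The traversal URIs are taken from that notice; the benign paths and the decode-until-stable approach are this example's own, not necessarily the package's logic.

```python
"""Added example (not the Corelight package's code): decode a URI repeatedly
and detect path segments that escape the document root."""
from typing import Dict, Tuple
from urllib.parse import unquote

# Constructed sample set: the first two are original_URI values from the
# notice.log sample on this page; the last two are benign requests.
SAMPLE_URIS = [
    "/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/%2e%2e/bin/sh",
    "/cgi-bin/.%%32%65/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh",
    "/icons/apache_pb.gif",
    "/docs/a..b/index.html",
]


def decode_fully(uri: str, max_rounds: int = 3) -> Tuple[str, int]:
    """Percent-decode until the string stops changing (bounded).
    Returns (decoded, rounds); rounds > 1 means the URI was multi-encoded."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
        rounds += 1
    return uri, rounds


def escapes_docroot(decoded_path: str) -> bool:
    """Walk the segments; a '..' that pops above the root is traversal.
    '.', empty segments and names merely containing dots are ignored."""
    depth = 0
    for seg in decoded_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def classify(uri: str) -> Dict[str, object]:
    """Summarise one request URI the way a triage note would."""
    decoded, rounds = decode_fully(uri)
    return {"original_URI": uri, "decoded": decoded, "decode_rounds": rounds,
            "traversal": escapes_docroot(decoded), "double_encoded": rounds > 1}


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(classify(u))
```

Because `decode_rounds` is only recoverable from the original URI, a detection built on Zeek's already-decoded `http.log` URI cannot tell the two CVE variants apart.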


## Example Notice

```
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open XXXX-XX-XX-XX-XX-XX
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	string	string	string	double	double

XXXXXXXXXX.XXXXXX	CT7T802QofJINCquNg	127.0.0.1	44740	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	Cj7NfN13Javpjxe831	127.0.0.1	44744	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	CIhB6g4tQcEI34f1Z7	127.0.0.1	44748	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%%32%65/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	CMmr2q3Fe2wlSS2iUh	127.0.0.1	44752	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%%32%65/.%2e/%2e%2e/.%2e/%2e%2e/%2e%2e/.%%32%65/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-
#close XXXX-XX-XX-XX-XX-XX

```
File snapshot

```
[4.0K] /data/pocs/73d2319b3164b789cf670a141558b04f74ea76e9
├── [1.5K] LICENSE
├── [4.5K] README.md
├── [4.0K] scripts
│   ├── [ 650] config.zeek
│   ├── [2.1K] CVE_2021_41773.zeek
│   ├── [1.1K] http_body_analysis.zeek
│   └── [ 80] __load__.zeek
├── [4.0K] testing
│   ├── [4.0K] Baseline
│   │   └── [4.0K] CVE-2021-41773.detect
│   │       └── [2.1K] notice.log
│   ├── [ 561] btest.cfg
│   ├── [4.0K] CVE-2021-41773
│   │   └── [ 233] detect.zeek
│   ├── [ 454] go_perf.sh
│   ├── [ 15] Makefile
│   ├── [ 193] random.seed
│   ├── [4.0K] Scripts
│   │   ├── [ 383] diff-remove-timestamps
│   │   └── [1.3K] get-zeek-env
│   └── [4.0K] Traces
│       └── [6.0K] apache_exploit_success.pcap
└── [ 414] zkg.meta

7 directories, 16 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the original source first.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.