CVE-2021-41773 PoC — Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

Source

https://github.com/corelight/CVE-2021-41773

Associated Vulnerability

Title:Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
Description:A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Description

A Zeek package which raises notices for Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013)

Readme

# CVE-2021-41773

A Zeek package which raises notices for Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013)  

References  
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773  
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013  
https://blog.sonatype.com/apache-servers-actively-exploited-in-wild-importance-of-prompt-patching  
https://corelight.com/blog/tag/corelight-labs  



## Installation  
`zkg install https://github.com/corelight/CVE-2021-41773/`  

Use against a pcap you already have  
`zeek -Cr scripts/__load__.zeek your.pcap`   


## Options and notes:

- This package will run in clustered or non clustered environments.

- To assist with IR triage of PATH_TRAVERSAL_IS_VULNERABLE notices, the 'sub' field will include the following data:  
	- The first 'http_body_analysis_byte_depth' in the notice for POST requests. Set this to a high number to collect all of the payload - the default of 1000 should be high enough to capture data required for triage. To change the amount of data included: `global http_body_analysis_byte_depth: count = 1000;`   
	- HTTP SERVER header value, for confirmation of Server version.  
	- The original URI, with all encodings present (prior to any decoding). Note by default, Zeek populates http.log with the DECODED version of the URI, not the originally sent version.  


## Example Notice

```
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open XXXX-XX-XX-XX-XX-XX
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	string	string	string	double	double

XXXXXXXXXX.XXXXXX	CT7T802QofJINCquNg	127.0.0.1	44740	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	Cj7NfN13Javpjxe831	127.0.0.1	44744	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	CIhB6g4tQcEI34f1Z7	127.0.0.1	44748	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%%32%65/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	CMmr2q3Fe2wlSS2iUh	127.0.0.1	44752	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%%32%65/.%2e/%2e%2e/.%2e/%2e%2e/%2e%2e/.%%32%65/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-
#close XXXX-XX-XX-XX-XX-XX

```

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!