Contents
Introduction to Apache Web Server
CVE 2021-41773 Vulnerability Background
Identification of CVE 2021-41773 Vulnerability
The exploitation of CVE 2021-41773
Remediations for CVE 2021-41773
Conclusion
References
Introduction to Apache Web Server:
Apache is one of the most popular open-source web servers available in the market for both Windows and Linux operating systems. It is one of the reliable and flexible web servers available for various purposes ranging from simple web hosting to some complex web application hosting and management. Apache supports server-side languages like PHP, Perl, Python etc., Also it is possible to run java based web applications using Apache tomcat server which is mainly used to run java applications.
.png)
The above image shows the default install location of the Apache server’s configuration and modules.
CVE 2021-41773 Vulnerability Background:
On October 5 2021, the Apache HTTP server Project patched a critical path traversal zero-day vulnerability with CVE ID 2021-41773. The vulnerability was disclosed to the Apache HTTP Server Project on September 29 by Ash Daulton and the cPanel Security Team.
This vulnerability is introduced to the apache server version 2.4.49 with “require all denied” access control configuration disabled. The exploitation is possible only if files outside of the document root are not protected by the “require all denied” directive in the Apache configuration file. Therefore, any default install of apache 2.4.49 servers are vulnerable to this attack.
Successful exploitation would give a remote attacker access to arbitrary files outside of the document root on the vulnerable web server. According to the advisory, this flaw could also leak “the source of interpreted files like CGI scripts” which may contain sensitive information attackers can exploit for further attacks.
Using search engines like Shodan, we were able to find thousands of servers using the apache web server 2.4.49 version as shown below.
.png)
Identification of CVE 2021-41773 Vulnerability:
For demonstration purposes, we have set up a vulnerable version of the Apache webserver in our local machine as shown below.
.png)
We have used the Nmap port scanner with a version detection switch to identify the apache server’s version. The scan output confirms that the remote server is using a vulnerable version of the apache server.
.png)
Tenable Nessus has released a set of plugins to identify the vulnerability in apache servers deployed by organizations. Besides scanning the server, it is possible to manually identify the vulnerability by using the curl command to execute a path traversal attack on the server.
As shown below we have sent the curl command with –path-as-is switch to make sure the curl utility sends the exact path of the URL without removing the dot segments. This will ensure our payload executes on the server-side and gets the desired result.
The exploitation of CVE 2021- 41773 Vulnerability:
In the above step, we have confirmed that the apache server is vulnerable and it is possible to access server files like /etc/passwd outside of web directory using path traversal vulnerability. Now we will see how we can escalate this into remote code execution vulnerability.
Since the vulnerability relies on path traversal attacks, an attacker can access the shell command (/bin/sh) using a path traversal attack and execute arbitrary system commands on the remote server.
In Below Image, we have to use the Curl utility to execute shell commands in the remote server via POST request containing the actual shell command.
.png)
Code execution can also be done from the burp suite tool using the same payload with different shell commands as shown below.
.png)
Remediations to Protect against CVE 2201-41773:
• Upgrade the Apache Installation to the secure 2.4.51 version
• It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
• Enable the “Require all Denied” directive in the Apache configuration file to restrict access to files outside the document root.
• Implement standard Vulnerability Patch Management in the organization.
• Configure Web Application firewall to restirct path traversal characters (../ /.., /../)
• Conduct Regular Application Security assessments on deployed web servers and applications to identify and mitigate the latest vulnerabilities.
Conclusion:
Apache is one of the widely used Web servers for websites and applications around the globe. Vulnerabilities like CVE 2021 41773 Path traversal and RCE can pose a greater threat to any organization that relies on this Web Server for their business. Hence, it is necessary to apply continuous application security procedures based on application security standards like OWASP Top 10, SANS, ISO 27001 for the websites and applications used by organizations.