RE: CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

oss-sec mailing list archives
From: "Tim Wadhwa-Brown (twadhwab)" <twadhwab () cisco com>

Date: Thu, 7 Oct 2021 06:01:43 +0000

Hi oss-security folks,

Closing the loop on this one. Will Dormann, Hacker Fantastic and I successfully managed to turn this into RCE on both Windows and Linux. With mod_cgi (and maybe other similar extensions) enabled, Will showed he could get calc to pop on Windows, and HF and I subsequently figured out how to trigger the bug on Linux to reach /bin/sh and POST a shell payload. Whilst the configuration may not be default, it's probably worth doubling down on any efforts to get the patch rolled out if you're affected. There's a whole series of Twitter that I shan't bore you with, but https://twitter.com/hackerfantastic/status/1445523890759819264?s=20 should be a good starting point if you want to read back.

Tim

PS: Apologies for any email mangling, first time posting here in quite some time and sadly the corporate mail client is no longer KMail ☹. Not sure if it will become a regular habit again.

Tim Wadhwa-Brown
Security Research Lead, CX Technology & Transformation Group
twadhwab () cisco com
Tel: +44 208 824 0239
Mail Stop UXB10/3
82 Oxford Road,
Uxbridge,
UB8 1UX,
United Kingdom
cisco.com | labs.portcullis.co.uk

-----Original Message-----
From: Stefan Eissing <icing () apache org>
Sent: 05 October 2021 10:03
To: oss-security () lists openwall com
Subject: [oss-security] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 

Severity: important

Description:

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.

If files outside of the document root are not protected by "require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.

This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.

Credit:

This issue was reported by Ash Daulton along with the cPanel Security Team.

References:

https://httpd.apache.org/security/vulnerabilities_24.html

Attachment: PGP.sig
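An added example, not code from either message nor from the Apache project: a small access-log check for the condition the advisory describes. It percent-decodes each request target first and only then resolves the dot segments, flagging any request whose path would climb above the document root; a flagged request that was served with 200 indicates the filesystem outside the root was not covered by "require all denied". The common-log layout and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Common-log prefix: client, identity, user, time, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log, not real traffic; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2021:10:03:11 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.7 - - [05/Oct/2021:10:03:12 +0000] "GET /docs/v2..3/notes.html HTTP/1.1" 200 512
203.0.113.9 - - [05/Oct/2021:10:03:13 +0000] "GET /icons/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2021
203.0.113.9 - - [05/Oct/2021:10:03:14 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 403 199
"""


def decode_target(target):
    """Drop the query string, then percent-decode until the path stops changing."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # bounded so a pathological target cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_docroot(target):
    """True when '..' segments in the decoded path climb above the document root."""
    depth = 0
    for segment in decode_target(target).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1  # a normal segment such as 'v2..3' is not a dot segment
    return False


def find_traversal(log_text):
    """Return (client, target, status) for each request whose path escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_docroot(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits
```

Run `find_traversal(SAMPLE_LOG)` to see the two flagged requests; the decoding step is what the 2.4.49 normalization missed, so a detector that checks only the raw target would miss them too.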
