/CVE-2021-41773

A Zeek package which raises notices for Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013)

Primary LanguageZeekBSD 3-Clause "New" or "Revised" LicenseBSD-3-Clause

CVE-2021-41773

A Zeek package which raises notices for Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013)

References
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013
https://blog.sonatype.com/apache-servers-actively-exploited-in-wild-importance-of-prompt-patching
https://corelight.com/blog/tag/corelight-labs

Installation

zkg install https://github.com/corelight/CVE-2021-41773/

Use against a pcap you already have
zeek -Cr scripts/__load__.zeek your.pcap

Options and notes:

  • This package will run in clustered or non clustered environments.

  • To assist with IR triage of PATH_TRAVERSAL_IS_VULNERABLE notices, the 'sub' field will include the following data:

    • The first 'http_body_analysis_byte_depth' in the notice for POST requests. Set this to a high number to collect all of the payload - the default of 1000 should be high enough to capture data required for triage. To change the amount of data included: global http_body_analysis_byte_depth: count = 1000;
    • HTTP SERVER header value, for confirmation of Server version.
    • The original URI, with all encodings present (prior to any decoding). Note by default, Zeek populates http.log with the DECODED version of the URI, not the originally sent version.

Example Notice

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open XXXX-XX-XX-XX-XX-XX
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	string	string	string	double	double

XXXXXXXXXX.XXXXXX	CT7T802QofJINCquNg	127.0.0.1	44740	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	Cj7NfN13Javpjxe831	127.0.0.1	44744	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	CIhB6g4tQcEI34f1Z7	127.0.0.1	44748	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%%32%65/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-

XXXXXXXXXX.XXXXXX	CMmr2q3Fe2wlSS2iUh	127.0.0.1	44752	127.0.0.1	8000	-	-	-	tcp	CVE_2021_41773::PATH_TRAVERSAL_IS_VULNERABLE	Possible Apache 2.4.49 or 2.4.50 path traversal exploit CVE-2021-41773. Refer to https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773. Refer to sub field for sample of payload, original_URI and list of server headers	payload sample (first 1000 bytes of POST)='echo Content-Type: text/plain; echo; id', original_URI='/cgi-bin/.%%32%65/.%2e/%2e%2e/.%2e/%2e%2e/%2e%2e/.%%32%65/bin/sh', Server header value='Apache/2.4.49 (Unix)'	127.0.0.1	127.0.0.1	8000	-	-	Notice::ACTION_LOG	360XXXXXXXXXX.XXXXXX	-	-	-	-	-
#close XXXX-XX-XX-XX-XX-XX