Fresh Apache Vulnerability May Lead to Remote Code Execution

Fresh vulnerability in Apache
Written by Emma Davis

Earlier this week, the Apache Software Foundation released a patch to address the fresh 0-day vulnerability CVE-2021-41773 in its HTTP web server. Already at the time of the release of the patches, the bug was actively exploited by hackers, and it was reported that the vulnerability allows attackers to carry out a path traversal attack by matching URLs to files outside the expected document root. As a result, such an attack could lead to leakage of CGI scripts and more.

The vulnerability affects only Apache web servers running version 2.4.49. Also, the vulnerable server must have the “require all denied” option disabled, but unfortunately this is the default configuration.

Traversal attacks involve sending requests to access internal or confidential server directories that must be out of reach. Usually these requests are blocked, but in this case the filters are bypassed by using encoded characters (ASCII) for the URLs.the journalists of Bleeping Computer write.

As we previously reported, a number of researchers were able to reproduce the vulnerability and quickly posted several experimental exploits on Twitter and GitHub. But now the publication Bleeping Computer writes that, during the development of exploits, experts discovered one important nuance: the vulnerability can be used not only for reading arbitrary files, but also for executing arbitrary code.

The bug occurs because of the way Apache performs the conversion of various URL path schemes (a process called URI normalization).

This was first noticed by cybersecurity researcher Hacker Fantastic, who reported that the problem turns into RCE in Linux systems if the server is configured to support CGI via mod_cgi. If an attacker can download a file using the path traversal exploit and set permissions to execute the file, he will be able to execute commands with the same privileges as the Apache process.

Other experts, including CERT analyst Will Dormann and cybersecurity researcher Tim Brown, report that code execution is possible on Windows machines. Now experts believe that CVE-2021-41773 may have initially been classified incorrectly and, in fact, the problem is more serious than the developers thought.

I didn’t do anything smart, I just played a publicly available PoC exploit on Windows and found calc.exe running, Dormann told reporters. – Of course, Apache must be the vulnerable version 2.4.49, mod-cgi must be enabled, and Require all denied must also be disabled. But if all conditions are met, then CVE-2021-41773 will work as an RCE.

CVE-2021-41773

Let me remind you that we also reported that VMware Alerts That Critical Vulnerability Has Been Found In vCenter Server.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.