oss-sec mailing list archives
RE: CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
From: "Tim Wadhwa-Brown (twadhwab)" <twadhwab () cisco com>
Date: Thu, 7 Oct 2021 06:01:43 +0000
Hi oss-security folks,

Closing the loop on this one. Will Dormann, Hacker Fantastic and I successfully managed to turn this into RCE on both Windows and Linux. With mod_cgi (and maybe other similar extensions) enabled, Will showed he could get calc to pop on Windows, and HF and I subsequently figured out how to trigger the bug on Linux to reach /bin/sh and POST a shell payload. Whilst the configuration may not be default, it's probably worth doubling down on any efforts to get the patch rolled out if you're affected.

There's a whole series of Twitter that I shan't bore you with, but https://twitter.com/hackerfantastic/status/1445523890759819264?s=20 should be a good starting point if you want to read back.

Tim

PS Apologies for any email mangling, first time posting here in quite some time and sadly corporate mail client is no longer KMail ☹. Not sure if it will become a regular habit again.

Tim Wadhwa-Brown
Security Research Lead, CX Technology & Transformation Group
twadhwab () cisco com
Tel: +44 208 824 0239
Mail Stop UXB10/3
82 Oxford Road, Uxbridge, UB8 1UX, United Kingdom
cisco.com | labs.portcullis.co.uk

-----Original Message-----
From: Stefan Eissing <icing () apache org>
Sent: 05 October 2021 10:03
To: oss-security () lists openwall com
Subject: [oss-security] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

Severity: important

Description:
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.

This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.

Credit:
This issue was reported by Ash Daulton along with the cPanel Security Team

References:
https://httpd.apache.org/security/vulnerabilities_24.html
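The advisory describes the bug as a path normalization flaw that lets a request map to a file outside the document root, and the reply above adds that with mod_cgi enabled a POST that reaches /bin/sh turns it into RCE. The following is an added example, not code from the thread or from the httpd project: a small access-log scanner that decodes each path segment once, removes dot segments, and flags requests that (a) contain a dot segment that only appears after percent-decoding, (b) climb above the document root, or (c) are POSTs landing on /bin/sh after such a climb. The log lines are constructed for the example; the specific percent-encodings in them are illustrations of the class of traversal the advisory describes, and the thread itself does not spell out a request shape.

```python
import re
from urllib.parse import unquote

# Request line inside an Apache combined-format access log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not from the thread): two traversal attempts,
# two benign requests, and a query string that merely contains "%2e%2e".
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:10:03:11 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1460 "-" "curl/7.68.0"
10.0.0.5 - - [05/Oct/2021:10:03:12 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 57 "-" "curl/7.68.0"
10.0.0.7 - - [05/Oct/2021:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 10926 "-" "Mozilla/5.0"
10.0.0.8 - - [05/Oct/2021:10:04:30 +0000] "GET /icons/../index.html HTTP/1.1" 200 10926 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2021:10:05:00 +0000] "GET /cgi-bin/test.cgi?x=%2e%2e HTTP/1.1" 200 12 "-" "curl/7.68.0"
"""


def walk_path(raw_target):
    """Percent-decode each path segment once, then remove dot segments.

    Returns (normalized_path, escaped_root, encoded_dot_segment):
      escaped_root        - a ".." tried to climb above the document root
      encoded_dot_segment - a "." or ".." that was only visible after
                            decoding, i.e. one that normalization of the
                            raw (still-encoded) URL would not see
    """
    path = raw_target.split("?", 1)[0]   # the query string is not a path
    stack = []
    escaped = False
    encoded_dots = False
    for seg in path.split("/"):
        if seg == "":
            continue
        dec = unquote(seg)
        if dec in (".", "..") and dec != seg:
            encoded_dots = True
        if dec == ".":
            continue
        if dec == "..":
            if stack:
                stack.pop()
            else:
                escaped = True           # nothing left to pop: above docroot
            continue
        stack.append(dec)
    return "/" + "/".join(stack), escaped, encoded_dots


def classify(line):
    """Return a finding record for one access log line, or None if it has no request line."""
    m = REQ_RE.search(line)
    if not m:
        return None
    norm, escaped, encoded = walk_path(m["target"])
    findings = []
    if encoded:
        findings.append("encoded-dot-segment")
    if escaped:
        findings.append("docroot-escape")
    # A POST that escapes the docroot and lands on a shell is the mod_cgi RCE
    # shape described in the reply (payload carried in the request body).
    if escaped and m["method"] == "POST" and norm.endswith("/bin/sh"):
        findings.append("cgi-shell-rce")
    return {"method": m["method"], "target": m["target"],
            "normalized": norm, "findings": findings}


def scan_log(text):
    """Classify every line of an access log; lines without a request line are skipped."""
    return [r for r in (classify(ln) for ln in text.splitlines()) if r]


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        if rec["findings"]:
            print(f'{rec["method"]} {rec["target"]} -> {rec["normalized"]}: '
                  + ", ".join(rec["findings"]))
```

Two design points: the scanner decodes each segment exactly once, so a double-encoded `%252e` is treated as the literal text `%2e` rather than a dot, and the literal `/icons/../index.html` request is not flagged because its dot segment is visible without decoding and stays inside the document root. On the server side, the advisory's own mitigation is a `Require all denied` on the filesystem root so that a mapped path outside the document root is refused even if normalization lets it through; the scanner is only for finding attempts in existing logs, not a substitute for upgrading off 2.4.49.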