Apache HTTP server recently fixed two security vulnerabilities, out of which a wildly exploited Zero-Day flaw was also existing. Attackers use a path traversal flaw existing in the application to map URLs to files outside the expected document root, leading to information disclosure. This zero-day CVE-2021-41773 is rated critical and is said to be exploited wildly. According to the Apache advisory published, the zero-day flaw also fixed another vulnerability, CVE-2021-41524, in the same patch. A null pointer dereferences flaw existing in the application allowed attackers to cause a denial-of-Service attack on the Server and is rated moderate by the Apache security team.
Zero-Day vulnerability (CVE-2021-41773)
Ash Daulton and the cPanel Security Team discovered this vulnerability on September 29th and reported it to the Apache security team. This vulnerability is introduced due to a change made to path normalization in an Apache HTTP Server version 2.4.49. The attacker used this path traversal flaw existing in the application to map URLs to files outside the expected document root. These requests succeed when the files outside the document root are not protected by the “require all denied” configuration. Additionally, attackers can also cause information disclosure by leaking the source of interpreted files like CGI scripts. Since this vulnerability is exploited in the wild, users of the Apache HTTP Server are advised to update to the patch version released immediately.
The below image displays the root cause of this vulnerability in the Apache HTTP Server vulnerable code. It fails to check the ‘/xx/.%2e/‘ characters in the payload, which the attackers use to exploit this zero-day. So this check is also implemented in the patch version as shown in the image.
Null pointer dereference vulnerability (CVE-2021-41524)
LI ZHI XIN from NSFocus Security Team reported this issue on September 17th to the Apache security team. Attackers can use a specially crafted HTTP/2 request to exploit the application’s null pointer dereference flaw existing in version 2.4.49. On successful exploitation, attackers will be able to cause a Denial-of-Service condition in the HTTP Server. Also, Apache claims that there is no trace of active exploitation of this vulnerability. Still, users need to upgrade their application to the patched version to stay protected from this flaw.
As the information about vulnerable payload was disclosed in public, many PoCs have been published in the Twitter accounts of Security researchers. Below is a one-liner PoC that can be used to perform the attack on a vulnerable Server. The attackers can get the “/etc/passwd” information as seen in the below image by using the payload “$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd”. This same part is used in the below script to fetch the /etc/passwd file information.
"cat targets.txt | while read host do ; do curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep "root:*" && echo "$host \033[0;31mVulnerable\n" || echo "$host \033[0;32mNot Vulnerable\n";done"
An attacker could exploit the path traversal, and null pointer dereference vulnerability existing in the affected version of Apache HTTP Server to map URLs to files outside the expected document root or cause an information disclosure and denial of service in the Server.
Apache HTTP Server version 2.4.49
Apache HTTP Server version 2.4.50
SanerNow VM detects these vulnerabilities. We strongly recommend applying the security updates for all vulnerabilities on high priority.