advantagejilo.blogg.se

Billie holiday reverb lp lady in satin 3rd issue






150373: Apache HTTP Server Remote Code Execution (CVE-2021-41773).

uid=1(daemon) gid=1(daemon) groups=1(daemon)

Detecting the Vulnerabilities with Qualys WAS

Customers can detect these vulnerabilities with Qualys Web Application Scanning using the following QIDs:

_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Exploitation: Remote Code Execution

in double URL encode format as %%32%65%%32%65/

Exploitation: Path Traversal

Thus a dot is equivalent to %%32%65 which eventually converts.

The attack in 2.4.49 initially encoded the second dot (.) to %2e, and the same was double URL encoded into %%32%65 for version 2.4.50.

Encoding Analysis

About CVE-2021-42013

CVE-2021-42013 was introduced because the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient: it did not cover double URL encoding. The vulnerable configurations therefore remained the same, but the payload used in 2.4.49 was double URL encoded in 2.4.50 to carry out the same path traversal and remote code execution attack.

Looking at the HTTP POST request for RCE, we can see that /bin/sh is the system binary that executes the payload echo id and prints the output of the id command in the response.

uid=1(daemon) gid=1(daemon) groups=1(daemon)

While CVE-2021-41773 was initially documented as a path traversal and file disclosure vulnerability, additional research concluded that it can be further exploited for remote code execution when the mod_cgi module is enabled on the Apache HTTP server. This allows an attacker to leverage the path traversal vulnerability and call any binary on the system using HTTP POST requests.

Please note that the default configuration of Apache HTTP Server has the directory directive for the entire filesystem configured as Require all denied and hence is not vulnerable.
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin

Vulnerable Configuration:

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

%2e/ and bypasses the check.

Along with the path traversal check bypass, for an Apache HTTP server to be vulnerable, the HTTP Server configuration should either contain the directory directive for the entire server's filesystem as Require all granted, or the directory directive should be completely missing from the configuration file.

Hence when URL encoding the second dot as %2e, the logic fails to recognize %2e as a dot, thereby not decoding it; this converts the characters.

To prevent path traversal attacks, the normalization function, which is responsible for resolving URL-encoded values from the requested URI, resolved Unicode values one at a time.

The path traversal vulnerability was introduced by the new code change added for path normalization, i.e., for URL paths to remove unwanted or dangerous parts from the pathname, but it was inadequate to detect different techniques of encoding the path traversal characters "dot-dot-slash (../)".

About CVE-2021-41773

According to CVE-2021-41773, Apache HTTP Server 2.4.49 is vulnerable to Path Traversal and Remote Code Execution attacks.

Once successfully detected, users can remediate the vulnerabilities by upgrading to Apache HTTP Server 2.4.51 or greater.

With both CVEs being actively exploited, Qualys Web Application Scanning has released QIDs 150372, 150373 and 150374, which send specially crafted HTTP requests to the target server to determine if it is exploitable.

"God Bless the Child" (Billie Holiday, Arthur Herzog Jr.

As the vulnerabilities are configuration dependent, checking the version of Apache web server is not enough to identify vulnerable servers.

"Ain't Nobody's Business If I Do" (Porter Grainger, Everett Robbins) - 3:20.
"Don't Explain" (Billie Holiday, Arthur Herzog Jr.) - 3:24.
"Deep Song" (George Cory, Douglass Cross) - 3:13.

By the time this album was released, she was on Norman Granz's jazz label Verve Records. The featured songs on the album are from when Holiday was signed with Decca in the mid to late 1940s. The Lady Sings (DL 8215) is a compilation album by jazz singer Billie Holiday, released by Decca Records in 1956.






