Apache recently released patches for a zero-day vulnerability affecting versions 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013) of its web server on both Windows and Linux servers. The zero-day vulnerability was a directory traversal that could allow an attacker to access arbitrary files on the web server. Directory traversal (also known as path traversal) is an attack that uses the sequence ../../../../ in the URL to access files that exist outside the web server document root. This can be exploited to access files that should never be accessible through the web server, such as the /etc/passwd file via ../../../../etc/passwd. In the case of this vulnerability, the attack was URL encoded as below, where %2e is the URL-encoded equivalent of the dot character:
Where the vulnerability exists, it can also lead to remote code execution if CGI scripts are enabled. In this case, the directory traversal sequence is used to execute a command that is passed to the shell from the request body:
curl --data 'echo; $cmd' '$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh'
This attack can be leveraged to execute arbitrary commands on the web server and ultimately lead to compromising the host.
According to the Apache security advisory, the vulnerability arose due to a change that was made in path normalization in Apache web server 2.4.49. As a result, the URL path was not correctly validated and the %2e sequences were not blocked. While the issue was originally thought to affect only version 2.4.49, version 2.4.50 was also found to be affected because the released patch was an incomplete fix for the issue. This was because %%32%65 (the URL-encoded equivalent of %2e) could be used to bypass the path validation that was used by version 2.4.50:
As a result, Apache released another patch in version 2.4.51. However, the impact of the vulnerability is limited: it is not exploitable as long as the ‘require all denied’ configuration is present, which prevents access to files outside the document root and is enabled by default.
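For defenders reviewing access logs, the sketch below flags request paths that contain a `..` segment once every layer of percent-encoding is removed, which covers both the `%2e` form and the `%%32%65` form described above. It is an added example, not code from Apache or the original article; the function names, the five-round decoding limit, the assumption that the log records the raw request line, and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import unquote

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
MAX_ROUNDS = 5  # assumption: upper bound on nested encoding layers to unwrap

def fully_decode(path):
    """Percent-decode until the string stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(request_target):
    """Return None for a clean path, else a label for the traversal form."""
    path = request_target.split("?", 1)[0]        # ignore the query string
    decoded, rounds = fully_decode(path)
    if ".." not in re.split(r"[/\\]", decoded):   # require a whole '..' segment
        return None
    labels = ("plain-traversal", "encoded-traversal", "multi-encoded-traversal")
    return labels[min(rounds, 2)]

def scan(log_lines):
    """Return (line_number, label, raw_target) for every suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        label = classify(match.group(1)) if match else None
        if label:
            hits.append((number, label, match.group(1)))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Oct/2021:10:00:02 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 45',
    '198.51.100.7 - - [06/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 403 199',
    '192.0.2.44 - - [06/Oct/2021:10:00:04 +0000] "GET /docs/notes..v2.txt?ref=%2e%2e HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, label, target in scan(SAMPLE_LOG):
        print(f"line {number}: {label}: {target}")
```

Decoding until the string is stable is the point: a check that decodes only once sees `%%32%65` become `%2e` and stops, which is the gap the 2.4.50 fix left open.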