Oct. 7, 2021, US-CERT (United States Computer Emergency Readiness Team) tweeted “Active scanning of Apache HTTP Server CVE-2021-41773 & CVE-2021-42013 is ongoing and expected to accelerate, likely leading to exploitation. Please patch immediately if you haven’t already – this cannot wait until after the weekend.”
CISA (Cybersecurity & Infrastructure Security Agency) further explained this “flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.”
In RidgeBot plugin library 2.10.5, the scripts to detect and exploit both CVEs have been released. With the release of RidgeBot 3.7 and above, you can test whether your website server can be exploited by such a vulnerability. This short video shows a quick example.
The target web server was installed with Apache2_2.4.49, and we put it under test with RidgeBot. The payload we’re using is “POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1”.
With this payload, we successfully exploited the vulnerability CVE-2021-41773 and obtained a web shell on the target machine. As a result, we can issue commands from the browser and walk the directories of the compromised target.
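From the defender’s side, the same request pattern is what you look for in Apache access logs after the fact. The following script is an added example, not part of this post or of the RidgeBot plugin: it parses common-log-format lines, percent-decodes the request target repeatedly (a single decode is not enough, because the 2.4.50 fix tracked by CVE-2021-42013 was bypassed with a second layer of encoding), and flags targets whose dot-segments only escape the root after decoding, which is exactly the case httpd’s normalizer mishandled. The log lines, IP addresses and the `/cgi-bin/` to `/bin/sh` heuristic are constructed for the example; the third line reuses the payload shown above.

```python
"""Flag CVE-2021-41773 / CVE-2021-42013 style traversal attempts in Apache access logs."""
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache common log format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.6 - - [07/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 2112',
    '10.0.0.7 - - [07/Oct/2021:10:00:03 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 55',
    '10.0.0.8 - - [07/Oct/2021:10:00:04 +0000] "GET /icons/../index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [07/Oct/2021:10:00:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded dots are reduced to literal '.' characters as well."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return path


def escapes_root(path):
    """Walk the path segments the way a normalizer would and report whether a
    '..' ever climbs above the URL root (a proxy for leaving the aliased directory)."""
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != '.':
            depth += 1
    return False


def analyze(line):
    """Return a finding for one log line, or None when nothing looks like traversal."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group('target').split('?', 1)[0]
    decoded = fully_decode(raw)
    if not escapes_root(decoded):
        return None  # e.g. /icons/../index.html: the '..' stays inside the root
    if escapes_root(raw):
        kind = 'literal-traversal'  # httpd collapses these before mapping; low severity
    else:
        kind = 'encoded-traversal'  # dots hidden from the normalizer: the 41773/42013 pattern
    # Constructed heuristic: an encoded traversal aimed at a shell binary via CGI.
    if kind == 'encoded-traversal' and decoded.startswith('/cgi-bin/') and decoded.endswith('/bin/sh'):
        kind = 'rce-attempt'
    return {
        'ip': m.group('ip'),
        'kind': kind,
        'decoded_path': decoded,
        'status': int(m.group('status')),
        # A 2xx means the request was served, i.e. not stopped by "Require all denied".
        'served': m.group('status').startswith('2'),
    }


def scan(lines):
    """Run analyze() over every line and keep only the findings."""
    return [f for f in (analyze(line) for line in lines) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A served (2xx) encoded traversal is the signal worth paging on: it means the server both accepted the traversal and had nothing outside the aliased directory protected by `Require all denied`. A 403 on the same path still shows someone probing, but the default deny held.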
This is exactly what a hacker would do – locating vulnerable targets on the open internet by auto-scanning and then launching an attack to exploit them. Once they succeed, they see what RidgeBot is showing here. If you would like to test your environment one step ahead of the hackers, please contact us. You can use RidgeBot either to discover whether your environment is vulnerable and exploitable via this CVE, or to validate that your patch has been effective.