Context Navigation

← Previous Ticket
Next Ticket →

#15650 closed enhancement (fixed)

httpd-2.4.51

Reported by:	Bruce Dubbs	Owned by:	thomas
Priority:	high	Milestone:	11.1
Component:	BOOK	Version:	git
Severity:	normal	Keywords:
Cc:

Description ¶

New point version.

Change History (12)

comment:1 by thomas, 4 years ago

Owner:	changed from blfs-book to thomas
Status:	new → assigned

comment:2 by ken@…, 4 years ago

Bad news, although 2.4.50 fixes an issue in (only) 2.4.49, it has just got its own CVE for an incomplete fix https://www.openwall.com/lists/oss-security/2021/10/07/6

For the issue in 2.4.49 see e.g. https://www.openwall.com/lists/oss-security/2021/10/07/1

comment:3 by ken@…, 4 years ago

Looks as is 2.4.51 is out, release notes are at https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES but I do not see a tarball at the moment

comment:4 by thomas, 4 years ago

https://dlcdn.apache.org//httpd/httpd-2.4.51.tar.bz2 is available now.

Version 0, edited 4 years ago by thomas (next)

comment:5 by thomas, 4 years ago

Changes with Apache 2.4.51

*) SECURITY: CVE-2021-42013: Path Traversal and Remote Code

Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (cve.mitre.org) It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. Credits: Reported by Juan Escobar from Dreamlab Technologies, Fernando MuÃ±oz from NULL Life CTF Team, and Shungo Kumasaka

*) core: Add ap_unescape_url_ex() for better decoding control, and deprecate

unused AP_NORMALIZE_DROP_PARAMETERS flag. [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]

comment:6 by thomas, 4 years ago

Resolution:	→ fixed
Status:	assigned → closed

Fixed in [01825fd]

comment:7 by ken@…, 4 years ago

Priority:	normal → elevated

Belatedly marking as elevated.

comment:8 by Douglas R. Reno, 4 years ago

Priority:	elevated → high

Marking as High. Easy to achieve remote code execution (from oss-security):

RCE exploit both for Apache 2.4.49 (CVE-2021-41773) and 2.4.50
(CVE-2021-42013): root@CT406:~# curl
'http://192.168.0.191/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
--data 'echo Content-Type: text/plain; echo; id' uid=1(daemon)
gid=1(daemon) groups=1(daemon)

I will attempt an SA for this, VIM, and PHP later today or early tomorrow.

comment:9 by Douglas R. Reno, 4 years ago

On an LFS system, I did (2.4.49):

curl "http://127.0.0.1/cgi-bin/../../../../bin/sh" --data "echo Content-Type: text/plain; echo; id"

I get:

uid=25(apache) gid=25(apache) groups=25(apache)

Thank you Thomas for updating this as quickly as you did!

comment:10 by Douglas R. Reno, 4 years ago

Summary:	httpd-2.4.50 → httpd-2.4.51

comment:11 by Douglas R. Reno, 4 years ago

(Note that you have to have mod_cgi enabled for this to work as well)

comment:12 by Douglas R. Reno, 4 years ago

I see that we do have an SA for this, my apologies for the noise - I will probably update that to note that it's easily exploitable and has been exploited in the wild.

Note: See TracTickets for help on using tickets.

Download in other formats: