Another vulnerability in Apache httpd that allows access outside the site's root directory

A new attack vector has been found in the Apache http server that was not fixed by update 2.4.50 and allows access to files outside the site's root directory. In addition, researchers have found a way that, with certain non-standard settings, allows not only reading system files but also remotely executing code on the server. The problem appears only in releases 2.4.49 and 2.4.50; earlier versions are not affected by the vulnerability. Apache httpd 2.4.51 was quickly released to address the new variant of the vulnerability.

At its core, the new problem (CVE-2021-42013) is essentially the same as the original vulnerability (CVE-2021-41773) in 2.4.49; the only difference is the way the ".." characters are encoded. In particular, release 2.4.50 blocked the use of the sequence "%2e" to encode a dot, but double encoding was missed: when the sequence "%%32%65" is specified, the server first decodes it into "%2e" and then into ".", so the characters "../" used to move to the parent directory can be encoded as ".%%32%65/".

As for exploiting the vulnerability for code execution, this is possible when mod_cgi is enabled and the base path is one in which execution of CGI scripts is allowed (for example, if the ScriptAlias directive is used or the ExecCGI flag is specified in the Options directive). A mandatory requirement for a successful attack is also that the Apache configuration explicitly grants access to directories with executable files, such as /bin, or to the file system root "/". Since such access is usually not granted, the code execution attack is of little practical relevance to real systems.

At the same time, the attack that obtains the contents of arbitrary system files and the source code of web scripts readable by the user under which the http server runs remains relevant. To carry out such an attack, it is enough for the site to have a directory configured using the "Alias" or "ScriptAlias" directives (DocumentRoot alone is not enough), such as "cgi-bin".

An example of an exploit that runs the "id" utility on the server:

    curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'

    uid=1(daemon) gid=1(daemon) groups=1(daemon)

Example exploits that display the contents of /etc/passwd and of one of the web scripts (to return the script code, a directory defined through the "Alias" directive, for which script execution is not enabled, must be specified as the base directory):

    curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'

    curl 'http://192.168.0.1/aliaseddir/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/usr/local/apache2/cgi-bin/test.cgi'
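A defender-side check for the pattern described above, added here as an example and not taken from the original article: it repeats the two-stage percent-decoding that httpd 2.4.50 performs ("%%32%65" to "%2e" to ".") on request paths taken from constructed Apache access-log lines and flags any request whose decoded path climbs above the base directory. The log lines, IP addresses and the regex are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache common log format (not real traffic).
# Apache logs the raw request line, so the encoded form is what appears here.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Oct/2021:12:00:01 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 48
192.0.2.11 - - [07/Oct/2021:12:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199
192.0.2.12 - - [07/Oct/2021:12:00:03 +0000] "GET /docs/../docs/index.html HTTP/1.1" 200 1024
192.0.2.13 - - [07/Oct/2021:12:00:04 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+)'
)


def decode_like_httpd(path, max_rounds=3):
    """Percent-decode repeatedly until the string stops changing (bounded).
    One round turns "%%32%65" into "%2e"; the second turns "%2e" into "."."""
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def escapes_root(path):
    """True if the fully decoded path has more ".." than real segments before it,
    i.e. it would resolve to a location above the configured base directory."""
    decoded = decode_like_httpd(path.split("?", 1)[0])
    depth = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal(log_text):
    """Return (ip, raw_path, decoded_path, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_root(m.group("path")):
            hits.append((m.group("ip"), m.group("path"),
                         decode_like_httpd(m.group("path")), m.group("status")))
    return hits
```

Because the check decodes iteratively rather than looking for a literal "../" or "%2e", it catches both the 2.4.49 single-encoded form and the 2.4.50 double-encoded form in the same pass.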

The problem mainly affects continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports. Packages in the stable branches of the conservative Debian, RHEL, Ubuntu and SUSE server distributions are not affected. The problem does not occur if directory access is explicitly denied using the "Require all denied" setting.

Source: opennet.ru