Achọtala vector ọgụ ọhụrụ maka sava Apache http, nke na-edochaghị na mmelite 2.4.50 ma na-enye ohere ịnweta faịlụ sitere na mpaghara na-abụghị akwụkwọ ndekọ mgbọrọgwụ saịtị ahụ. Tụkwasị na nke ahụ, ndị nchọpụta achọpụtala usoro nke na-enye ohere, n'ihu ụfọdụ ntọala ndị na-abụghị ọkọlọtọ, ọ bụghị nanị ịgụ faịlụ usoro, kamakwa iji mebie koodu ha na ihe nkesa. Nsogbu a na-apụta naanị na mwepụta 2.4.49 na 2.4.50; emetụtaghị ụdị nke mbụ. Iji kpochapụ adịghị ike ọhụrụ ahụ, ewepụtara Apache httpd 2.4.51 ngwa ngwa.
Na isi ya, nsogbu ọhụrụ ahụ (CVE-2021-42013) yiri kpamkpam na adịghị ike mbụ (CVE-2021-41773) na 2.4.49, naanị ihe dị iche bụ mgbanwe dị iche iche nke "..." odide. Karịsịa, na ntọhapụ 2.4.50 ikike iji usoro "% 2e" iji tinye koodu egbochiri, mana enwere ike ịmegharị koodu ugboro abụọ - mgbe akọwapụta usoro "%% 32% 65", ihe nkesa decoded ya. banye "%2e" wee banye ".", i.e. Enwere ike itinye mkpụrụedemede "../" nke ịga na ndekọ ndekọ aha gara aga ka ".%%32%65/".
Banyere iji ihe ọghọm ahụ site na mkpochapụ koodu, nke a ga-ekwe omume mgbe enyere mod_cgi aka wee jiri ụzọ isi mee ihe nke anabatara scripts CGI (dịka ọmụmaatụ, ma ọ bụrụ na enyere ntuziaka ScriptAlias ma ọ bụ akọwapụtara ọkọlọtọ ExecCGI na nke a. Ntuziaka nhọrọ). Ihe a chọrọ maka mbuso agha na-aga nke ọma bụ inye ohere nke akwụkwọ ndekọ aha n'ụzọ doro anya na faịlụ ndị enwere ike ime ya, dị ka / bin, ma ọ bụ ịnweta mgbọrọgwụ sistemụ faịlụ "/" na ntọala Apache. Ebe ọ bụ na anabataghị ohere dị otú ahụ, mwakpo mkpochapụ koodu nwere obere ngwa maka sistemụ arụmọrụ.
N'otu oge ahụ, ọgụ iji nweta ọdịnaya nke faịlụ sistemụ aka ike na ederede isi mmalite nke edemede weebụ, nke onye ọrụ na-agụ nke sava http na-agba ọsọ, ka dị mkpa. Iji mee mwakpo dị otú ahụ, ọ ga-ezuru inwe ndekọ ahaziri na saịtị ahụ site na iji ntuziaka "Alias" ma ọ bụ "ScriptAlias" (DocumentRoot ezughị), dị ka "cgi-bin".
Ọmụmaatụ nke nrigbu na-enye gị ohere ịrụ ọrụ “id” na sava ahụ: curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%% 32%65/.%% 32%65/.%%32%65/bin/sh' —data 'echo Content-Ụdị: ederede/plain; ikwughachi; id' uid = 1 (daemon) gid = 1 (daemon) otu = 1 (daemon)
Ihe atụ nke ịkpa ókè nke na-enye gị ohere igosipụta ọdịnaya nke / wdg / passwd na otu n'ime edemede weebụ (iji wepụta koodu edemede ahụ, akwụkwọ ndekọ aha akọwapụtara site na ntụziaka "Alias", nke na-emeghị ka ọ bụrụ ihe ederede, ga-akọwapụta ya. dị ka akwụkwọ ndekọ aha): curl 'http://192.168.0.1 .32/cgi-bin/.%%65%32/.%%65%32/.%%65%32/.%%65%32/.% %65%192.168.0.1/etc/passwd' curl 'http: //32/aliaseddir/.%%65%32/.%%65%32/.%%65%32/.%%65%32/. %%65%2/usr/local/apacheXNUMX/cgi -bin/test.cgi'
Nsogbu a na-emetụta nkesa na-emelite mgbe niile dị ka Fedora, Arch Linux na Gentoo, yana ọdụ ụgbọ mmiri nke FreeBSD. Ngwunye dị na ngalaba kwụsiri ike nke nkesa sava nchekwa Debian, RHEL, Ubuntu na SUSE adịghị emetụta adịghị ike ahụ. Nsogbu a anaghị eme ma ọ bụrụ na anabataghị ohere ịnweta akwụkwọ ndekọ aha n'ụzọ doro anya site na iji ntọala "chọrọ agọnahụ niile".
isi: opennet.ru