Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 7 Oct 2021 06:01:43 +0000
From: "Tim Wadhwa-Brown (twadhwab)" <twadhwab@...co.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: RE: CVE-2021-41773: Path traversal and file disclosure
 vulnerability in Apache HTTP Server 2.4.49 

Hi oss-security folks,

Closing the loop on this one. Will Dormann, Hacker Fantastic and I successfully managed to turn this into RCE on both Windows and Linux. With mod_cgi (and maybe other similar extensions) enabled, Will showed he could get calc to pop on Windows and HF and I subsequently figured out how to trigger the bug on Linux to reach /bin/sh and POST a shell payload. Whilst the configuration may not be default it's probably worth doubling down on any efforts to get the patch rolled out if you're affected. There's a whole series of Twitter that I shan't bore you with but https://twitter.com/hackerfantastic/status/1445523890759819264?s=20 should be a good starting point if you want to read back.

Tim

PS Apologies for any email mangling, first time posting here in quite some time and sadly corporate mail client is no longer KMail ☹. Not sure if it will become a regular habit again.

Tim Wadhwa-Brown
Security Research Lead, CX Technology & Transformation Group
twadhwab@...co.com
Tel: +44 208 824 0239
Mail Stop UXB10/3
82 Oxford Road,
Uxbridge,
UB8 1UX,
United Kingdom
cisco.com | labs.portcullis.co.uk

-----Original Message-----
From: Stefan Eissing <icing@...che.org> 
Sent: 05 October 2021 10:03
To: oss-security@...ts.openwall.com
Subject: [oss-security] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 

Severity: important

Description:

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.  

If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.

This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.  

Credit:

This issue was reported by Ash Daulton along with the cPanel Security Team

References:

https://httpd.apache.org/security/vulnerabilities_24.html


Download attachment "PGP.sig" of type "application/pgp-signature" (822 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.