Earlier this week, the Apache Software Foundation released a patch to address the 0-day vulnerability CVE-2021-41773 in its HTTP web server. Already at the time of the release of the patches, the bug was actively exploited by hackers, and it was reported that the vulnerability allows attackers to carry out a path traversal attack by matching URLs to files outside the expected document root. As a result, such an attack could lead to leakage of CGI scripts and more.
The bug only affects Apache web servers running version 2.4.49, and the affected server must have the “require all denied” option disabled (unfortunately, this is the default configuration).
As we previously reported, a number of researchers were able to reproduce the vulnerability and quickly posted several experimental exploits on Twitter and GitHub. But now the publication Bleeping Computer writes that, during the development of exploits, experts discovered one important nuance: the vulnerability can be used not only for reading arbitrary files, but also for executing arbitrary code.
This was first noticed by cybersecurity researcher Hacker Fantastic, who reported that the problem turns into RCE in Linux systems if the server is configured to support CGI via mod_cgi. If an attacker can download a file using the path traversal exploit and set permissions to execute the file, he will be able to execute commands with the same privileges as the Apache process.
Other experts, including CERT analyst Will Dormann and cybersecurity researcher Tim Brown , report that code execution is possible on Windows machines. Now experts believe that CVE-2021-41773 could initially be classified incorrectly and, in fact, the problem is more serious than the developers thought.
“I didn’t do anything smart, I just played a publicly available PoC exploit on Windows and found calc.exe running,” Dormann told reporters. – Of course, Apache must be the vulnerable version 2.4.49, mod-cgi must be enabled, and Require all denied must also be disabled. But if all conditions are met, then CVE-2021-41773 will work as an RCE. “