Using a CVE-2021-42013 Apache 2.4.50 exploit in the wild
- An overwrite of the original Apache configuration (Require all denied) to a permissive one
- CGI script execution enabled
- And of course, you will need a functioning Apache 2.4.50 exploit.
Reproducing
We can easily reproduce a vulnerable host by using a Docker image provided by jas9reet:
By following the setup instructions from the container’s description we can set up our lab in no time. To get the IP address of our container, we can use the following command (replace <container> with the name or ID of the running container):
$ docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container>
An exploit written in C can be found in the GitHub repository CVE-2021-42013.
Download the source and compile it:
Alternatively, you can download a prebuilt release.
We can now run this exploit against the Docker container we have set up earlier:
As we can see, running the exploit was straightforward, and we received the passwd file we requested in our payload argument.
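From the defender's side, the same request that fetched the passwd file above leaves a recognisable trace in the Apache access log: a path whose ".." segments only appear after one or two rounds of percent-decoding. The following added example (not code from the original post or the exploit repository) parses constructed access-log lines, decodes each request path repeatedly, and classifies any traversal it finds as plain, encoded or double-encoded; the log lines and IP addresses are made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not taken from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2022:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.7 - - [10/May/2022:12:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 2048
10.0.0.8 - - [10/May/2022:12:00:03 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 2048
10.0.0.3 - - [10/May/2022:12:00:05 +0000] "GET /docs/../index.html HTTP/1.1" 404 12
"""

# Minimal parser for the Apache "common" log format: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def has_traversal(path: str) -> bool:
    """True if any path segment (query string ignored) is a literal '..'."""
    return any(seg == ".." for seg in path.split("?", 1)[0].split("/"))

def classify(path: str):
    """Return None, or 'plain' / 'encoded' / 'double-encoded' for the traversal found."""
    if has_traversal(path):
        return "plain"
    once = unquote(path)              # '.%2e' -> '..'  (single encoding)
    if has_traversal(once):
        return "encoded"
    if has_traversal(fully_decode(once)):   # '.%%32%65' -> '.%2e' -> '..'
        return "double-encoded"
    return None

def scan_log(text: str):
    """Return (client_ip, traversal_kind, status) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (kind := classify(m["path"])):
            hits.append((m["ip"], kind, m["status"]))
    return hits
```

A 200 status on an encoded or double-encoded hit is the combination worth alerting on, since a patched or properly restricted server answers such requests with 400 or 403.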
Taking it up a notch
To research this vulnerability further and estimate the number of vulnerable systems, we need to find hosts running Apache 2.4.50. For this task, we can use services such as Shodan or Censys. Another, more traditional approach is to use port-scanning software such as nmap or masscan:
The result can then be formatted using the cat, tr, and cut utilities:
Finally, load up the new host file into nmap for banner grabbing:
After some waiting, nmap finally went through the ~280k-host file we supplied and saved the results in a text file. After manually going through random samples from the results, we did get some hits with our compiled Apache 2.4.50 exploit:
However, few hosts were running this specific version of Apache HTTPd, and even fewer were vulnerable to the attack.
With roughly 1,500 hosts running Apache 2.4.50 according to Censys, and about one in six of them vulnerable, that leaves mere hundreds of exploitable systems as of May 2022.