frack113
41 lines
1.6 KiB
YAML
41 lines
1.6 KiB
YAML
title: CVE-2021-41773 Exploitation Attempt
|
|
id: 3007fec6-e761-4319-91af-e32e20ac43f5
|
|
status: experimental
|
|
description: |
|
|
Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.
|
|
An attacker could use a path traversal attack to map URLs to files outside the expected document root.
|
|
If files outside of the document root are not protected by "require all denied" these requests can succeed.
|
|
Additionally this flaw could leak the source of interpreted files like CGI scripts.
|
|
This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
|
|
references:
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
|
|
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
|
|
- https://twitter.com/ptswarm/status/1445376079548624899
|
|
- https://twitter.com/h4x0r_dz/status/1445401960371429381
|
|
- https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml
|
|
- https://twitter.com/bl4sty/status/1445462677824761878
|
|
author: daffainfo, Florian Roth
|
|
date: 2021/10/05
|
|
modified: 2023/01/02
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1190
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
selection:
|
|
cs-uri-query|contains:
|
|
- '/cgi-bin/.%2e/'
|
|
- '/icons/.%2e/'
|
|
- '/cgi-bin/.%%32%65/'
|
|
- '/icons/.%%32%65/'
|
|
- '/cgi-bin/.%%%25%33'
|
|
- '/icons/.%%%25%33'
|
|
sc-status:
|
|
- 200
|
|
- 301
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|