Apache HTTP Zero-day CVE-2021-41773 fix Bypassed With CVE-2021-42013

Apache Path Traversal Vulnerabilities (CVE-2021-41773) bypass and achieve another RCE

A couple of days back we have reportedPath Traversal Vulnerabilities (CVE-2021-41773) in Apache HTTP Server 2.4.49, which was exploited in wild. As soon as the details of the bug were revealed PoC exploit of vulnerability was released. An attacker could use a path traversal attack to map URLs to access files outside the document root directory of web servers based on Apache. 

Apache developer team patched the bug and released the latest version 2.4.50. A security researcher, Shungo Kumasaka have found a way to bypass the fix of CVE-2021-41773. In the blog post, he detailed his finding.

In Apache HTTP Server 2.4.49, as introduced, the process of checking " .. " is included but this checking process missed some consideration for the percent-encoded ". " String. This allowed path traversal when the percent-encoded " . ", " % 2E " and " % 2e " were used.

In Apache HTTP Server 2.4.50 , the processing has been changed so that " % 2E " and " % 2e " are also checked. As a result of this change (fix of CVE-2021-41773), it now responds with a " 400 Bad Request " to path traversals using " % 2E " and " % 2e ".

From above he noticed that the evaluation pattern for the path was fixed. Therefore, he evaluated whether the countermeasures work for character strings other than " % 2E " and " % 2e ". Later on, he found that percent-encoding is evaluated recursively. For example - " %% 35% 66 " is converted to " % 5f " and interpreted as " _ "

So based on the above scenario he managed to create the attack code and tested it on Apache HTTP Server 2.4.50. With his crafted attack code, he successfully bypass the CVE-2021-41773 fix on Apache HTTP Server 2.4.50. 

Kumasaka contacted the Apache Security Team with his bypass and PoC exploit. Apache team confirmed the bypass and released another fix with version 2.4.51, also they allotted this bypass with CVE as CVE-2021-42013.

Finally, Kumasaka recommended all admins who are using Apache HTTP Server 2.4.49 or 2.4.50 to upgrade the server to 2.4.51. If you cannot upgrade, you can avoid it by setting Apache HTTP Server so that the directory outside DocumentRoot is " require all denied " as described in the Apache advisory. However, it is recommended to upgrade because there is a possibility that a vulnerability may occur due to the omission of consideration in the configuration file.