[ SB 21.20 ] Critical Bug in Apache HTTPD can lead to RCE (CVE-2021-41773)

Apache HTTPD Advisory

A flaw was found in Apache HTTP Server where an attacker could use a path traversal attack to map URLs to files outside the expected document root.

If files outside of the document root are not protected by "require all denied" these requests can succeed. This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.

CVE       : CVE-2021-41773
Vendor    : Apache
Product   : HTTPD

Patches   : available
Exploits  : exploits available (RCE as well)

Exploits and scanners

Test-POC and scanner-signatures are available since 2021-10-05 1600 UTC, since 2021-10-06 0100 UTC also an RCE-POC.

Massscanning started within 12hours

RCE-POC by hackerfantastic
nuclei-sig
bad packets: We've detected mass scanning activity

rce

References:

https://httpd.apache.org/security/vulnerabilities_24.html

Fragen? Kontakt: info@zero.bs

Filed: Wed 06 October 2021 | Security Bulletin | Tags: apache 0day rce httpd

[ SB 21.20 ] Critical Bug in Apache HTTPD can lead to RCE (CVE-2021-41773)

Exploits and scanners

References:

Main-Links

Blog

OSS & Projects