# CVE-2021-42013 -- Apache 2.4.50 Path Traversal / Remote Code Execution Vulnerability Reproduction

## Installing the vulnerable environment

Apache 2.4.50 installation reference: https://www.jianshu.com/p/dab051070963

### Prerequisite packages

Install the C compiler gcc-5

```
sudo apt-get install gcc-5
sudo ln -s /usr/bin/gcc-5 /usr/bin/gcc
```

Install the C++ compiler

```
sudo apt-get install g++-5
sudo ln -s /usr/bin/g++-5 /usr/bin/g++
```

Install make

```
sudo apt-get install make
```

Install the dependency package

```
sudo apt-get install libexpat1-dev
```

### Installing Apache 2.4.50

Download the required source archives

```
cd /usr/local/src
sudo wget https://archive.apache.org/dist/httpd/httpd-2.4.50.tar.gz
sudo wget https://archive.apache.org/dist/apr/apr-1.7.0.tar.bz2
sudo wget https://archive.apache.org/dist/apr/apr-util-1.6.1.tar.bz2
sudo wget https://nchc.dl.sourceforge.net/project/pcre/pcre/8.45/pcre-8.45.tar.gz
```

Extract `httpd` and `pcre` into `/usr/local/src`

```
sudo tar zxvf httpd-2.4.50.tar.gz httpd-2.4.50/
sudo tar zxvf pcre-8.45.tar.gz
```

Extract `apr` and `apr-util` into the `/usr/local/src/httpd-2.4.50/srclib` directory

```
sudo tar jxvf apr-1.7.0.tar.bz2 -C /usr/local/src/httpd-2.4.50/srclib
sudo tar jxvf apr-util-1.6.1.tar.bz2 -C /usr/local/src/httpd-2.4.50/srclib
```

Rename `apr-1.7.0` and `apr-util-1.6.1` to `apr` and `apr-util`

```
sudo mv /usr/local/src/httpd-2.4.50/srclib/apr-1.7.0 /usr/local/src/httpd-2.4.50/srclib/apr
sudo mv /usr/local/src/httpd-2.4.50/srclib/apr-util-1.6.1 /usr/local/src/httpd-2.4.50/srclib/apr-util
```

Install `pcre`

```
cd /usr/local/src/pcre-8.45
sudo ./configure --prefix=/usr/local/pcre-8.45
sudo make
sudo make install
```

Install `apache`

```
cd /usr/local/src/httpd-2.4.50
sudo ./configure --prefix=/usr/local/apache --with-pcre=/usr/local/pcre-8.45/bin/pcre-config --with-included-apr --enable-speling --enable-so --enable-rewrite
sudo make
sudo make install
```

Start Apache

```
cd /usr/local/apache/
./apachectl start
```

## Configuring the vulnerable settings

Open the configuration with `sudo vim /usr/local/apache/conf/httpd.conf` and append the following lines at the end of the file

```
<IfModule !mpm_prefork_module>
    LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
    LoadModule cgi_module modules/mod_cgi.so
</IfModule>
```

> Setting `ServerName 127.0.0.1` prevents Apache from reporting an error when it starts.

Uncomment `Include conf/extra/httpd-autoindex.conf`

In the block below, change `denied` to `granted`

```
<Directory />
    AllowOverride none
    Require all granted
</Directory>
```

> At this point the directory traversal vulnerability is already reachable; the step below additionally enables RCE.

Remove the `""` around the path in `ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"`; only then is it treated as a directory.

Restart apache

```
./apachectl restart
```

## CVE-2021-42013 PoC

https://github.com/walnutsecurity/cve-2021-42013?tab=readme-ov-file

Run `python3 cve-2021-42013.py -u http://<server ip>` to confirm the vulnerability can be exploited successfully.
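The configuration section above weakens four things in `httpd.conf`: the CGI module is loaded, the autoindex include is enabled, `<Directory />` is switched from `Require all denied` to `Require all granted`, and the quotes are stripped from the `ScriptAlias` target. The following audit script is an added example written for this page (not part of the original writeup or the PoC project); it checks a configuration fragment for exactly those lab-style weakenings so an administrator can confirm a server is not left in the vulnerable state after testing. The two embedded fragments are constructed from the steps above; `DEFAULT_CONF` is an assumption about what the shipped defaults look like, reconstructed from the changes the page tells you to make.

```python
import re

# Constructed httpd.conf fragment mirroring the lab changes described on this page.
LAB_CONF = """\
<IfModule mpm_prefork_module>
    LoadModule cgi_module modules/mod_cgi.so
</IfModule>
ServerName 127.0.0.1
Include conf/extra/httpd-autoindex.conf
<Directory />
    AllowOverride none
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/
"""

# Assumed shipped-default values (reconstructed from the page, not copied from a real server):
# CGI module and autoindex include commented out, root directory denied, ScriptAlias quoted.
DEFAULT_CONF = """\
#LoadModule cgi_module modules/mod_cgi.so
ServerName 127.0.0.1
#Include conf/extra/httpd-autoindex.conf
<Directory />
    AllowOverride none
    Require all denied
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
"""


def _active_lines(text):
    """Drop comment lines so a commented-out directive is not counted as active."""
    return [line for line in text.splitlines() if not line.lstrip().startswith("#")]


def audit_httpd_conf(text):
    """Return the list of lab-style weakenings present in an httpd.conf fragment.

    Finding names are chosen for this example; they are not Apache terminology.
    """
    body = "\n".join(_active_lines(text))
    findings = []

    # 1. Root <Directory /> block grants access to everything below the filesystem root.
    root = re.search(r"<Directory\s+/>(.*?)</Directory>", body, re.S | re.I)
    if root and re.search(r"^\s*Require\s+all\s+granted\b", root.group(1), re.M | re.I):
        findings.append("root_directory_granted")

    # 2. Directory listings enabled via the autoindex include.
    if re.search(r"^\s*Include\s+\S*httpd-autoindex\.conf", body, re.M | re.I):
        findings.append("autoindex_included")

    # 3. mod_cgi / mod_cgid loaded (needed for the RCE variant described above).
    if re.search(r"^\s*LoadModule\s+cgid?_module\b", body, re.M | re.I):
        findings.append("cgi_module_loaded")

    # 4. ScriptAlias target without the quotes the page says must be removed for RCE.
    for m in re.finditer(r"^\s*ScriptAlias\s+\S+\s+(\S+)", body, re.M | re.I):
        if not m.group(1).startswith('"'):
            findings.append("scriptalias_unquoted")

    return findings


if __name__ == "__main__":
    print("lab config    :", audit_httpd_conf(LAB_CONF))
    print("default config:", audit_httpd_conf(DEFAULT_CONF))
```

Run it against your real file with `audit_httpd_conf(open("/usr/local/apache/conf/httpd.conf").read())`; an empty list means none of the four weakenings is active. The regexes deliberately ignore comment lines, so a directive that is merely commented out is not reported.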
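The PoC above sends path-traversal requests whose `..` segments are percent-encoded so that they survive the server's normalisation. From the defender's side, the same property is what makes the attack visible in the access log: the raw request path looks harmless until it is decoded. The script below is an added example (not part of the original page or the linked PoC project) that repeatedly percent-decodes each request path until it stops changing, then flags any request whose decoded path contains a `..` segment, noting how many decoding rounds were needed, whether the target was the CGI alias, and whether the server answered 200. The four log lines are constructed sample data, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache common log format); not taken from a real server.
# Line 1 is benign, line 2 is a single-encoded traversal, line 3 is a double-encoded traversal
# aimed at /cgi-bin/, line 4 contains ".." inside a filename and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 45
203.0.113.7 - - [10/Oct/2021:12:00:02 +0000] "GET /icons/.%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [10/Oct/2021:12:00:03 +0000] "GET /cgi-bin/.%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 200 0
203.0.113.11 - - [10/Oct/2021:12:00:04 +0000] "GET /static/app..js HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path, max_rounds=3):
    """Percent-decode until the string stops changing (at most max_rounds times).

    Returns (decoded_path, rounds_needed). A path that needs more than one round
    was encoded more than once, which on its own is worth alerting on. The query
    string is dropped before decoding because only the path is normalised by the server.
    """
    decoded, rounds = raw_path.split("?", 1)[0], 0
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded, rounds = nxt, rounds + 1
    return decoded, rounds


def has_traversal(path):
    """True if any '/'-separated segment of the decoded path is exactly '..'.

    Checking whole segments avoids false positives on names like 'app..js'.
    """
    return any(seg == ".." for seg in path.split("/"))


def detect_traversal(log_text):
    """Scan access-log text and return one finding dict per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, rounds = normalize_path(m["path"])
        if not has_traversal(decoded):
            continue
        findings.append({
            "ip": m["ip"],
            "raw": m["path"],
            "decoded": decoded,
            "rounds": rounds,
            "status": int(m["status"]),
            # A traversal that lands under the CGI alias is the RCE case the page describes.
            "cgi": decoded.startswith("/cgi-bin/"),
            # 200 means the server served the request; 403/404 suggests it was rejected.
            "served": m["status"] == "200",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_traversal(SAMPLE_LOG):
        print(finding)
```

Feed it `open("/usr/local/apache/logs/access_log").read()` to check the lab server after running the PoC: the two hits should show `rounds` of 1 and 2 respectively, and `served` tells you whether the traversal actually succeeded or was blocked by a `Require all denied` block.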