CVE-2021-41773 Exploitation Attempt

Detects exploitation of a flaw in path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. It only affects Apache 2.4.49 and not earlier versions.

Sigma rule

title: CVE-2021-41773 Exploitation Attempt
id: 3007fec6-e761-4319-91af-e32e20ac43f5
status: test
description: |
  Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.
  An attacker could use a path traversal attack to map URLs to files outside the expected document root.
  If files outside of the document root are not protected by "require all denied" these requests can succeed.
  Additionally this flaw could leak the source of interpreted files like CGI scripts.
  This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
    - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
    - https://twitter.com/ptswarm/status/1445376079548624899
    - https://twitter.com/h4x0r_dz/status/1445401960371429381
    - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml
    - https://twitter.com/bl4sty/status/1445462677824761878
author: daffainfo, Florian Roth
date: 2021-10-05
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-41773
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/cgi-bin/.%2e/'
            - '/icons/.%2e/'
            - '/cgi-bin/.%%32%65/'
            - '/icons/.%%32%65/'
            - '/cgi-bin/.%%%25%33'
            - '/icons/.%%%25%33'
        sc-status:
            - 200
            - 301
    condition: selection
falsepositives:
    - Unknown
level: high
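
The selection above applied to raw access-log lines, as an added example that is not part of the rule or the Sigma project. It assumes cs-uri-query maps to the undecoded request target of an Apache common/combined log line; the function names and the sample lines (documentation IP ranges, placeholder paths) are constructed for illustration.

```python
import re

# Substrings copied from the rule's selection; Sigma "contains" is case-insensitive.
PATTERNS = [
    "/cgi-bin/.%2e/",
    "/icons/.%2e/",
    "/cgi-bin/.%%32%65/",
    "/icons/.%%32%65/",
    "/cgi-bin/.%%%25%33",
    "/icons/.%%%25%33",
]
STATUSES = {200, 301}  # sc-status values from the rule

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def match_line(line):
    """Return the rule pattern a log line satisfies, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not flagged
    if int(m["status"]) not in STATUSES:
        return None  # the rule only fires on 200 and 301 responses
    # Match on the raw target: the patterns are percent-encoded, so decoding
    # the URL before matching would hide them.
    target = m["target"].lower()
    for pattern in PATTERNS:
        if pattern.lower() in target:
            return pattern
    return None

def scan(lines):
    """Return (line index, matched pattern) for every line that satisfies the selection."""
    hits = [(i, match_line(line)) for i, line in enumerate(lines)]
    return [(i, p) for i, p in hits if p is not None]

# Constructed sample log lines; "placeholder" stands in for the rest of the path.
SAMPLE = [
    '203.0.113.5 - - [05/Oct/2021:10:00:00 +0000] "GET /cgi-bin/.%2e/placeholder HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /icons/.%2E/placeholder HTTP/1.1" 301 0',
    '203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/placeholder HTTP/1.1" 403 199',
    '198.51.100.7 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326',
    '203.0.113.5 - - [05/Oct/2021:10:00:04 +0000] "GET /cgi-bin/.%%32%65/placeholder HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for index, pattern in scan(SAMPLE):
        print(f"line {index}: matched {pattern}")
```

The third sample line carries a listed pattern but is not flagged, because its 403 status falls outside the rule's sc-status list.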
