A recent security advisory has been released by Apache, reporting version 2.4.49 as being affected by a high risk path traversal and file disclosure vulnerability. The vulnerability was swiftly patched by Apache and users are being advised to upgrade to the latest version immediately. The issue was reported by Ash Daulton and the cPanel Security Team on September 17th, and patched by Apache on October 1st. Details of the original advisory can be found here.

Path traversal is a simple exploit which provides a threat actor a high impact attack vector. Successful exploitation allows an attacker to arbitrarily read access to files and directories outside of the web root directory. In some cases, a successful attack vector can lead to write access of the file system, which can lead to further more severe exploitation. According to the advisory this flaw could lead to the source of interpreted files like CGI scripts being leaked.

It should be noted that due to the simplicity of the vulnerability, proof of concepts and exploits are already emerging online. The original Apache advisory has highlighted “This issue is known to be exploited in the wild” and sources on social media are already demonstrating that this attack, with the right conditions, can be abused to carry out remote command execution. This means it is of paramount importance that affected users upgrade as soon as possible.

The good news is if you are an AppCheck customer you will already be ahead of the curve so to speak. This vulnerability is already being picked up by our scanners and actively being reported.

Investigation into the issue indicates that a number of pre-requisites are required in order for a successful attack to take place.

• Apache version 2.4.49 installed, other versions and branches are not affected
• The access control “require all denied” directive in the Apache configuration file is not set for files outside of the document web root.
• A successfully payload needs an existing path base in order to work. Common and default paths for example include cgi-bin and icons.

If you want to check if you are affected, the following safe and reliable proof of concept one liner can be used to echo back the hostname of the target server (cgi-bin should be replaced with an existing directory or alias):

curl -ski https://<hostname>/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/hostname

Using publicly available passive crawling and index services, such as Shodan, AppCheck have identified that at the time of writing that approximately 110,000 servers are potentially affected by this vulnerability.

As always with web application-based issues, user supplied input should not be explicitly trusted. Validating and sanitizing user supplied data accordingly. In the case of this issue, code changes to how the Apache HTTP server processed path normalization for the provided URL, failed to validate key characters. The Apache developers correctly validated against the ../ characters, typically used in a path traversal attacks. However, the validation failed to validate against URL encoded period characters (%2E), resulting in the issue.

To avoid path traversal issues, it is best practice to first resolve the path to an absolute path, and then check that this falls within the expected path. Furthermore, the web application server should also run with a dedicated user account with the least privileges to mitigate any possible compromise.

Apache have released a fix for this issue in the form of an updated patched version – 2.4.50. Users are advised to update as soon as possible.
Further details on Path Traversal issues and several remediation and mitigation steps are included in our blog post “URL parsing and Path Traversal”

UPDATE

A previous version of this article recommended updating to 2.4.50 to address the vulnerability in 2.4.49, however the fix in 2.4.50 has been now been shown to be incomplete therefore it is recommended to update to 2.4.51.

The initial fix published by Apache in 2.4.50 did not account for double URL encoded payloads for example %2e can be encoded into %%32%65 (2 is encoded to %32 and e is encoded to %65, with the original % left unencoded). This bypasses the checks implemented in 2.4.50 allowing successful exploitation.

The Apache Software Foundation have released 2.4.51 to address the Path Traversal and Remote Code Execution vulnerabilities in Apache HTTP Server 2.4.49 and 2.4.50. This is to address the incomplete fix for this issue released in 2.4.50. It is highly recommended to update to 2.4.51 as public exploit code is available for these issues and have been exploited in the wild. Note that versions other than 2.4.49 and 2.4.50 continue to be unaffected by this issue.

The good news is that AppCheck can already detect and report this new variation!