Last week we released Shell Shocked to start our new theme that is based on CVEs. If you are interested in what our new theme is working to achieve, take a look at our motivation.
This week, we are releasing a total of three TTPs.
Two that target CVE-2021-41773:
Is Apache HTTP vulnerable to path traversal?
Is Apache HTTP vulnerable to remote code execution?
One that targets CVE-2021-3156:
Are you vulnerable to Baron Samedit?
CVE-2021-41773
Find this chain on chains.prelude.org
Is Apache HTTP vulnerable to path traversal?
Apache HTTP - also known as httpd or apache2 - is an application found on many Linux web servers. In October 2021, it was discovered that a change in the latest version had weakened the application's path normalization, so that URL-encoded characters could bypass URL validation. This change had a side effect: files on the server that were never supposed to be reachable could now be accessed.
Is Apache HTTP vulnerable to remote code execution?
The same disclosure noted that if httpd's mod_cgi module was loaded, the encoded-character bypass could be escalated to remote code execution (RCE): a command is attached to the request while the URL-encoded path points at a shell binary (/bin/sh).
Testing
To test if you are vulnerable, this chain should be executed on the host that is running httpd or apache2. The first TTP sends a crafted cURL request that triggers the path traversal, while the second sends a cURL request that triggers the remote code execution. Each response is checked against the same file or command output read locally on the box. Each TTP returns 0 (exploitable) or 1 (not exploitable).
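The test above probes from the host itself; the complementary defender check is to look for the same encoded traversal in httpd's access logs. The example below is added here and is not part of the Prelude chain: it parses constructed combined-format log lines, URL-decodes each request path (repeatedly, since the CVE-2021-42013 edge cases use double encoding), and flags any request whose dot-dot segments only appear after decoding, marking the ones aimed at /bin/sh under /cgi-bin/ as RCE attempts. The log lines, IP addresses and status codes are all constructed sample data.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic);
# the traversal forms are the encoded dot-dot that the buggy release failed to normalize.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "curl/7.68.0"
203.0.113.9 - - [06/Oct/2021:10:12:07 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1631 "-" "curl/7.68.0"
203.0.113.9 - - [06/Oct/2021:10:12:09 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 53 "-" "curl/7.68.0"
198.51.100.2 - - [06/Oct/2021:10:13:00 +0000] "GET /icons/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 403 199 "-" "python-requests/2.25"
198.51.100.7 - - [06/Oct/2021:10:13:05 +0000] "GET /../etc/passwd HTTP/1.1" 400 226 "-" "curl/7.68.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<raw>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(raw, rounds=3):
    """URL-decode repeatedly: CVE-2021-41773 needs one round (.%2e),
    the CVE-2021-42013 bypass of the 2.4.50 fix needs two (%%32%65)."""
    cur = raw
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur

def classify(line):
    """Return a finding dict for an encoded-traversal request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m['raw'].split('?', 1)[0]
    if '..' in raw.split('/'):
        return None  # literal dot-dot: httpd normalizes and rejects this itself, not the CVE
    decoded = decode_fully(raw)
    if '..' not in decoded.split('/'):
        return None
    target = normpath(decoded)  # where the traversal lands after normalization
    rce = decoded.startswith('/cgi-bin/') and target == '/bin/sh'
    return {'src': m['src'], 'method': m['method'], 'target': target,
            'kind': 'rce' if rce else 'traversal', 'blocked': m['status'] != '200'}

def analyze(log_text):
    """Scan a whole log and return the findings in order of appearance."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]
```

Running analyze(SAMPLE_LOG) yields three findings: two successful (status 200) traversal/RCE requests from the same source, and one blocked double-encoded attempt; a 'blocked' value of False against a server that should be patched is the line worth escalating.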
Remediation
If your system is vulnerable, the following information can help mitigate or remediate the findings:
Upgrade Apache to a version above 2.4.50 (2.4.50 attempted to fix this issue but left some edge cases unfixed, as described in CVE-2021-42013)
Ensure Apache configuration has the “require all denied” directive
Additional remediation information can be found on Apache’s official website.
Check it out on the Prelude chains website.
CVE-2021-3156
Are you vulnerable to Baron Samedit?
Sudo is a powerful program that is included in almost all Unix and Linux-based operating systems. It enables users to run applications with another user's security privileges. Baron Samedit has been hidden in plain sight in sudo for more than 10 years. Any unprivileged user who successfully exploits this vulnerability gains root access on the affected computer.
Testing
To test if you are vulnerable, this chain should be executed on the host that you want to test. This TTP will attempt to overflow the buffer of sudoedit. If it is successful, a segmentation fault appears and the host is vulnerable. Otherwise, sudoedit prints its usage flags and the program has been patched.
Remediation
Given the scope of this vulnerability's attack surface, Prelude advises that users apply patches for this issue promptly by installing the latest version of Sudo:
https://www.sudo.ws/getting/download/#binary
Get our products
Download Prelude Operator: https://www.prelude.org
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Join our community
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Read, watch, and listen
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
Follow our team
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Kris: https://twitter.com/Xanthonus
Octavia: https://twitter.com/VV_X_7
Sam: https://twitter.com/wasupwithuman