A new vulnerability in the Apache HTTP Server

News recently broke that a new attack vector was found in the Apache HTTP Server, one that was not fixed by the 2.4.50 update and that allows files to be read from locations outside the site's root directory.

In addition, the researchers found a way that, under certain non-default configurations, allows not only system files to be read but also code to be executed remotely on the server.

The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

In essence, the new problem (already listed as CVE-2021-42013) is entirely analogous to the original vulnerability (CVE-2021-41773) in 2.4.49; the only difference is that the characters are encoded differently.

Specifically, version 2.4.50 blocked the use of the sequence "%2e" to encode a dot, but missed the possibility of double encoding: when the sequence "%%32%65" was supplied, the server decoded it first into "%2e" and then into ".", which means the sequence ".%%32%65/" ended up being treated as "../".

Both CVEs are in practice almost the same vulnerability (the second is an incomplete fix of the first). The path traversal works only through URI mappings (for example, via the Apache "Alias" or "ScriptAlias" directives); DocumentRoot alone is not enough.
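To make the decoding chain above concrete, here is an added example (not Apache's own code) that models a single-decode check of the kind that stops ".%2e/" but not ".%%32%65/", beside a hardened alias resolver that decodes fully before rejecting dot-segments. The alias root and the "/cgi-bin/" prefix are constructed sample values.

```python
"""Simplified model of the double-encoding bypass (CVE-2021-42013) and a
hardened alias resolver. Added example; this is not Apache's own code, and
ALIAS_ROOT and PREFIX are constructed sample values."""
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

ALIAS_ROOT = PurePosixPath("/usr/lib/cgi-bin")  # constructed ScriptAlias target
PREFIX = "/cgi-bin/"


def has_dot_segment(path: str) -> bool:
    """True if any "/"-separated segment of the path is "." or ".."."""
    return any(seg in (".", "..") for seg in path.split("/"))


def single_decode_check(request_path: str) -> bool:
    """Models an insufficient check: decode once, then reject dot-segments.
    It catches ".%2e/" (one decode already gives "../") but not ".%%32%65/",
    which a single pass turns only into ".%2e/". Returns True when allowed."""
    return not has_dot_segment(unquote(request_path))


def later_handler_decodes(request_path: str) -> str:
    """The path as seen by a downstream component that decodes a second time."""
    return unquote(unquote(request_path))


def full_decode(s: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing, so nested encodings
    such as "%%32%65" -> "%2e" -> "." collapse to their final form."""
    for _ in range(max_rounds):
        nxt = unquote(s)
        if nxt == s:
            return s
        s = nxt
    raise ValueError("too many encoding layers")


def resolve_alias(request_path: str) -> Optional[PurePosixPath]:
    """Hardened mapping of PREFIX + rest onto ALIAS_ROOT: decode fully first,
    reject any dot-segment, and return None when the request would escape."""
    decoded = full_decode(request_path)
    if not decoded.startswith(PREFIX) or has_dot_segment(decoded):
        return None
    parts = [p for p in decoded[len(PREFIX):].split("/") if p]
    return ALIAS_ROOT.joinpath(*parts)
```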

As for exploiting the vulnerability for code execution, this is possible if mod_cgi is enabled and a base path is used in which CGI scripts are allowed to run (for example, if the ScriptAlias directive is enabled or the ExecCGI flag is set in the Options directive).

It is also mentioned that a prerequisite for a successful attack is that the Apache configuration explicitly grants access to directories containing executable files, such as /bin, or to the root of the filesystem "/". Since such access is not normally granted, the code-execution attack has little practical value against real systems.

At the same time, the attack that retrieves the contents of arbitrary system files and the source code of web scripts readable by the user under which the HTTP server runs remains relevant. To carry out such an attack, it is enough that the site has a directory configured with the "Alias" or "ScriptAlias" directives (DocumentRoot is not enough), such as "cgi-bin".

Beyond this, it is mentioned that the problem mainly affects continuously updated distributions (rolling releases) such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports.

Meanwhile, Linux distributions that ship the stable server branches, such as Debian, RHEL, Ubuntu and SUSE, are not vulnerable. The problem does not manifest when access to the directories is explicitly denied with the "require all denied" setting.

It is also worth noting that on October 6-7, Cloudflare recorded more than 300 attempts per day to exploit the vulnerability CVE-2021-41773. Most of the time, as the result of automated attacks, they requested the contents of "/cgi-bin/.%2e/.git/config", "/cgi-bin/.%2e/app/etc/local.xml", "/cgi-bin/.%2e/app/etc/env.php" and "/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd".

The problem manifests only in versions 2.4.49 and 2.4.50; earlier versions are not affected. To fix the new variant of the vulnerability, the Apache httpd 2.4.51 release was quickly prepared.

Finally, if you are interested in learning more about it, you can check the details at the following link.
