Vulnerability found in the Apache HTTP Server

Recently, news broke that a new attack vector had been found against the Apache HTTP Server: one that remained unpatched in the 2.4.50 update and that allows access to files in areas outside the site's root directory.

In addition, the researchers found a way in which, given certain non-standard configurations, it is possible not only to read system files but also to run code remotely on the server.

The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the usual default "require all denied" configuration, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Essentially, the new problem (already registered as CVE-2021-42013) is entirely analogous to the original vulnerability (CVE-2021-41773) in 2.4.49; the only difference lies in a different encoding of the characters.

Specifically, in version 2.4.50 the ability to use the sequence "%2e" to encode a dot was blocked, but the possibility of double encoding was missed: by specifying the sequence "%%32%65", the server decoded it into "%2e" and then into ".", so the characters "../" used to move up to the parent directory could be written as ".%%32%65/".

Both CVEs are practically the same path traversal vulnerability (the second being the incomplete fix of the first). The path traversal only works from a mapped URI (for example, through the Apache "Alias" or "ScriptAlias" directives); DocumentRoot alone is not enough.

As for exploitation through code execution, this is possible if mod_cgi is enabled and the base path used is one in which CGI scripts are allowed to run (for example, if the ScriptAlias directive is enabled, or if the ExecCGI flag is specified in the Options directive).

It is also stated that a prerequisite for a successful attack is that the Apache configuration explicitly grants access to directories containing executable files, such as /bin, or to the root of the filesystem, "/". Since such access is not normally granted, the code execution attack is of little use against real systems.

At the same time, the attack that retrieves the contents of arbitrary system files and the source code of web scripts that are readable by the user the http server runs as remains relevant. To carry out such an attack, it is enough to have a directory on the site configured using the "Alias" or "ScriptAlias" directives (DocumentRoot is not enough), such as "cgi-bin".

Furthermore, it is noted that the problem mainly affects continuously updated distributions (rolling releases) such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports.

By contrast, Linux distributions based on the stable branches of server distributions such as Debian, RHEL, Ubuntu and SUSE are not vulnerable. The problem does not occur if access to directories is explicitly denied using the "require all denied" setting.
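As an added illustration (not configuration from the article or from the Apache project), the fragment below shows the weak shape the article warns about, a filesystem root that has been opened up, next to the default-deny shape that the article says keeps the traversal from succeeding. The filesystem paths are placeholders; on a real server, the 2.4.51 upgrade is still the actual fix, and this access control is the layer that limits what an escaped request can reach.

```apache
# Weak (illustrative): opening the filesystem root. With this, a request that
# escapes an aliased directory can read anything the httpd user can read,
# which is exactly the situation the article describes as exploitable.
#
# <Directory />
#     Require all granted
# </Directory>

# Hardened: deny everything by default (this is the shape of the stock httpd
# 2.4 configuration), then grant only the directories that should be served.
<Directory />
    AllowOverride none
    Require all denied
</Directory>

# Placeholder document root for this example.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Require all granted
</Directory>

# An aliased directory, the kind of starting point the article says the
# traversal needs. It is granted on its own; because "/" is denied above,
# a path that normalises to somewhere outside it is refused.
ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
```

The point to check on an existing server is whether any `<Directory>` block for `/`, `/bin` or a similar broad path carries `Require all granted`; if so, that block, not the alias, is what turns a traversal into a file read.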

It is also worth mentioning that on October 6 and 7, Cloudflare recorded more than 300 thousand attempts per day to exploit the CVE-2021-41773 vulnerability. In most cases, as a result of automated attacks, the requests asked for the contents of "/cgi-bin/.%2e/.git/config", "/cgi-bin/.%2e/app/etc/local.xml", "/cgi-bin/.%2e/app/etc/env.php" and "/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd".
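The following is an added example, written for this page and not code from the article, from Cloudflare or from the Apache project. It scans a constructed sample of Apache access-log lines (the request paths are the ones the article reports; the IPs, timestamps and status codes are made up) and flags requests to an aliased prefix whose decoded, normalised path leaves that prefix. It deliberately percent-decodes more than once, so that the double-encoded `.%%32%65` form the article describes for 2.4.50 is caught as well as the single-encoded `.%2e` form, and it keeps the intermediate forms so the decoding chain can be shown. The prefix `/cgi-bin/` and the log format are assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample log (Apache combined format). The hostile paths are the
# ones the article says Cloudflare observed; the rest of each line is made up.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%2e/.git/config HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.5 - - [06/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/app/etc/local.xml HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.5 - - [06/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%2e/app/etc/env.php HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.5 - - [06/Oct/2021:10:00:04 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 196 "-" "curl/7.68.0"
198.51.100.9 - - [07/Oct/2021:11:30:00 +0000] "GET /cgi-bin/.%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 404 196 "-" "python-requests/2.26"
192.0.2.44 - - [07/Oct/2021:11:31:00 +0000] "GET /cgi-bin/search.cgi?q=a%2eb HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Oct/2021:11:32:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP and request target from a combined-format line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def decode_rounds(path, max_rounds=3):
    """Percent-decode repeatedly until the string stops changing.

    Returns every intermediate form, so ".%%32%65/" is seen to become
    ".%2e/" and then "../". A server should decode once; the detector
    decodes more than once precisely to see what a lenient server would.
    """
    forms = [path]
    for _ in range(max_rounds):
        nxt = unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def normalised_target(path):
    """Fully decoded and dot-segment-normalised form of a request path."""
    return posixpath.normpath(decode_rounds(path)[-1])


def is_traversal(path, prefix="/cgi-bin/"):
    """True if a request aimed at `prefix` resolves to a path outside it."""
    if not path.startswith(prefix):
        return False          # not a request into the aliased directory
    final = normalised_target(path)
    # Append "/" so that a request for exactly the prefix is not flagged.
    return not (final + "/").startswith(prefix)


def scan_log(text, prefix="/cgi-bin/"):
    """Return (ip, raw_path, resolved_path) for every traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("target").split("?", 1)[0]   # drop the query string
        if is_traversal(raw, prefix):
            hits.append((m.group("ip"), raw, normalised_target(raw)))
    return hits


if __name__ == "__main__":
    for ip, raw, resolved in scan_log(SAMPLE_LOG):
        print(f"{ip}  {raw}  ->  {resolved}")
```

Matching on the decoded and normalised result, rather than on the literal string `%2e`, is what makes the check survive the encoding change between the two CVEs: a rule written for `.%2e/` alone would have missed the `.%%32%65/` traffic the article describes.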

The problem only appears in versions 2.4.49 and 2.4.50; earlier versions are not affected. To fix the new variant of the vulnerability, the Apache httpd 2.4.51 release was put together quickly.

Finally, if you are interested in learning more about it, you can consult the details in the following link.

