漏洞信息详情
Apache mod_digest 客户端提供 nonce 验证不足漏洞
- CNNVD编号:CNNVD-200403-045
- 危害等级: 高危
- CVE编号:
CVE-2003-0987
- 漏洞类型:
未知
- 发布时间:
2003-07-18
- 威胁类型:
远程
- 更新时间:
2005-10-20
- 厂 商:
apache
- 漏洞来源:
Dirk-Willem van Gu… -
漏洞简介
Apache是一款流行的WEB服务程序。
Apache mod_digest 模块没有充分验证客户端在 Digest 认证应答中回送的 nonce 值(服务器不检查该 nonce 是否由自己生成),远程攻击者可以利用这个漏洞重放从其他站点截获的认证应答。
该漏洞只有在攻击者控制(或截获流量)的站点与目标服务器上的用户名、密码以及认证域(realm)都相同的情况下才能被利用,这种情况比较少见。
漏洞公告
临时解决方法:
如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
* 如果不需要 mod_digest 模块,就关闭此模块;或者改用 mod_auth_digest 模块代替。
厂商补丁:
Apache Software Foundation
————————–
Apache 1.3.30的参考补丁:
Index: include/http_core.h
===================================================================
RCS file: /home/cvs/apache-1.3/src/include/http_core.h,v
retrieving revision 1.71
diff -u -r1.71 http_core.h
— include/http_core.h 7 Jul 2003 00:34:09 -0000 1.71
+++ include/http_core.h 18 Dec 2003 17:30:29 -0000
@@ -162,6 +162,7 @@
API_EXPORT(const char *) ap_auth_type (request_rec *);
API_EXPORT(const char *) ap_auth_name (request_rec *);
+API_EXPORT(const char *) ap_auth_nonce (request_rec *);
API_EXPORT(int) ap_satisfies (request_rec *r);
API_EXPORT(const array_header *) ap_requires (request_rec *);
@@ -244,6 +245,7 @@
int satisfy;
char *ap_auth_type;
char *ap_auth_name;
+ char *ap_auth_nonce; /* digest auth */
array_header *ap_requires;
/* Custom response config. These can contain text or a URL to redirect to.
Index: main/http_core.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
retrieving revision 1.327
diff -u -r1.327 http_core.c
— main/http_core.c 17 Nov 2003 17:14:53 -0000 1.327
+++ main/http_core.c 18 Dec 2003 17:30:30 -0000
@@ -236,6 +236,9 @@
if (new->ap_auth_name) {
conf->ap_auth_name = new->ap_auth_name;
}
+ if (new->ap_auth_nonce) {
+ conf->ap_auth_nonce= new->ap_auth_nonce;
+ }
if (new->ap_requires) {
conf->ap_requires = new->ap_requires;
}
@@ -577,6 +580,29 @@
return conf->ap_auth_name;
}
+API_EXPORT(const char *) ap_auth_nonce(request_rec *r)
+{
+ core_dir_config *conf;
+ conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
+ &core_module);
+ if (conf->ap_auth_nonce)
+ return conf->ap_auth_nonce;
+
+ /* Ideally we’d want to mix in some per-directory style
+ * information; as we are likely to want to detect replay
+ * across those boundaries and some randomness. But that
+ * is harder due to the adhoc nature of .htaccess memory
+ * structures, restarts and forks.
+ *
+ * But then again – you should use AuthNonce in your config
+ * file if you care. So the adhoc value should do.
+ */
+ return ap_psprintf(r->pool,”%lu%lu%lu%lu%lu%s”,
+ *(unsigned long *)&((r->connection->local_addr).sin_addr ),
+ ap_user_name, ap_listeners, ap_server_argv0, ap_pid_fname
+ );
+}
+
API_EXPORT(const char *) ap_default_type(request_rec *r)
{
core_dir_config *conf;
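Review bot: The ap_psprintf call at the end of ap_auth_nonce has six conversions (`"%lu%lu%lu%lu%lu%s"`) but only five arguments, so the trailing `%s` reads a vararg that was never passed — undefined behaviour that can crash the child or copy stack garbage into the nonce prefix; drop the `%s` (or supply the argument that was meant to go there). The three `char *` globals are also formatted with `%lu`, so what gets mixed in is their addresses rather than their contents, and `*(unsigned long *)&sin_addr` is a type-punned read; formatting them as pointers (`%p`) and copying the address bytes with memcpy would be both correct and clearer. None of these inputs is secret — the local address is known to the client and the pointer values are fixed for a given binary — so this default only distinguishes servers, it does not make the nonce unpredictable; the comment already concedes this, and the AuthNonce directive should be documented as the real fix rather than an optional nicety.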
@@ -2797,6 +2823,28 @@
return NULL;
}
+/*
+ * Load an authorisation nonce into our location configuration, and
+ * force it to be in the 0-9/A-Z realm.
+ */
+static const char *set_authnonce (cmd_parms *cmd, void *mconfig, char *word1)
+{
+ core_dir_config *aconfig = (core_dir_config *)mconfig;
+ int i;
+
+ aconfig->ap_auth_nonce = ap_escape_quotes(cmd->pool, word1);
+
+ if (strlen(aconfig->ap_auth_nonce) > 510)
+ return “AuthNonce lenght limited to 510 chars for browser
compatibility”;
+
+ for(i=0;i
+ if (!ap_isalnum(aconfig->ap_auth_nonce [i]))
+ return “AuthNonce limited to 0-9 and A-Z range for browser
compatibilty”;
+
+ return NULL;
+}
+
+
#ifdef _OSD_POSIX /* BS2000 Logon Passwd file */
static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char *name)
{
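Review bot: set_authnonce stores the value into `aconfig->ap_auth_nonce` before the length and character checks run, so a rejected directive still leaves the (escaped) bad value in the per-directory config; validate `word1` first and assign only once it passes. The condition of the validation loop is truncated in this listing (`for(i=0;i`), so the bound it iterates to cannot be checked here — presumably the string length. The user-facing error strings carry typos, `lenght` → `length` and `compatibilty` → `compatibility`, and since the value must be alphanumeric there is nothing for `ap_escape_quotes` to escape, so a plain `ap_pstrdup` would state the intent better.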
@@ -3411,6 +3459,9 @@
“An HTTP authorization type (e.g., \”Basic\”)” },
{ “AuthName”, set_authname, NULL, OR_AUTHCFG, TAKE1,
“The authentication realm (e.g. \”Members Only\”)” },
+{ “AuthNonce”, set_authnonce, NULL, OR_AUTHCFG, TAKE1,
+ “An authentication token which should be different for each logical realm. “\
+ “A random value or the servers IP may be a good choise.\n” },
{ “Require”, require, NULL, OR_AUTHCFG, RAW_ARGS,
“Selects which authenticated users or groups may access a protected space” },
{ “Satisfy”, satisfy, NULL, OR_AUTHCFG, TAKE1,
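Review bot: The AuthNonce help text recommends the server's IP, but this value is the only secret mixed into the MD5 nonce prefix and the IP is visible to every client, so the text should steer administrators to an unpredictable random string instead. It should presumably also say that every server or worker answering for the same realm must be configured with the same value, otherwise a nonce issued by one cannot be verified by another. Typos in the same string: `choise` → `choice`, `servers IP` → `server's IP`.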
Index: main/http_protocol.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.330
diff -u -r1.330 http_protocol.c
— main/http_protocol.c 3 Feb 2003 17:13:22 -0000 1.330
+++ main/http_protocol.c 18 Dec 2003 17:30:32 -0000
@@ -76,6 +76,7 @@
#include “util_date.h” /* For parseHTTPdate and BAD_DATE */
#include
#include “http_conf_globals.h”
+#include “util_md5.h” /* For digestAuth */
#define SET_BYTES_SENT(r) \
do { if (r->sent_bodyct) \
@@ -1391,11 +1392,24 @@
API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
{
+ /* We need to create a nonce which:
+ * a) changes all the time (see r->request_time)
+ * below and
+ * b) of which we can verify that it is our own
+ * fairly easily when it comes to veryfing
+ * the digest coming back in the response.
+ * c) and which as a whole should not
+ * be unlikely to be in use anywhere else.
+ */
+ char * nonce_prefix = ap_md5(r->pool,
+ ap_psprintf(r->pool, “%s%lu”,
+ ap_auth_nonce(r), r->request_time));
+
ap_table_setn(r->err_headers_out,
r->proxyreq == STD_PROXY ? “Proxy-Authenticate”
参考网址
来源: XF
名称: apache-moddigest-response-replay(15041)
链接:http://xforce.iss.net/xforce/xfdb/15041
来源: BID
名称: 9571
链接:http://www.securityfocus.com/bid/9571
来源: www.mail-archive.com
链接:http://www.mail-archive.com/dev@httpd.apache.org/msg19007.html
来源: BUGTRAQ
名称: 20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=108437852004207&w=2
来源: TRUSTIX
名称: 2004-0027
链接:http://www.trustix.org/errata/2004/0027
来源: REDHAT
名称: RHSA-2004:600
链接:http://www.redhat.com/support/errata/RHSA-2004-600.html
来源: www.mail-archive.com
链接:http://www.mail-archive.com/dev@httpd.apache.org/msg19014.html
来源: GENTOO
名称: GLSA-200405-22
链接:http://security.gentoo.org/glsa/glsa-200405-22.xml
来源: SLACKWARE
名称: SSA:2004-133
链接:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643
来源: REDHAT
名称: RHSA-2005:816
链接:http://www.redhat.com/support/errata/RHSA-2005-816.html
来源: MANDRAKE
名称: MDKSA-2004:046
链接:http://www.mandriva.com/security/advisories?name=MDKSA-2004:046
来源: SUNALERT
名称: 57628
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1
来源: SUNALERT
名称: 101841
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1
来源: SUNALERT
名称: 101555
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1
来源: SECTRACK
名称: 1008920
链接:http://securitytracker.com/id?1008920
来源: US Government Resource: oval:org.mitre.oval:def:4416
名称: oval:org.mitre.oval:def:4416
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4416
来源: US Government Resource: oval:org.mitre.oval:def:100108
名称: oval:org.mitre.oval:def:100108
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:100108