漏洞信息详情
Apache mod_digest客户提供Nonce确认漏洞
- CNNVD编号:CNNVD-200402-019
- 危害等级: 高危
- CVE编号: CVE-2004-1082
- 漏洞类型: 访问验证错误
- 发布时间: 2003-07-18
- 威胁类型: 远程
- 更新时间: 2006-08-31
- 厂 商: sun
- 漏洞来源: Dirk-Willem van Gu...
漏洞简介
Apache是一款流行的WEB服务程序。 Apache mod_digest模块没有充分验证针对用户提供的nonces信息,远程攻击者可以利用这个漏洞可以从其他站点伪造应答信息。 这个漏洞只有在伪造站和服务器上的用户的用户名密码相同,及实际名也相同的情况下产生,不过这种情况比较少。
漏洞公告
临时解决方法: 如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
* 如果不需要mod_digest模块,就关闭此模块,或者使用mod_auth_digest代替。 厂商补丁: Apache Software Foundation -------------------------- Apache 1.3.30的参考补丁:
Index: include/http_core.h
===================================================================
RCS file: /home/cvs/apache-1.3/src/include/http_core.h,v
retrieving revision 1.71
diff -u -r1.71 http_core.h
--- include/http_core.h 7 Jul 2003 00:34:09 -0000 1.71
+++ include/http_core.h 18 Dec 2003 17:30:29 -0000
@@ -162,6 +162,7 @@
API_EXPORT(const char *) ap_auth_type (request_rec *);
API_EXPORT(const char *) ap_auth_name (request_rec *);
+API_EXPORT(const char *) ap_auth_nonce (request_rec *);
API_EXPORT(int) ap_satisfies (request_rec *r);
API_EXPORT(const array_header *) ap_requires (request_rec *);
@@ -244,6 +245,7 @@
int satisfy;
char *ap_auth_type;
char *ap_auth_name;
+ char *ap_auth_nonce; /* digest auth */
array_header *ap_requires;
/* Custom response config. These can contain text or a URL to redirect to.
Index: main/http_core.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
retrieving revision 1.327
diff -u -r1.327 http_core.c
--- main/http_core.c 17 Nov 2003 17:14:53 -0000 1.327
+++ main/http_core.c 18 Dec 2003 17:30:30 -0000
@@ -236,6 +236,9 @@
if (new->ap_auth_name) {
conf->ap_auth_name = new->ap_auth_name;
}
+ if (new->ap_auth_nonce) {
+ conf->ap_auth_nonce= new->ap_auth_nonce;
+ }
if (new->ap_requires) {
conf->ap_requires = new->ap_requires;
}
@@ -577,6 +580,29 @@
return conf->ap_auth_name;
}
+API_EXPORT(const char *) ap_auth_nonce(request_rec *r)
+{
+ core_dir_config *conf;
+ conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
+ &core_module);
+ if (conf->ap_auth_nonce)
+ return conf->ap_auth_nonce;
+
+ /* Ideally we'd want to mix in some per-directory style
+ * information; as we are likely to want to detect replay
+ * across those boundaries and some randomness. But that
+ * is harder due to the adhoc nature of .htaccess memory
+ * structures, restarts and forks.
+ *
+ * But then again - you should use AuthNonce in your config
+ * file if you care. So the adhoc value should do.
+ */
+ return ap_psprintf(r->pool,"%lu%lu%lu%lu%lu%s",
+ *(unsigned long *)&((r->connection->local_addr).sin_addr ),
+ ap_user_name, ap_listeners, ap_server_argv0, ap_pid_fname
+ );
+}
+
API_EXPORT(const char *) ap_default_type(request_rec *r)
{
core_dir_config *conf;
@@ -2797,6 +2823,28 @@
return NULL;
}
+/*
+ * Load an authorisation nonce into our location configuration, and
+ * force it to be in the 0-9/A-Z realm.
+ */
+static const char *set_authnonce (cmd_parms *cmd, void *mconfig, char *word1)
+{
+ core_dir_config *aconfig = (core_dir_config *)mconfig;
+ int i;
+
+ aconfig->ap_auth_nonce = ap_escape_quotes(cmd->pool, word1);
+
+ if (strlen(aconfig->ap_auth_nonce) > 510)
+ return "AuthNonce lenght limited to 510 chars for browser
compatibility";
+
+ for(i=0;i
+ if (!ap_isalnum(aconfig->ap_auth_nonce [i]))
+ return "AuthNonce limited to 0-9 and A-Z range for browser
compatibilty";
+
+ return NULL;
+}
+
+
#ifdef _OSD_POSIX /* BS2000 Logon Passwd file */
static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char *name)
{
@@ -3411,6 +3459,9 @@
"An HTTP authorization type (e.g., \"Basic\")" },
{ "AuthName", set_authname, NULL, OR_AUTHCFG, TAKE1,
"The authentication realm (e.g. \"Members Only\")" },
+{ "AuthNonce", set_authnonce, NULL, OR_AUTHCFG, TAKE1,
+ "An authentication token which should be different for each logical realm. "\
+ "A random value or the servers IP may be a good choise.\n" },
{ "Require", require, NULL, OR_AUTHCFG, RAW_ARGS,
"Selects which authenticated users or groups may access a protected space" },
{ "Satisfy", satisfy, NULL, OR_AUTHCFG, TAKE1,
Index: main/http_protocol.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.330
diff -u -r1.330 http_protocol.c
--- main/http_protocol.c 3 Feb 2003 17:13:22 -0000 1.330
+++ main/http_protocol.c 18 Dec 2003 17:30:32 -0000
@@ -76,6 +76,7 @@
#include "util_date.h" /* For parseHTTPdate and BAD_DATE */
#include
#include "http_conf_globals.h"
+#include "util_md5.h" /* For digestAuth */
#define SET_BYTES_SENT(r) \
do { if (r->sent_bodyct) \
@@ -1391,11 +1392,24 @@
API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
{
+ /* We need to create a nonce which:
+ * a) changes all the time (see r->request_time)
+ * below and
+ * b) of which we can verify that it is our own
+ * fairly easily when it comes to veryfing
+ * the digest coming back in the response.
+ * c) and which as a whole should not
+ * be unlikely to be in use anywhere else.
+ */
+ char * nonce_prefix = ap_md5(r->pool,
+ ap_psprintf(r->pool, "%s%lu",
+ ap_auth_nonce(r), r->request_time));
+
ap_table_setn(r->err_headers_out,
r->proxyreq == STD_PROXY ? "Proxy-Authenticate"
&n
参考网址
来源: XF 名称: macos-moddigest-response-replay(18347) 链接:http://xforce.iss.net/xforce/xfdb/18347 来源: SECTRACK 名称: 1012414 链接:http://www.securitytracker.com/alerts/2004/Dec/1012414.HTML 来源: BID 名称: 9571 链接:http://www.securityfocus.com/bid/9571 来源: CIAC 名称: P-049 链接:http://www.ciac.org/ciac/bulletins/p-049.sHTML 来源: CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple 名称: CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple-SA-2004-12-02 链接:http://lists.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com/archives/security-announce/2004/Dec/msg00000.HTML
受影响实体
- Sun Solaris:9.0:X86
- Sun Solaris:8.0
- Sun Solaris:8.0:X86
- Sun Solaris:9.0:Sparc
补丁
暂无
评论