CVE-2004-1082
CVSS 7.5
Published: 2004-02-03 00:00:00
Revised: 2008-09-05 16:40:19

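[Original] mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does not properly verify the nonce of a client response, which allows remote attackers to replay credentials.


[CNNVD] Apache mod_digest Client-Supplied Nonce Verification Vulnerability (CNNVD-200402-019)

        
        Apache is a popular web server program.
        The Apache mod_digest module does not adequately verify the nonces supplied by the client, so a remote attacker can exploit this vulnerability to forge a response using one obtained from another site.
        The vulnerability arises only when the user's username and password are the same on the forged site and on the server and the realm name is also the same, which is relatively rare.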
        

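- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)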

cpe:/o:sun:solaris:8.0
cpe:/o:sco:openserver:5.0.7
cpe:/a:apache:http_server:1.3.19  Apache Software Foundation Apache HTTP Server 1.3.19
cpe:/a:apache:http_server:1.3.11  Apache Software Foundation Apache HTTP Server 1.3.11
cpe:/a:apache:http_server:1.3  Apache Software Foundation Apache HTTP Server 1.3
cpe:/a:hp:virtualvault:4.5  HP VirtualVault 4.5
cpe:/a:apache:http_server:1.3.24  Apache Software Foundation Apache HTTP Server 1.3.24
cpe:/o:sun:solaris:9.0::sparc
cpe:/a:avaya:intuity_audix_lx  Avaya Intuity LX
cpe:/a:avaya:communication_manager:2.0.1  Avaya Communication Manager 2.0.1
cpe:/a:avaya:communication_manager:1.3.1  Avaya Communication Manager 1.3.1
cpe:/a:apache:http_server:1.3.28  Apache Software Foundation Apache HTTP Server 1.3.28
cpe:/a:apache:http_server:1.3.12  Apache Software Foundation Apache HTTP Server 1.3.12
cpe:/a:hp:virtualvault:4.7  HP VirtualVault 4.7
cpe:/a:apache:http_server:1.3.26  Apache Software Foundation Apache HTTP Server 1.3.26
cpe:/a:hp:virtualvault:4.6  HP VirtualVault 4.6
cpe:/a:hp:webproxy:a.02.10  HP Webproxy A.02.10
cpe:/a:apache:http_server:1.3.27  Apache Software Foundation Apache HTTP Server 1.3.27
cpe:/a:avaya:communication_manager:1.1  Avaya Communication Manager 1.1
cpe:/o:openbsd:openbsd:3.4  OpenBSD 3.4
cpe:/a:apache:http_server:1.3.14  Apache Software Foundation Apache HTTP Server 1.3.14
cpe:/a:avaya:mn100  Avaya MN100
cpe:/a:apple:apache_mod_digest_apple  Apple mod_digest_apple
cpe:/a:apache:http_server:1.3.1  Apache Software Foundation Apache HTTP Server 1.3.1
cpe:/a:apache:http_server:1.3.29  Apache Software Foundation Apache HTTP Server 1.3.29
cpe:/a:apache:http_server:1.3.9  Apache Software Foundation Apache HTTP Server 1.3.9
cpe:/o:sun:solaris:9.0::x86
cpe:/a:apache:http_server:1.3.4  Apache Software Foundation Apache HTTP Server 1.3.4
cpe:/a:apache:http_server:1.3.6  Apache Software Foundation Apache HTTP Server 1.3.6
cpe:/o:avaya:modular_messaging_message_storage_server:2.0
cpe:/a:apache:http_server:1.3.18  Apache Software Foundation Apache HTTP Server 1.3.18
cpe:/a:apache:http_server:1.3.17  Apache Software Foundation Apache HTTP Server 1.3.17
cpe:/a:apache:http_server:1.3.22  Apache Software Foundation Apache HTTP Server 1.3.22
cpe:/a:hp:webproxy:a.02.00  HP Webproxy A.02.00
cpe:/a:apache:http_server:1.3.20  Apache Software Foundation Apache HTTP Server 1.3.20
cpe:/o:sco:openserver:5.0.6
cpe:/a:avaya:communication_manager:2.0  Avaya Communication Manager 2.0
cpe:/o:openbsd:openbsd:current
cpe:/o:avaya:modular_messaging_message_storage_server:1.1
cpe:/a:apache:http_server:1.3.25  Apache Software Foundation Apache HTTP Server 1.3.25
cpe:/a:apache:http_server:1.3.3  Apache Software Foundation Apache HTTP Server 1.3.3
cpe:/o:openbsd:openbsd:3.5  OpenBSD 3.5
cpe:/o:sun:solaris:8.0::x86
cpe:/a:ibm:http_server:1.3.19  IBM IBM HTTP Server 1.3.19
cpe:/a:apache:http_server:1.3.7::dev
cpe:/a:avaya:network_routing  Avaya Network Routing
cpe:/a:apache:http_server:1.3.23  Apache Software Foundation Apache HTTP Server 1.3.23

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1082
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1082
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200402-019
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/18347
(VENDOR_ADVISORY)  XF  macos-moddigest-response-replay(18347)
http://www.securitytracker.com/alerts/2004/Dec/1012414.html
(VENDOR_ADVISORY)  SECTRACK  1012414
http://www.securityfocus.com/bid/9571
(VENDOR_ADVISORY)  BID  9571
http://www.ciac.org/ciac/bulletins/p-049.shtml
(VENDOR_ADVISORY)  CIAC  P-049
http://lists.apple.com/archives/security-announce/2004/Dec/msg00000.html
(VENDOR_ADVISORY)  APPLE  APPLE-SA-2004-12-02

- Vulnerability information

Apache mod_digest Client-Supplied Nonce Verification Vulnerability
High risk  Access validation error
2004-02-03 00:00:00 2006-08-31 00:00:00
Remote  
        
        

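- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the risk:
        * If the mod_digest module is not needed, disable it, or use mod_auth_digest instead.
        Vendor patch:
        Apache Software Foundation
        --------------------------
        Reference patch for Apache 1.3.30: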
        Index: include/http_core.h
        ===================================================================
        RCS file: /home/cvs/apache-1.3/src/include/http_core.h,v
        retrieving revision 1.71
        diff -u -r1.71 http_core.h
        --- include/http_core.h 7 Jul 2003 00:34:09 -0000 1.71
        +++ include/http_core.h 18 Dec 2003 17:30:29 -0000
        @@ -162,6 +162,7 @@
         API_EXPORT(const char *) ap_auth_type (request_rec *);
         API_EXPORT(const char *) ap_auth_name (request_rec *);
        +API_EXPORT(const char *) ap_auth_nonce (request_rec *);
         API_EXPORT(int) ap_satisfies (request_rec *r);
         API_EXPORT(const array_header *) ap_requires (request_rec *);
        @@ -244,6 +245,7 @@
         int satisfy;
         char *ap_auth_type;
         char *ap_auth_name;
        + char *ap_auth_nonce; /* digest auth */
         array_header *ap_requires;
         /* Custom response config. These can contain text or a URL to redirect to.
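        Review bot: ap_auth_nonce is inserted between ap_auth_name and ap_requires in the per-directory config struct, which shifts the offset of ap_requires and every member after it. Because the struct is declared in a public header (include/http_core.h), modules built against the old layout would read the wrong fields; consider appending the member at the end of the struct or bumping the module magic number in the same change.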
        Index: main/http_core.c
        ===================================================================
        RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
        retrieving revision 1.327
        diff -u -r1.327 http_core.c
        --- main/http_core.c 17 Nov 2003 17:14:53 -0000 1.327
        +++ main/http_core.c 18 Dec 2003 17:30:30 -0000
        @@ -236,6 +236,9 @@
         if (new->ap_auth_name) {
         conf->ap_auth_name = new->ap_auth_name;
         }
        + if (new->ap_auth_nonce) {
        + conf->ap_auth_nonce= new->ap_auth_nonce;
        + }
         if (new->ap_requires) {
         conf->ap_requires = new->ap_requires;
         }
        @@ -577,6 +580,29 @@
         return conf->ap_auth_name;
         }
        +API_EXPORT(const char *) ap_auth_nonce(request_rec *r)
        +{
        + core_dir_config *conf;
        + conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
        + &core_module);
        + if (conf->ap_auth_nonce)
        + return conf->ap_auth_nonce;
        +
        + /* Ideally we'd want to mix in some per-directory style
        + * information; as we are likely to want to detect replay
        + * across those boundaries and some randomness. But that
        + * is harder due to the adhoc nature of .htaccess memory
        + * structures, restarts and forks.
        + *
        + * But then again - you should use AuthNonce in your config
        + * file if you care. So the adhoc value should do.
        + */
        + return ap_psprintf(r->pool,"%lu%lu%lu%lu%lu",
        + *(unsigned long *)&((r->connection->local_addr).sin_addr ),
        + ap_user_name, ap_listeners, ap_server_argv0, ap_pid_fname
        + );
        +}
        +
         API_EXPORT(const char *) ap_default_type(request_rec *r)
         {
         core_dir_config *conf;
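        Review bot: in the fallback ap_psprintf at the end of ap_auth_nonce(), the format has five %lu conversions, but the last four arguments (ap_user_name, ap_listeners, ap_server_argv0, ap_pid_fname) look like pointers and strings rather than unsigned long values, so the output is built from addresses instead of contents, and the call is undefined wherever a pointer and an unsigned long differ in size. The first argument, *(unsigned long *)&((r->connection->local_addr).sin_addr ), also reads a full unsigned long out of the address field, which over-reads on platforms where unsigned long is wider than an IPv4 address. Format the strings with %s and copy the address into a correctly sized integer. None of these inputs is random, so the advice in the comment to set AuthNonce belongs in the directive documentation, not only in this comment.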
        @@ -2797,6 +2823,28 @@
         return NULL;
         }
        +/*
        + * Load an authorisation nonce into our location configuration, and
        + * force it to be in the 0-9/A-Z realm.
        + */
        +static const char *set_authnonce (cmd_parms *cmd, void *mconfig, char *word1)
        +{
        + core_dir_config *aconfig = (core_dir_config *)mconfig;
        + int i;
        +
        + aconfig->ap_auth_nonce = ap_escape_quotes(cmd->pool, word1);
        +
        + if (strlen(aconfig->ap_auth_nonce) > 510)
        + return "AuthNonce lenght limited to 510 chars for browser
        compatibility";
        +
        + for(i=0;iap_auth_nonce );i++)
        + if (!ap_isalnum(aconfig->ap_auth_nonce [i]))
        + return "AuthNonce limited to 0-9 and A-Z range for browser
        compatibilty";
        +
        + return NULL;
        +}
        +
        +
         #ifdef _OSD_POSIX /* BS2000 Logon Passwd file */
         static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char *name)
         {
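        Review bot: set_authnonce() stores ap_escape_quotes(cmd->pool, word1) before validating it, and its block comment and error text promise "0-9 and A-Z" while the check is ap_isalnum(), which also admits lowercase letters. Validate word1 first (length, then character class) and store it only afterwards; with an alphanumeric-only rule the quote escaping becomes unnecessary. The two error strings misspell "length" and "compatibility" and should name the character set the code actually enforces.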
        @@ -3411,6 +3459,9 @@
         "An HTTP authorization type (e.g., \"Basic\")" },
         { "AuthName", set_authname, NULL, OR_AUTHCFG, TAKE1,
         "The authentication realm (e.g. \"Members Only\")" },
        +{ "AuthNonce", set_authnonce, NULL, OR_AUTHCFG, TAKE1,
        + "An authentication token which should be different for each logical realm. "\
        + "A random value or the servers IP may be a good choise.\n" },
         { "Require", require, NULL, OR_AUTHCFG, RAW_ARGS,
         "Selects which authenticated users or groups may access a protected space" },
         { "Satisfy", satisfy, NULL, OR_AUTHCFG, TAKE1,
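        Review bot: the AuthNonce help text recommends "the servers IP" as a value, but an IP address is publicly known and, per the fallback in ap_auth_nonce(), the local address is already mixed into the default, so setting it adds nothing over leaving the directive unset. Recommend a random per-realm value only, fix "choise", and drop the trailing \n, which the neighbouring AuthName and Require entries do not have.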
        Index: main/http_protocol.c
        ===================================================================
        RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
        retrieving revision 1.330
        diff -u -r1.330 http_protocol.c
        --- main/http_protocol.c 3 Feb 2003 17:13:22 -0000 1.330
        +++ main/http_protocol.c 18 Dec 2003 17:30:32 -0000
        @@ -76,6 +76,7 @@
         #include "util_date.h" /* For parseHTTPdate and BAD_DATE */
         #include
         #include "http_conf_globals.h"
        +#include "util_md5.h" /* For digestAuth */
         #define SET_BYTES_SENT(r) \
         do { if (r->sent_bodyct) \
        @@ -1391,11 +1392,24 @@
         API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
         {
        + /* We need to create a nonce which:
        + * a) changes all the time (see r->request_time)
        + * below and
        + * b) of which we can verify that it is our own
        + * fairly easily when it comes to veryfing
        + * the digest coming back in the response.
        + * c) and which as a whole should not
        + * be unlikely to be in use anywhere else.
        + */
        + char * nonce_prefix = ap_md5(r->pool,
        + ap_psprintf(r->pool, "%lu",
        + ap_auth_nonce(r), r->request_time));
        +
         ap_table_setn(r->err_headers_out,
         r->proxyreq == STD_PROXY ? "Proxy-Authenticate"
         &n
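        Review bot: the ap_psprintf call that builds nonce_prefix has a single %lu conversion but is given two arguments, ap_auth_nonce(r) and r->request_time. As written, the const char * returned by ap_auth_nonce() is consumed by %lu and r->request_time is ignored, so the prefix neither contains the configured AuthNonce text nor changes over time, contrary to points (a) and (c) of the comment above it. The format should consume both arguments, for example "%s%lu" with request_time cast to unsigned long. Point (c) of the comment also reads "should not be unlikely", a double negative that inverts the intended meaning.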

- Vulnerability information

12176
mod_digest_apple for Apache HTTP Server on Mac OS X Authentication Replay
Remote / Network Access Authentication Management, Cryptographic
Loss of Confidentiality, Loss of Integrity
Exploit Unknown

- Vulnerability description

Apache included with Mac OS X Server contains a flaw that may allow a malicious user to authenticate to the web server by replaying a successful valid login. The issue is triggered when mod_digest_apple fails to validate security tokens for the session. It is possible that the flaw may allow unauthorized access resulting in a loss of confidentiality and/or integrity.

- Timeline

2004-12-02 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

- Related references

- Vulnerability credit

Unknown or Incomplete
 

 
