CVE-2005-2963
CVSS7.5
发布时间 :2005-10-13 17:02:00
修订时间 :2008-09-05 16:53:06
NMCOPS    

[原文]The mod_auth_shadow module 1.0 through 1.5 and 2.0 for Apache with AuthShadow enabled uses shadow authentication for all locations that use the require group directive, even when other authentication mechanisms are specified, which might allow remote authenticated users to bypass security restrictions.


[CNNVD]Apache Mod_Auth_Shadow 认证绕过漏洞(CNNVD-200510-075)

        mod-auth-shadow是Apache HTTP Server用于认证/etc/shadow文件的模块。
        mod_auth_shadow module 1.0,1.5 到 2.0如果启用了AuthShadow的话,则mod_auth_shadow模块会对所有使用require group指令的位置都使用shadow认证,即使已经指定了其他的认证机制,这个允许远程认证用户绕过安全限制。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:mod_auth_shadow:mod_auth_shadow:2.0
cpe:/a:mod_auth_shadow:mod_auth_shadow:1.2
cpe:/a:mod_auth_shadow:mod_auth_shadow:1.3
cpe:/a:mod_auth_shadow:mod_auth_shadow:1.4
cpe:/a:mod_auth_shadow:mod_auth_shadow:1.1
cpe:/a:mod_auth_shadow:mod_auth_shadow:1.0
cpe:/a:mod_auth_shadow:mod_auth_shadow:1.5

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2963
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2963
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-075
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/22520
(PATCH)  XF  modauthshadow-require-group-bypass-security(22520)
http://www.debian.org/security/2005/dsa-844
(VENDOR_ADVISORY)  DEBIAN  DSA-844
http://secunia.com/advisories/17060/
(VENDOR_ADVISORY)  SECUNIA  17060
http://www.securityfocus.com/bid/15224
(UNKNOWN)  BID  15224
http://www.osvdb.org/19863
(UNKNOWN)  OSVDB  19863
http://secunia.com/advisories/17348
(UNKNOWN)  SECUNIA  17348
http://secunia.com/advisories/17067
(UNKNOWN)  SECUNIA  17067
http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:200
(UNKNOWN)  MANDRIVA  MDKSA-2005:200
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323789
(UNKNOWN)  MISC  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323789

- 漏洞信息

Apache Mod_Auth_Shadow 认证绕过漏洞
高危 设计错误
2005-10-13 00:00:00 2005-10-20 00:00:00
远程  
        mod-auth-shadow是Apache HTTP Server用于认证/etc/shadow文件的模块。
        mod_auth_shadow module 1.0,1.5 到 2.0如果启用了AuthShadow的话,则mod_auth_shadow模块会对所有使用require group指令的位置都使用shadow认证,即使已经指定了其他的认证机制,这个允许远程认证用户绕过安全限制。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://xforce.iss.net/xforce/xfdb/22520

- 漏洞信息 (F40456)

Debian Linux Security Advisory 844-1 (PacketStormID:F40456)
2005-10-06 00:00:00
Debian  security.debian.org
advisory,web
linux,debian
CVE-2005-2963
[点击下载]

Debian Security Advisory DSA 844-1 - A vulnerability in mod_auth_shadow, an Apache module that lets users perform HTTP authentication against /etc/shadow, has been discovered. The module runs for all locations that use the 'require group' directive which would bypass access restrictions controlled by another authorization mechanism, such as AuthGroupFile file, if the username is listed in the password file and in the gshadow file in the proper group and the supplied password matches against the one in the shadow file.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 844-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 5th, 2005                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mod-auth-shadow
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2963
Debian Bug     : 323789

A vulnerability in mod_auth_shadow, an Apache module that lets users
perform HTTP authentication against /etc/shadow, has been discovered.
The module runs for all locations that use the 'require group'
directive which would bypass access restrictions controlled by another
authorisation mechanism, such as AuthGroupFile file, if the username
is listed in the password file and in the gshadow file in the proper
group and the supplied password matches against the one in the shadow
file.

This update requires an explicit "AuthShadow on" statement if website
authentication should be checked against /etc/shadow.

For the old stable distribution (woody) this problem has been fixed in
version 1.3-3.1woody.2.

For the stable distribution (sarge) this problem has been fixed in
version 1.4-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 1.4-2.

We recommend that you upgrade your libapache-mod-auth-shadow package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.2.dsc
      Size/MD5 checksum:      628 78a6276d158c96247f87c2a82ad337c9
    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.2.diff.gz
      Size/MD5 checksum:     5818 e57059b3d026f4490e83ef48e7c64551
    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3.orig.tar.gz
      Size/MD5 checksum:     7476 3ad4432193ac603049ad0f2fa94f2054

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_alpha.deb
      Size/MD5 checksum:    12204 4f659abcf88fe710a35c09a24f6294d4

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_arm.deb
      Size/MD5 checksum:    11306 ed1b93be804e3233000e7bc9951ee836

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_i386.deb
      Size/MD5 checksum:    11334 a384bb22d08d3d8ad2ee76803517866f

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_ia64.deb
      Size/MD5 checksum:    13488 63798f86c1cd944d5f635890b1ae7edb

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_hppa.deb
      Size/MD5 checksum:    12048 cea187ef3898639b248c9b6f8b36e7a0

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_m68k.deb
      Size/MD5 checksum:    11302 8887098ee92b1be61470b8a00ac72df9

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_mips.deb
      Size/MD5 checksum:    11466 9846f15f1c98a3cbb01b12d8e8563d93

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_mipsel.deb
      Size/MD5 checksum:    11458 d2ae47a2320ef6a8b45aa2354c9eebe9

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_powerpc.deb
      Size/MD5 checksum:    11372 1ce0c98e16ea699726c0e45b98de5ec6

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_s390.deb
      Size/MD5 checksum:    11516 e92c004036842d0f6f79b0e5d9f64455

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_sparc.deb
      Size/MD5 checksum:    14484 524248ef32be0bffef4dcc147eece09b


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4-1sarge1.dsc
      Size/MD5 checksum:      618 8a413e53ca39d904d95dccd1b0705693
    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4-1sarge1.diff.gz
      Size/MD5 checksum:     5816 4b010699db55a2c3446e71cc4af6e167
    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4.orig.tar.gz
      Size/MD5 checksum:     7982 7da6ea1d72640c334fefab4e078eadd4

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_alpha.deb
      Size/MD5 checksum:    13462 9a035f44ccbfec2ddedeb97ba25de685

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_amd64.deb
      Size/MD5 checksum:    12978 ffdd9eab120efbd6ad58befb069ead8d

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_arm.deb
      Size/MD5 checksum:    12332 20edffd17e6cfed8bf60d50f0cf918da

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_i386.deb
      Size/MD5 checksum:    12426 7e27802cc15e0478e06f00cff72c4133

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_ia64.deb
      Size/MD5 checksum:    14444 b1a34f75958df70ee4566445ceb80a26

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_hppa.deb
      Size/MD5 checksum:    13602 448068ac275fe81e7ba0d997b8bc3566

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_m68k.deb
      Size/MD5 checksum:    12258 ae4ef5bdca2baaeb0067cf908e57ac09

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_mips.deb
      Size/MD5 checksum:    13238 e0a0f68fb3a164bc80607ba974a05f3d

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_mipsel.deb
      Size/MD5 checksum:    13248 24218030e050490cbe0578474ec46403

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_powerpc.deb
      Size/MD5 checksum:    14120 85d7a92000946e11db7ae213960c4927

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_s390.deb
      Size/MD5 checksum:    12964 46951fcacb6c99c779e31c7aa21d8bf3

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_sparc.deb
      Size/MD5 checksum:    12300 e05d59189d387427c9017180631aeba4


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDQ5unW5ql+IAeqTIRAs+2AJ9lZmcpDasrDXY+dq195W7gdvJSRgCggXNF
JL5rdx9NuQ2DbdQkwVc1acM=
=kiFO
-----END PGP SIGNATURE-----

    

- 漏洞信息

19863
mod_auth_shadow for Apache HTTP Server require group Authentication Bypass
Remote / Network Access Authentication Management
Loss of Integrity
Exploit Public Vendor Verified

- 漏洞描述

The Apache mod_auth_shadow module contains a flaw that may allow a remote attacker to bypass authentication. The issue is triggered when mod_auth_shadow turns itself on and cannot be turned off whenever "require group" is used. This makes it impossible to use any other authentication modules with "require group". This flaw may lead to a loss of integrity.

- 时间线

2005-10-05 2005-08-05
2005-08-05 Unknow

- 解决方案

Upgrade to version 1.5 or higher or to version 2.1 or higher, as it has been reported to fix this vulnerability. In addition, Debian has released a patch for some older versions of mod_auth_shadow.

- 相关参考

- 漏洞作者

- 漏洞信息

Apache Mod_Auth_Shadow Authentication Bypass Vulnerability
Design Error 15224
Yes No
2005-10-27 12:00:00 2009-07-12 05:56:00
David Herselman is credited with the discovery of this vulnerability.

- 受影响的程序版本

mod_auth_shadow mod_auth_shadow 2.0
mod_auth_shadow mod_auth_shadow 1.4
mod_auth_shadow mod_auth_shadow 1.3
mod_auth_shadow mod_auth_shadow 1.2
mod_auth_shadow mod_auth_shadow 1.1
mod_auth_shadow mod_auth_shadow 1.0
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
mod_auth_shadow mod_auth_shadow 2.1
mod_auth_shadow mod_auth_shadow 1.5

- 不受影响的程序版本

mod_auth_shadow mod_auth_shadow 2.1
mod_auth_shadow mod_auth_shadow 1.5

- 漏洞讨论

mod_auth_shadow is prone to a vulnerability that may bypass expected authentication routines.

An attacker can exploit this vulnerability to bypass security restrictions and gain access to possibly sensitive or privileged information. Information obtained may be used in further attacks against the underlying system; other attacks are also possible.

- 漏洞利用

No exploit is required.

- 解决方案

Debian Linux has released security advisory DSA-844-1 addressing this issue. Please see the referenced advisory for further information.

Mandriva Linux has released security advisory MDKSA-2005:200 addressing this issue. Please see the referenced advisory for further information.

The vendor has address this issue in mod_auth_shadow version 1.5 and 2.1:


mod_auth_shadow mod_auth_shadow 1.0

mod_auth_shadow mod_auth_shadow 1.1

mod_auth_shadow mod_auth_shadow 1.2

mod_auth_shadow mod_auth_shadow 1.3

mod_auth_shadow mod_auth_shadow 1.4

mod_auth_shadow mod_auth_shadow 2.0

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站