Vigil@nce:Apache httpd, bypassing the authentication of mod_auth_shadow
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the authentication to a page is managed by mod_auth_shadow,
an attacker can be authenticated, even if his login/password is
invalid.
– Severity: 2/4
– Creation date: 19/04/2010
DESCRIPTION OF THE VULNERABILITY
The mod_auth_shadow Apache module authenticates users with the
/etc/shadow password file.
As Apache httpd runs with "nobody" privileges, and as the
/etc/shadow file can only be read by root, the authentication is
split in two parts:
– the suid root "validate" program receives the login/password,
reads /etc/shadow, and then returns the code 0 if the password
is valid,
– the mod_auth_shadow module creates a pipe to "validate", sends
it the login/password, and then reads the return code.
When mod_auth_shadow waits for the answer of "validate", if uses
the wait() function instead of waitpid(). If a child process of
Apache returns the code 0 before "validate", the user is thus
authenticated.
When the authentication to a page is managed by mod_auth_shadow,
an attacker can therefore be authenticated, even if his
login/password is invalid.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-httpd-bypassing-the-authentication-of-mod-auth-shadow-9595