[UNIX] Vulnerabilities in Several Apache Authentication Modules

From: support@securiteam.com
Date: 08/30/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Vulnerabilities in Several Apache Authentication Modules
Message-Id: <20010830161346.32C7D138BF@mail.der-keiler.de>
Date: Thu, 30 Aug 2001 18:13:46 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Vulnerabilities in Several Apache Authentication Modules
------------------------------------------------------------------------

SUMMARY

RUS-CERT has discovered that several Apache authentication modules that
use SQL databases to store authentication information are vulnerable to a
remote SQL code injection attack.

DETAILS

Vulnerable systems:
Any Apache server using database-based authentication with the following
modules:
 * AuthPG 1.2b2 by Min S. Kim (also known as mod_auth_pg)
 * mod_auth_mysql 1.9 by Vivek Khera
 * mod_auth_oracle 0.5.1 by Serg Oskin
 * mod_auth_pgsql 0.9.5 by Guiseppe Tanzilli and Matthias Eckermann
 * mod_auth_pgsql_sys 0.9.4 (by the same authors, modifications by Victor
Glushchenko)

It is possible that other authentication modules not listed above are
affected.

Immune systems:
RUS-CERT has examined the following authentication modules and verified
that an Apache server using these modules is not vulnerable to the problem
described in this document:

 * mod_auth_mysql 2.20 by Zeev Suraski
 * mod_auth_ora7 1.0 by Ben Reser
 * mod_auth_ora8 1.0 by Ben Reser

Impact:
In the case of the PostgreSQL modules, an attacker can execute arbitrary
SQL statements or cause the database query for the password to return
arbitrary data. As a result, unauthorized access to the web server is
possible.

With the Oracle module, the attacker can call stored procedures and cause
the database query for the password to return arbitrary data. The impact
with MySQL is currently unclear, but with the advent of stored procedures,
harmful side effects might become possible as well.

Vulnerability type:
SQL code insertion attack

Description:
During the authentication process, the password hash has to be looked up
in the database, so a SQL SELECT statement has to be built. In the
vulnerable modules, this is done using code equivalent to the following
pseudo code:

Query := Sprintf ("SELECT %s FROM %s WHERE %s = '%s'", Password_Column,
User_Table, User_Column, User);

Later on, the retrieved password hash is compared with the one supplied by
the user trying to authenticate.

However, the value of User has been received over the network. Suppose an
attacker chooses the string (note the single quotation mark at the
beginning):

'; SELECT 'wA8aGH92dPQnIDD

Now the resulting string contains two SQL statements:

SELECT password_column FROM user_table WHERE user_column = ''; SELECT
'wA8aGH92dPQnIDD'

PostgreSQL's libpq client library will transmit both statements to the
PostgreSQL server. The server will execute both statements and return the
result of the second to the client. This way, an attacker can make it
appear to the authentication code that the database contains the proper
hash for the password it just has provided. Other forms of attacks are
possible by issuing INSERT or DELETE statements in essentially the same
manner, of course.

In the MySQL and Oracle cases, the impact of the vulnerability is
different. Oracle does not seem to allow multiple SQL statements per
query, but using a UNION clause to add additional data seems to be
possible, so the attack given above can be duplicated. In addition, stored
procedures can be called, with a potential for harmful side effects. There
is no definite answer if the vulnerability is exploitable if a MySQL
database is used, since MySQL supports neither UNION clauses nor stored
procedures.
 
Proposed solution:
PostgreSQL
RUS-CERT believes that the fact that the essentially the same
vulnerability is present in many PostgreSQL applications is related to the
lack of a suitable string quoting function in the PostgreSQL client
library (and not just to code reuse and overlap among the authors).

Therefore, RUS-CERT proposes that a function that escapes characters
treated specially by the PostgreSQL by replacing them with safe character
sequences is included in the PostgreSQL client library. RUS-CERT provides
a mostly untested sample implementation:

* Escaping Strings in PostgreSQL Queries (
<http://cert.uni-stuttgart.de/doc/postgresql/escape/>
http://cert.uni-stuttgart.de/doc/postgresql/escape/)

Some of the fixed versions below already implement this suggestion.

MySQL and Oracle
Both the MySQL and Oracle client libraries provide a suitable function for
quoting strings in SQL queries. The authentication modules that are not
vulnerable (see above) use them, so we propose to use these modules, or
the fixed versions below.

Patched versions:
Several authors have already reacted and released new versions:
 * AuthPG 1.3 by Min S. Kim ( <http://authpg.sourceforge.net/>
http://authpg.sourceforge.net/)
 * mod_auth_mysql 1.10 by Vivek Khera ( <ftp://ftp.kcilink.com/pub/>
ftp://ftp.kcilink.com/pub/)
 * mod_auth_pgsql 0.9.6 by Guiseppe Tanzilli (
<http://www.giuseppetanzilli.it/mod_auth_pgsql/dist/>
http://www.giuseppetanzilli.it/mod_auth_pgsql/dist/)
    
Serg Oskin has announced a fixed version as well.

Vendor status:
RUS-CERT contacted the authors of the vulnerable authentication modules on
2001-08-23.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:Florian.Weimer@RUS.Uni-Stuttgart.DE> Florian Weimer.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • SQL Injection in Cisco CallManager
    ... A SQL injection vulnerability exists in the Log On page of the web ... interface for Cisco CallManager AKA Unified Communications Manager. ... unauthenticated attacker who is able to access the Log On page could ...
    (Bugtraq)
  • SQL injection in SweetRice CMS
    ... Vulnerability Type: SQL Injection ... Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database. ...
    (Bugtraq)
  • SQL Injection in HTML-EDIT CMS
    ... Vulnerability Type: SQL Injection ... Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database. ...
    (Bugtraq)
  • SQL Injection in CLANSPHERE
    ... Vulnerability Type: SQL Injection ... Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database. ...
    (Bugtraq)
  • SQL injection in CompactCMS
    ... Vulnerability Type: SQL Injection ... Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database. ...
    (Bugtraq)