Vulnerabilities > CVE-2003-0084 - Remote Command Execution vulnerability in MOD Auth ANY MOD Auth ANY 1.2.2

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
mod-auth-any
nessus

Summary

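The mod_auth_any package in Red Hat Enterprise Linux 2.1 and other operating systems does not properly escape arguments when calling other programs, which allows attackers to execute arbitrary commands via shell metacharacters. According to the plugin descriptions below, the unescaped input is the username supplied during HTTP authentication, the injected commands run as the user the Web server runs as, and the Red Hat errata packages fix the issue by changing how the external program is invoked.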

Vulnerable Configurations

Part Description Count
Application
Mod_Auth_Any
1

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2003-114.NASL
    description: Updated mod_auth_any packages are available for Red Hat Enterprise Linux. These updated packages fix vulnerabilities associated with the manner in which mod_auth_any escapes shell arguments when calling external programs. The Web server module mod_auth_any allows the Apache httpd server to call arbitrary external programs to verify user passwords. Vulnerabilities have been found in versions of mod_auth_any included in Red Hat Enterprise Linux concerning the method by which mod_auth_any escapes shell arguments when calling external programs. These vulnerabilities allow remote attackers to run arbitrary commands as the user under which the Web server is running. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0084 to these issues. All users are advised to upgrade to these errata packages, which change the method by which external programs are invoked and, therefore, make these programs invulnerable to these issues. Red Hat would like to thank Daniel Jarboe and Maneesh Sahani for bringing these issues to our attention.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12383
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12383
    title: RHEL 2.1 : mod_auth_any (RHSA-2003:114)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2003:114. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set, the script only declares its
    # metadata and then exits (exit(0) at the end of this block); none of the
    # detection logic further down the file runs in this branch.
    if (description)
    {
      script_id(12383);
      script_version ("1.26");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      # Identifiers tying this check to the CVE and to the Red Hat advisory.
      script_cve_id("CVE-2003-0084");
      script_xref(name:"RHSA", value:"2003:114");
    
      script_name(english:"RHEL 2.1 : mod_auth_any (RHSA-2003:114)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      # Advisory text. Points a defender should take from it: the flaw is in how
      # shell arguments are escaped before an external program is called, the
      # impact is command execution as the Web server's user, and the errata
      # change how the external program is invoked.
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated mod_auth_any packages are available for Red Hat Enterprise
    Linux. These updated packages fix vulnerabilities associated with the
    manner in which mod_auth_any escapes shell arguments when calling
    external programs.
    
    The Web server module mod_auth_any allows the Apache httpd server to
    call arbitrary external programs to verify user passwords.
    
    Vulnerabilities have been found in versions of mod_auth_any included
    in Red Hat Enterprise Linux concerning the method by which
    mod_auth_any escapes shell arguments when calling external programs.
    These vulnerabilities allow remote attackers to run arbitrary commands
    as the user under which the Web server is running. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CVE-2003-0084 to these issues.
    
    All users are advised to upgrade to these errata packages, which
    change the method by which external programs are invoked and,
    therefore, make these programs invulnerable to these issues.
    
    Red Hat would like to thank Daniel Jarboe and Maneesh Sahani for
    bringing these issues to our attention."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0084"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2003:114"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mod_auth_any package."
      );
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # partial confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # plugin_type is "local": the detection code later in this file works from
      # KB items (release string, rpm list, cpu) rather than from network probes.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_auth_any");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      # NOTE(review): as recorded here, patch_publication_date (2003/04/28) is
      # earlier than vuln_publication_date (2003/05/12).
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/05/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/04/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      # Declares ssh_get_info.nasl as a dependency and lists the KB keys the check
      # reads; presumably that dependency is what populates them -- confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Applicability gates. Each audit() call is presumably a terminating exit with
    # the given reason (audit.inc is not shown here), so later lines run only when
    # every earlier gate has passed.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    # Extract the numeric release from the release string (capture group 1).
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    # Only release 2.1 is in scope; the ([^0-9]|$) tail stops "2.10" and similar
    # strings from matching.
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    # Without a collected package list there is nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Two-step architecture filter: the first test rejects anything outside
    # x86_64 / i[3-6]86 / s390, the second then narrows to i[3-6]86 only, which is
    # the one architecture the rpm_check below names (cpu:"i386").
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    # Path 1: if yum update information was collected, decide from it. A non-empty
    # report for RHSA-2003:114 is raised as a finding; an empty one ends the check
    # as "not affected by this advisory".
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2003:114";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    # Path 2: no yum data, so fall back to comparing the installed package with the
    # fixed reference build.
    else
    {
      flag = 0;
      # rpm_check() lives in rpm.inc (not shown); presumably it returns true when an
      # installed mod_auth_any is older than the 1.2.2-2 reference -- confirm.
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mod_auth_any-1.2.2-2")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        # Distinguish "package present but not affected" from "package not installed".
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_auth_any");
      }
    }
    # Scope note: this is a package-level check only. Nothing in this script looks
    # at whether mod_auth_any is actually loaded or configured in httpd, so a
    # finding means "vulnerable build installed", not "vulnerable endpoint exposed".
    
  • NASL family: Web Servers
    NASL id: MOD_AUTH_ANY.NASL
    description: The remote host seems to be running mod_auth_any, an Apache Module which allows the use of third-party authentication programs. This module does not properly escape shell characters when a username is supplied, and therefore an attacker may use this module to: (1) execute arbitrary commands on the remote host; (2) bypass the authentication process completely.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11481
    published: 2003-03-26
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11481
    title: mod_auth_any for Apache Metacharacter Remote Command Execution
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Ref:
    #
    # From: Mario Sergio Fujikawa Ferreira <[email protected]>
    # Date: Mon, 24 Mar 2003 20:23:11 -0800 (PST)
    # To: [email protected], [email protected],
    #         [email protected]
    # Subject: cvs commit: ports/www/mod_auth_any Makefile ports/www/mod_auth_any/files
    #         bash_single_quote_escape_string.c patch-mod_auth_any.c
    
    
    include("compat.inc");
    
    # Registration branch: when `description` is set, the script only declares its
    # metadata and exits (exit(0) at the end of this block) without sending any
    # request to the target.
    if(description)
    {
     script_id(11481);
     script_version("1.28");
     # Same CVE as the RHEL package check, cross-referenced to Bugtraq 7448 and to
     # Red Hat advisory 2003:113-01.
     script_cve_id("CVE-2003-0084");
     script_bugtraq_id(7448);
     script_xref(name:"RHSA", value:"2003:113-01");
    
     script_name(english:"mod_auth_any for Apache Metacharacter Remote Command Execution");
     
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code may be run on the remote host." );
     # The description names the username field as the unescaped input and lists
     # two consequences: command execution and authentication bypass.
     script_set_attribute(attribute:"description", value:
    "The remote host seems to be running mod_auth_any, an Apache Module
    which allows the use of third-party authentication programs.
    
    This module does not properly escape shell characters when a
    username is supplied, and therefore an attacker may use this module
    to :
     - Execute arbitrary commands on the remote host
     - Bypass the authentication process completely" );
     script_set_attribute(attribute:"solution", value:
    "Patch mod_auth_any or disable it." );
     # CVSS v2 base vector (network, low complexity, no authentication, partial
     # C/I/A) plus a temporal vector; the two attributes after it record that no
     # exploit was known to the plugin author.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"see_also", value:"http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/mod_auth_any/files/" );
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/26");
     script_set_attribute(attribute:"vuln_publication_date", value: "2003/02/10");
     script_cvs_date("Date: 2018/07/14  1:59:37");
    # plugin_type "remote": the finding comes from HTTP responses, not from the
    # host's package database.
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     script_summary(english:"Attempts to log into the remote web server");
     # ACT_ATTACK: unlike the package check for the same CVE, this plugin actively
     # sends authentication attempts to the target, which matters when deciding
     # which scan policies may include it.
     script_category(ACT_ATTACK);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english: "Web Servers");
     # NOTE(review): spelled script_dependencie here, script_dependencies in the
     # RHEL plugin on this page; presumably a legacy alias -- confirm.
     script_dependencie("no404.nasl", "http_version.nasl", "webmirror.nasl");
     script_require_ports("Services/www", 80);
     script_require_keys("www/apache");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
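    # Detection logic. For every page listed in the KB as requiring authentication,
    # the script compares up to three responses:
    #   1. a baseline request with empty credentials (must answer 401 or 403),
    #   2. a request whose Basic credentials decode to a lone single quote as the
    #      username with an empty password,
    #   3. a control request with the ordinary credentials a:b.
    # A 200 for request 2 on a page that refused request 1 is reported, unless the
    # control shows the server answers 200 the same way for any credentials.
    port = get_http_port(default:80);
    
    # Outside paranoid mode, only servers whose banner mentions Apache are tested.
    if (report_paranoia < 2)
    {
      banner = get_http_banner(port:port);
      # Fixed message: the original concatenation produced "port 80is not Apache."
      if ("Apache" >!< banner) exit(0, "The web server on port "+port+" is not Apache.");
    }
    
    # Candidate pages come from the KB (presumably filled in by the webmirror.nasl
    # dependency -- confirm); with none recorded there is nothing to test.
    pages = get_kb_list(string("www/", port, "/content/auth_required"));
    if (isnull(pages)) exit(0, "No protected pages were found on port "+port+".");
    pages = make_list(pages);
    
    foreach file (pages)
    {
      # Request 1: baseline with empty credentials, kept for the report.
      r = http_send_recv3(port:port, method: "GET", item: file, username: "", password: "", exit_on_fail: 1);
      before = strcat(r[0], r[1], '\r\n', r[2]);
      debug_print('1st req on port ', port, '\n', before, '\n');
    
      # Only pages that actually refuse the baseline request (401/403) are probed.
      if (ereg(pattern:"^HTTP/[0-9]\.[0-9] 40[13] .*", string: r[0]))
      {
        # Request 2.  Jzo= -> ':
        r = http_send_recv3(port:port, method: "GET", item: file, username: "", password: "", add_headers: make_array('Authorization', 'Basic Jzo='), exit_on_fail: 1);
        if (ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string: r[0]))
        {
          # Request 3, the false-positive control.  YTpi -> a:b
          r2 = http_send_recv3(port:port, method: "GET", item: file, username: "", password: "", add_headers: make_array('Authorization', 'Basic YTpi'), exit_on_fail: 1);
          if (r2[0] == r[0]) # We got a 200 error code in both cases, make sure it's not a FP
          {
            # Arbitrary credentials were accepted too, so the 200 alone proves
            # nothing. Non-paranoid scans stop here with an "unreliable" status.
            if (report_paranoia < 2)
            {
              exit(1, "This flaw cannot be tested reliably as we got a 200 reply to "+
    build_url(port: port, qs: file, username:'a', password:'b'));
            }
    
            # Paranoid scans continue only if the two response bodies differ.
            # NOTE(review): these exit(0) calls end the whole script, so any
            # remaining pages in the list are not tested.
            if (strlen(r2[2]) == 0 && strlen(r[2]) == 0) exit(0);
            if (r2[2] == r[2]) exit(0);
          }
    
          # Report both responses (first 50 lines each) so the analyst can verify
          # the difference by hand.
          res = strcat(r[0], r[1], '\r\n', r[2]);
          debug_print('2nd req on port ', port, '\n', res, '\n');
          security_hole(port:port, extra:
    'A plain request for \'' + file + '\' gives the following output :\n' 
    + beginning_of_response(resp: before, max_lines: 50)
    + '\n\nwhile a specially crafted request produces :\n' 
    + beginning_of_response(resp: res, max_lines: 50) );
          exit(0);
        }
      }
    }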
    

Redhat

advisories
  • rhsa
    id: RHSA-2003:113
  • rhsa
    id: RHSA-2003:114