diff --git a/SOURCES/0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch b/SOURCES/0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
new file mode 100644
index 0000000..23e4ac8
--- /dev/null
+++ b/SOURCES/0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
@@ -0,0 +1,80 @@
+From e09a28a30e13e5c22b481010f26b4a7743a09280 Mon Sep 17 00:00:00 2001
+From: John Dennis
+Date: Tue, 5 Mar 2019 10:15:48 +0100
+Subject: [PATCH] Modify am_handler setup to run before mod_proxy
+
+The way the ECP flow works is that when a client initiates the flow, the
+SP's response is HTTP 200, but not the requested content, but a signed XML
+document that contains the "samlp:AuthnRequest" element. The idea is that
+the ECP client would then determine the IDP and send the document to the
+IDP, get a samlp:Response and convey that to the SP to get access to the
+protected resource.
+
+Internally, the auth check which is normally done with am_check_uid() set to
+apache's ap_hook_check_user_id() hook, just responds with OK, so it pretends
+to authenticate the user. Then in the usual flow, the request reaches the
+ap_hook_handler which handles the request. There in the pipeline, mellon
+registers functions am_handler() which should run first (APR_HOOK_FIRST),
+determine that this request is an ECP one and return the ECP AuthnRequest
+document. But in case the proxy module is also in the picture, the proxy
+module "races" for who gets to be the first to handle the request in the
+pipeline and wins. Therefore, the request reaches the protected resource
+via mod_proxy and returns it.
+
+This fix modifies the ap_hook_handler() call to explicitly run before
+handlers from mod_proxy.c
+
+To reproduce the bug:
+0) Have a SP with mellon connected to a Keycloak IDP (or any other IDP I
+ guess). In the example below, my SAML SP is saml.federation.test
+1) Set a Location protected by mellon that proxies requests to another
+ URL. For example:
+
+ ProxyPass /sp-proxy http://app.federation.test/example_app/
+
+ AuthType Mellon
+ MellonEnable auth
+ Require valid-user
+
+
+2) call:
+ curl -L -H "Accept: application/vnd.paos+xml" \
+ -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
+ http://saml.federation.test/sp-proxy
+
+Before the patch, you would see whatever is served from the proxied
+page. With the patch, you should get back a XML document with a
+samlp:AuthnRequest.
+---
+ mod_auth_mellon.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
+index 74bd328..5330f48 100644
+--- a/mod_auth_mellon.c
++++ b/mod_auth_mellon.c
+@@ -207,6 +207,12 @@ static int am_create_request(request_rec *r)
+
+ static void register_hooks(apr_pool_t *p)
+ {
++ /* Our handler needs to run before mod_proxy so that it can properly
++ * return ECP AuthnRequest messages when running as a reverse proxy.
++ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
++ */
++ static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
++
+ ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
+@@ -222,7 +228,7 @@ static void register_hooks(apr_pool_t *p)
+ * Therefore this hook must run before any handler that may check
+ * r->handler and decide that it is the only handler for this URL.
+ */
+- ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
++ ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
+
+ #ifdef ENABLE_DIAGNOSTICS
+ ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
+--
+2.19.2
+
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index 6869ef0..a8de5b0 100644
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
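Review bot: The fix at `ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);` is only an ordering constraint against `mod_proxy.c`; by the commit message's own account, `am_check_uid()` still answers OK for an ECP-flagged request before any AuthnRequest has been produced, so any other content handler that claims the request ahead of `am_handler` would still see it as authenticated. The comment above `run_handler_before` should record that dependency so the list is extended when another such handler is configured, e.g. `* Any module whose handler can serve the protected resource ahead of` / `* am_handler must be listed here; am_check_uid has already returned OK.` Whether the successor list also orders am_handler ahead of a handler registered with APR_HOOK_REALLY_FIRST is not visible from this hunk. As a point of style, `run_handler_before[]={ "mod_proxy.c", NULL };` reads more easily as `run_handler_before[] = { "mod_proxy.c", NULL };`. register_hooks() starts in the first embedded hunk and continues beyond the second.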
@@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.14.0
-Release: 3%{?dist}
+Release: 3%{?dist}.2
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source1: auth_mellon.conf
@@ -22,6 +22,8 @@ Requires: httpd-mmn = %{_httpd_mmn}
 Requires: lasso >= 2.5.1
 Url: https://github.com/UNINETT/mod_auth_mellon
+Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
+
 # FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
 # I could not get asciidoc to render properly so instead I generated
 # mellon_user_guide.html on Fedora using asciidoctor and included
@@ -35,6 +37,7 @@ received in assertions generated by a IdP server.
 %prep
 %setup -q -n %{name}-%{version}
+%patch1 -p1
 %build
 export APXS=%{_httpd_apxs}
@@ -105,6 +108,10 @@ in the doc directory for instructions on using the diagnostics build.
 %dir /run/%{name}/
 %changelog
+* Tue Apr 16 2019 Jakub Hrozek - 0.14.0-3.2
+- Resolves: rhbz#1696197 - CVE-2019-3878 mod_auth_mellon: authentication
+ bypass in ECP flow [rhel-8.0.0.z]
+
 * Mon Jul 30 2018 Florian Weimer - 0.14.0-3
 - Rebuild with fixed binutils
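Review bot: The patch is declared as `Patch0001:` in the `@@ -22,6 +22,8 @@` hunk but applied as `%patch1 -p1` in the `@@ -35,6 +37,7 @@` hunk; rpm should resolve both to patch number 1, but the two spellings make the pairing easy to miss when a second patch is added to this spec. Use one form for both, e.g. `Patch1: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch` with `%patch1 -p1`. The `-p1` level matches the `a/mod_auth_mellon.c` prefix in the embedded patch, and the line sits after `%setup -q`, so the patch is applied inside the unpacked source tree.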