https://bz.apache.org/bugzilla/show_bug.cgi?id=69946

            Bug ID: 69946
           Summary: Authentication Bypass in mod_autht_jwt via JWT Claim
                    Prefix Matching
           Product: Apache httpd-2
           Version: 2.4.66
          Hardware: PC
            Status: NEW
          Severity: critical
          Priority: P2
         Component: mod_auth_ldap
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Created attachment 40149
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=40149&action=edit
this is the simulated

ISSUE DESCRIPTION

An Authentication Bypass vulnerability exists in the mod_autht_jwt module of
the Apache HTTP Server. The module uses strncmp with an incorrect length
parameter when validating reserved JWT claims (specifically sub, aud, exp,
nbf). The code mistakenly uses the length of the provided claim key instead of
the expected reserved name length.

This allows an attacker to include a malicious claim key that is a prefix of a
reserved claim (e.g., "s" for "sub") in their JWT. Because the module iterates
through all claims and updates internal state variables for each match, the
malicious prefix claim overwrites the legitimate reserved claim value, allowing
an attacker to impersonate any user or bypass audience/expiration checks.

---

AFFECTED COMPONENT

- Component: mod_autht_jwt (Apache Module)
- Function: check_token() in modules/aaa/mod_autht_jwt.c
- Configuration: Any Apache HTTP Server using mod_autht_jwt with
AuthtJwtVerify.

---

IMPACT

- Attacker Type: Authenticated low-privilege user (or any attacker with a valid
JWT signed by a trusted key).
- Impact: Privilege Escalation (overwrite 'sub' to impersonate admins) and
Authorization Bypass (overwrite 'aud' or 'exp').
- Affected Parties: All users of the system.

---

ATTACK SCENARIO

1. Discovery: Attacker identifies the strncmp logic error in mod_autht_jwt.c.
2. Setup: Attacker registers a low-privilege account (e.g., subject "guest").
3. Exploitation: Attacker obtains a valid JWT including a malicious claim "s":
"admin". This is possible if the token issuer allows custom claims or if the
attacker can influence their user profile data.
4. Result: mod_autht_jwt matches "s" against "sub" due to the prefix match
flaw. Because claims are processed in order and every match updates the
internal state, the later "s" claim wins: the subject variable is overwritten
with "admin", granting the attacker administrative access. The signature is
still verified, so the attacker needs the issuer to sign a token carrying the
extra claim; the check that is bypassed is the claim name match, not the
signature.

---

STEPS TO REPRODUCE / PROOF OF CONCEPT

The strncmp logic can be verified using the attached C simulation
'vuln_logic_simulation.c'.

1. Compile the simulation:
   gcc -o vuln_simulation vuln_logic_simulation.c

2. Run the simulation:
   ./vuln_simulation

3. Output:
   The output will confirm that a claim with key "s" is accepted as "sub" and
overwrites the previous value.

   [*] Starting claim processing...
   [+] Matched 'sub': guest (input: sub)
   [+] Matched 'sub': admin (input: s)

   [*] Final State:
       Subject: admin
       Audience: (null)

   [+] Verification successful: Subject overwritten.

---

ROOT CAUSE ANALYSIS

In modules/aaa/mod_autht_jwt.c (lines 969-995), the code uses:

   if (!strncmp("sub", kv->k->value.string.p, kv->k->value.string.len))

The third argument is the length of the user-provided key. If the user provides
keys like "s", "a", or "e", the comparison length is 1, causing a false
positive match against "sub", "aud", and "exp" respectively.

---

RECOMMENDED FIX

Replace the variable-length strncmp comparisons (for "sub", "aud", "exp" and
"nbf" alike) with a check that the key length equals the reserved name length
followed by a fixed-length compare. Plain strcmp is only safe if the parsed key
is guaranteed to be NUL-terminated; since the key is carried as a pointer plus
an explicit length, the length-equality form is the safer choice.

Example Fix:

   /* FIX: Check length AND content */
   if (kv->k->value.string.len == 3 &&
       !strncmp("sub", kv->k->value.string.p, 3)) {
       // ...
   }
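The following C simulation is added here to illustrate the root cause and the fix in one runnable file; it is not the attached vuln_logic_simulation.c and not code from mod_autht_jwt. The jstr/claim structs, the plain C-string claim values, the process_claims() walk and the constructed sample token are assumptions that mirror the kv->k->value.string.{p,len} shape quoted in the report. It runs the same claim list through the vulnerable matcher and the hardened one, and also shows why the hardened form uses an explicit length instead of strcmp (the key buffer is not assumed to be NUL-terminated).

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the parsed JSON key: a pointer plus an explicit length, NOT
 * necessarily NUL-terminated (which is why the module used strncmp at all).
 * Field names mirror the report's kv->k->value.string.{p,len}; the struct
 * itself is an assumption for this simulation. */
typedef struct {
    const char *p;
    size_t len;
} jstr;

typedef struct {
    jstr key;
    const char *value;   /* claim value, simplified to a C string */
} claim;

/* Vulnerable comparison, as quoted in the report: the compare length comes
 * from the attacker-controlled key, so any prefix of "sub" (including the
 * empty key, length 0) compares equal. */
static int vuln_is_claim(const char *reserved, const jstr *k)
{
    return strncmp(reserved, k->p, k->len) == 0;
}

/* Hardened comparison: lengths must be equal, then compare exactly that many
 * bytes. memcmp is used so a non-NUL-terminated key buffer is still handled
 * correctly, which strcmp would not guarantee. */
static int fixed_is_claim(const char *reserved, const jstr *k)
{
    size_t n = strlen(reserved);
    return k->len == n && memcmp(reserved, k->p, n) == 0;
}

/* State accumulated while walking the claims, like check_token() does. */
typedef struct {
    const char *sub;
    const char *aud;
    const char *exp;
} token_state;

/* Walks every claim in order and updates state on each match; 'is_claim'
 * selects the vulnerable or the hardened matcher. A later matching claim
 * overwrites an earlier one, which is the behaviour the report describes. */
static void process_claims(const claim *claims, size_t n,
                           int (*is_claim)(const char *, const jstr *),
                           token_state *st)
{
    st->sub = st->aud = st->exp = NULL;
    for (size_t i = 0; i < n; i++) {
        if (is_claim("sub", &claims[i].key)) st->sub = claims[i].value;
        if (is_claim("aud", &claims[i].key)) st->aud = claims[i].value;
        if (is_claim("exp", &claims[i].key)) st->exp = claims[i].value;
    }
}

/* Constructed sample token: the legitimate "sub" and "aud" claims followed by
 * the malicious one-byte prefix key "s" (claim order as in the report's PoC). */
static const claim sample_claims[] = {
    { { "sub", 3 }, "guest" },
    { { "aud", 3 }, "app"   },
    { { "s",   1 }, "admin" },
};

/* Runs the sample token through one matcher and returns the resulting subject
 * (NULL if no "sub" claim matched). */
const char *final_subject(int vulnerable)
{
    token_state st;
    process_claims(sample_claims,
                   sizeof sample_claims / sizeof sample_claims[0],
                   vulnerable ? vuln_is_claim : fixed_is_claim, &st);
    return st.sub;
}

int main(void)
{
    printf("vulnerable matcher: sub=%s\n", final_subject(1));
    printf("fixed matcher:      sub=%s\n", final_subject(0));
    return 0;
}
```

Compile with `gcc -std=c99 -Wall -o claim_sim claim_sim.c` and run it: the vulnerable matcher ends with the subject "admin", the hardened matcher keeps "guest". The length-equality check is what rejects "s"; the memcmp (rather than strcmp) is what keeps a key such as "sub" matching even when its buffer is followed by other bytes instead of a NUL.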
