CVE-2009-4527

MEDIUM 4.6 / 10.0
Published: December 31, 2009 at 07:30 PM
Modified: April 9, 2025 at 12:30 AM
Source: cve@mitre.org

Vulnerability Description

The Shibboleth authentication module 5.x before 5.x-3.4 and 6.x before 6.x-3.2, a module for Drupal, does not properly remove statically granted privileges after a logout or other session change, which allows physically proximate attackers to gain privileges by using an unattended web browser.

CVSS Metrics

Base Score: 4.6
Severity: MEDIUM
Vector String: AV:L/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Drupal sites running the Shibboleth authentication module before 5.x-3.4 (5.x branch) or 6.x-3.2 (6.x branch) are vulnerable to a privilege escalation attack. A physically proximate attacker can gain unauthorized access to a user's account after that user has logged out or the session has otherwise changed, potentially leading to data breaches and system compromise. The vulnerability stems from the module's failure to revoke statically granted privileges, which remain in effect for whoever next uses the same browser.

02 // Vulnerability Mechanism

Step 1: Legitimate User Login: A legitimate user logs into a Drupal site using the vulnerable Shibboleth module and is granted specific privileges.

Step 2: Session Persistence: The user's session information, including the granted privileges, is stored by the Shibboleth module.

Step 3: Logout or Session Change: The legitimate user logs out of the Drupal site or the session expires.

Step 4: Privilege Retention: The Shibboleth module fails to properly remove the statically granted privileges associated with the previous user's session.

Step 5: Attacker Access: A physically proximate attacker gains access to the same web browser (or one with a similar session state, for example through session reuse or the browser cache). This could be a different user on the same computer or a user who can open the same browser profile.

Step 6: Privilege Escalation: The attacker accesses a protected resource on the Drupal site. Because the Shibboleth module has not revoked the privileges, the attacker is granted access based on the previously logged-in user's privileges.
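As an added illustration (constructed for this write-up, not code from the Drupal Shibboleth module), the following Python model reproduces the six steps above: a grant table keyed by the browser's session cookie survives a logout that only clears the user, so the next request from the same unattended browser still carries the previous user's privileges, while the fixed logout revokes the grants together with the session.

```python
"""Simplified model of the CVE-2009-4527 logic flaw.

Constructed example: the class names, cookie values and privilege names
are hypothetical and do not reflect the real module's internals.
"""
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    # session cookie value -> authenticated user (None when anonymous)
    sessions: dict = field(default_factory=dict)
    # "static" grants handed out at login, keyed by the same cookie value
    static_grants: dict = field(default_factory=dict)

    def login(self, session_id: str, user: str, privileges: set) -> None:
        self.sessions[session_id] = user
        self.static_grants[session_id] = set(privileges)

    def privileges_for(self, session_id: str) -> set:
        # Authorization reads the grant table, not the current user. That is
        # the root cause: a logout that leaves this table intact changes
        # nothing here.
        return set(self.static_grants.get(session_id, ()))

    def logout_vulnerable(self, session_id: str) -> None:
        # Clears the user but not the grants (the flawed behaviour).
        self.sessions[session_id] = None

    def logout_fixed(self, session_id: str) -> None:
        # Revokes the grants together with the session (the corrected behaviour).
        self.sessions.pop(session_id, None)
        self.static_grants.pop(session_id, None)


def next_person_at_browser(fixed: bool) -> set:
    """Privileges the next request from the same browser receives after logout."""
    store = SessionStore()
    store.login("cookie-abc", "alice", {"access content", "administer nodes"})
    logout = store.logout_fixed if fixed else store.logout_vulnerable
    logout("cookie-abc")
    # The same browser sends the same cookie value on its next request.
    return store.privileges_for("cookie-abc")


if __name__ == "__main__":
    print("vulnerable:", next_person_at_browser(fixed=False))
    print("fixed:     ", next_person_at_browser(fixed=True))
```

The check a maintainer wants is the second call returning an empty set: revocation must happen on every logout and session change, not only on login.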

03 // Deep Technical Analysis

The root cause of CVE-2009-4527 lies in the Shibboleth module's failure to correctly manage session state and revoke privileges after a user logs out or the session changes. Specifically, the module does not clear or invalidate the statically assigned privileges associated with a user's session, so the grants made at login outlive the login itself. When a new user accesses the same browser (or a browser with a similar session state), the module may reuse those retained privileges and grant the new user access to resources they should not have. This is not a buffer overflow or code injection vulnerability, but a logic flaw in session management and privilege revocation: an attacker at the unattended browser simply inherits the existing privilege grants.

CVE-2009-4527 - MEDIUM Severity (4.6) | Free CVE Database | 4nuxd