[NEWS] Blackboard Password Retrieval (search.pl)
From: support@securiteam.com
Date: 01/22/03
From: support@securiteam.com To: list@securiteam.com Date: 22 Jan 2003 23:06:41 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Blackboard Password Retrieval (search.pl)
------------------------------------------------------------------------
SUMMARY
The <http://products.blackboard.com/> Blackboard Learning System is a
Web-based server software platform that offers industry-leading course
management, an open architecture for customization and interoperability,
and a scalable design that allows for integration with student information
systems and authentication protocols. A security vulnerability in the
product allows a malicious attacker to insert an arbitrary SQL statement
into the ones used by the product, thus modifying its actions.
DETAILS
Vulnerable systems:
* Blackboard Learning System 5.x, level 1 and 2 are affected.
Immune systems:
* Blackboard Learning System version 5.5.1
Through the exploitation of an SQL injection vulnerability it is possible
for an unauthenticated user to query the Blackboard user directory and:
- Enumerate users with a given password.
- Extract the MD5 password of any given user.
Details:
Improper filtering in the address book search feature allows an attacker
to inject SQL statements into a query that is executed with read access to
the users table. The address book search feature is implemented by
/bin/common/search.pl and the improperly filtered argument is "by". It is
a trivial matter for an attacker to construct queries that will return a
listing of all users with a given password. It is also possible for an
attacker to execute a scripted attack that can extract the MD5 hashed
password of a specific user.
A valid account is not required to exploit the above-described
vulnerabilities. Most (all?) organizations have a "preview" button on the
login screen allowing anyone to login to a restricted version of the
system. Preview users are not given an interface to the address book.
However, despite the fact that the address book is "hidden" from preview
users, it is not actually restricted. The scripts required in exploitation
are indeed accessible to the preview user thereby opening the window of
exploitation to any remote user.
Vendor Notification:
The Blackboard team was concerned, quick to respond, open to suggestions,
professional, and even took the time to teleconference. Overall, Pedram
was very impressed with their handling of the situation.
08/07/2002 - Vulnerability discovered.
08/08/2002 - Pedram's University contacted.
08/11/2002 - First contact with David Yaskin at Blackboard.
08/30/2002 - Patch test with my University.
09/01/2002 - Fix made available and announcement made to Blackboard
community.
01/21/2003 - Public release.
Vendor Response:
A security hotfix is now available through Blackboard that will address
recently identified issues related to the Blackboard User Directory.
Although there have been no reported security breaches, Blackboard would
like to share this important information with clients. For locally
installed clients running on release 5.5.1 or later (including Blackboard
Learning System - ML), the recommended solution is to obtain the hotfix by
calling Blackboard Product Support at 1-888-788-5264 or by submitting a
service request ticket through the Blackboard Product Support Web site.
For locally installed clients running on releases earlier than 5.5.1, the
recommended solution is to upgrade to 5.5.1 and then apply the hotfix. To
upgrade to release 5.5.1, system administrators can go to
<http://behind.blackboard.com> and click on
the "Hotfixes and Updates" icon to obtain the download. Once release 5.5.1
has been installed, you may obtain the hotfix by calling Blackboard
Product Support at 1-888-788-5264 (+1-202-715-6019 for international
clients); or by submitting a service request ticket through the Blackboard
Product Support Web site.
For all Learning System and Learning and Community Portal System (formerly
Blackboard 5 Level Three) clients running on releases earlier than 5.5.1,
please contact your Account Manager, at 202-463-4860 prior to upgrading.
UNAFFECTED: Clients who are using our Enterprise product capability of
completely externalizing external authentication, and have implemented
Blackboard Learning System, Level 3 using LDAP, Kerberos, Active
Directory, or Active Directory are unaffected.
Clients running on Blackboard CourseInfo need not take action at this
time, as the potential security vulnerability does not affect this
platform.
Clients running on the Blackboard Transaction System are unaffected.
Technical details:
Using the address book search feature to search for the keyword 'meow'
will generate the following request:
/bin/common/search.pl?action=RESULTS
&context=ADDRESSBOOK
&type=SEARCH
&operation=VIEW
&keyword=
&nav=my_addressbook
&course_id=_1_1
&keywordraw=meow
&by=lastname
The 'by=lastname' parameter is populated from an HTML form with one of two
possible values: last name or e-mail address. Generating a hand-made
request with the 'by' parameter set to 'ruff' produces the following SQL
error:
SELECT U.pk1, U.sos_id_pk2, U.firstname, U.middlename, U.lastname, U.title,
       U.email, U.user_id, U.job_title, U.department, U.company, U.street_1,
       U.street_2, U.city, U.state, U.zip_code, U.country, U.b_phone_1,
       U.b_phone_2, U.h_phone_1, U.h_phone_2, U.m_phone, U.b_fax, U.h_fax,
       U.webpage, U.email_ind, U.address_ind, U.work_ind, U.phone_ind
FROM users U
WHERE U.row_status = 0
  AND U.available_ind = 'Y'
  AND U.public_ind = 'Y'
  AND U.system_role != 'z'
  AND U.system_role != 'u'
  AND upper(U.ruff) LIKE '%MEOW%'
ORDER BY U.lastname, U.firstname
The above error was generated because there is no field named 'ruff' in
the users table. Further experimentation reveals that the 'keywordraw'
parameter (MEOW here) is stripped of non-alphanumeric characters and
upper-cased. The 'by' parameter, on the other hand, is not filtered at all,
allowing an attacker to control the SQL query from 'upper(U.' onwards. By
guessing the name of the field that stores user passwords (passwd), an
attacker is able to enumerate all users with specific characters in their
password. With some experimentation it quickly becomes apparent that
passwords are stored as MD5 hashes (very common). It is then a trivial
matter for an attacker to generate a list of valid username and password
combinations by searching for users with easily guessable passwords such
as MD5("blackboard"), MD5("password"), or MD5("organization name").
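The root cause above is that 'by' is spliced into the SQL text while only 'keywordraw' is filtered. The following is an added example (not Blackboard's search.pl, and written in Python rather than Perl) of how the address-book search should be built: 'by' is mapped through an allowlist of the two form values to an assumed column name, and the keyword is passed as a bound parameter. The users table and its rows are constructed in memory for the demo.

```python
import re
import sqlite3

# Allowlist of the only two values the HTML form legitimately sends for 'by'.
# The column names on the right are assumed for this example.
SEARCH_COLUMNS = {"lastname": "lastname", "email": "email"}


def normalize_keyword(raw):
    """Apply the filtering the advisory observed on keywordraw:
    drop non-alphanumerics and upper-case the remainder."""
    return re.sub(r"[^A-Za-z0-9]", "", raw).upper()


def validate_search_field(by):
    """Map the untrusted 'by' value to a column name, or None if unknown.
    A value such as "passwd) LIKE ..." therefore never reaches the SQL text."""
    return SEARCH_COLUMNS.get(by)


def build_search(by, keywordraw):
    """Return (sql, params); the keyword is bound, never concatenated."""
    column = validate_search_field(by)
    if column is None:
        raise ValueError("unsupported search field: %r" % by)
    sql = ("SELECT user_id FROM users "
           "WHERE row_status = 0 AND available_ind = 'Y' AND public_ind = 'Y' "
           "AND upper(%s) LIKE ? ORDER BY lastname, firstname" % column)
    return sql, ("%" + normalize_keyword(keywordraw) + "%",)


def search_users(conn, by, keywordraw):
    sql, params = build_search(by, keywordraw)
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed in-memory users table with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, firstname TEXT, "
                 "lastname TEXT, email TEXT, passwd TEXT, row_status INTEGER, "
                 "available_ind TEXT, public_ind TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,?,?)", [
        ("jdoe", "Jane", "Doe", "jdoe@example.edu", "0" * 32, 0, "Y", "Y"),
        ("mmeow", "Max", "Meowski", "max@example.edu", "a" * 32, 0, "Y", "Y"),
    ])
    return conn
```

Because the column is chosen from the allowlist and the keyword is bound, no value of either parameter can add conditions or expose the passwd column.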
It is also possible for an attacker to extract a specific user's password.
This is accomplished through the following steps:
- Search for all accounts that have the letter 'a' in their hashed
password.
- If the target user does not appear in this list then choose another
letter, otherwise attempt to narrow down the list by searching for all
accounts with the sequence 'ab' in their hashed password.
- If the target user does not appear in this list then choose another
sequence such as 'ac' or 'ad'.
- Continue this process until the entire 32-character hash is extracted.
This process is labor and time intensive when done by hand; however, it is
easily scripted. Attached is a sample password extractor script that
requires only some manual labor to start. The following is a brief
synopsis of its usage:
- Determine the current session id from the current session-based cookie.
- Follow the above outlined steps to narrow the list of accounts
containing the target user to a single page.
- Modify the attached Perl script to contain the initial sequence (ex:
'abcd') from the previous step and the session id.
- Uncomment the "work forward" lines in the script. Run.
- The script should automatically determine the forward half of the
target user's hashed password. So 'abcd' may become 'abcd12345678...'.
- Next, comment out the "work forward" lines and uncomment the "work
backwards" lines in the script. Run.
- The script should automatically determine the backward half of the
target user's hashed password. So 'abcd' may become '12345678...abcd'.
- The combination of the two halves is the entire extracted hashed
password.
- At this point a dictionary or brute force attack can be utilized to
determine the target user's un-hashed password.
On a final note if an attacker could guess the codes that Blackboard uses
for system roles then it becomes possible to target attacks on important
users such as instructors and teaching assistants with the following
query:
/bin/common/search.pl?action=RESULTS
&context=USERDIR
&type=SEARCH
&operation=VIEW
&keyword=meow
&keywordraw=
&by=passwd) LIKE '%%' AND U.system_role = 't' AND upper(U.passwd
The added U.system_role = 't' condition is the key here.
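Because the injected text travels in the 'by' query parameter, an attempted or scripted extraction leaves a clear trace in the web server access log. The following is an added example (not part of the advisory or of Blackboard's software) that scans common-log-format lines for search.pl requests whose 'by' value is not one of the two form values; the log lines are constructed for the demo, with the advisory's own query URL-encoded in the third line.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# The two 'by' values the address-book form legitimately sends.
ALLOWED_BY = {"lastname", "email"}

# Constructed sample access-log lines (common log format), not from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jan/2003:10:00:01 +0200] "GET /bin/common/search.pl'
    '?action=RESULTS&context=ADDRESSBOOK&type=SEARCH&keywordraw=meow&by=lastname HTTP/1.0" 200 5120',
    '10.0.0.7 - - [21/Jan/2003:10:00:02 +0200] "GET /bin/common/search.pl'
    '?action=RESULTS&context=ADDRESSBOOK&type=SEARCH&keywordraw=meow&by=ruff HTTP/1.0" 500 312',
    '10.0.0.9 - - [21/Jan/2003:10:00:03 +0200] "GET /bin/common/search.pl'
    '?action=RESULTS&context=USERDIR&type=SEARCH&keyword=meow&keywordraw='
    '&by=passwd%29+LIKE+%27%25%25%27+AND+U.system_role+%3D+%27t%27+AND+upper%28U.passwd HTTP/1.0" 200 4100',
    '10.0.0.9 - - [21/Jan/2003:10:00:04 +0200] "GET /index.html HTTP/1.0" 200 1024',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_search_requests(lines):
    """Return one finding per search.pl request whose 'by' is not a form value."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/bin/common/search.pl"):
            continue
        # parse_qs decodes %xx escapes and '+' so we inspect the value as the CGI saw it
        by_values = parse_qs(parts.query, keep_blank_values=True).get("by", [])
        for by in by_values:
            if by not in ALLOWED_BY:
                findings.append({"ip": ip, "by": by,
                                 "has_sql": bool(re.search(r"\b(LIKE|AND|OR)\b", by, re.I))})
    return findings


def hits_per_ip(findings):
    """Count findings per source; the scripted hash extraction produces many."""
    return Counter(f["ip"] for f in findings)
```

A single unknown 'by' value (the 'ruff' probe, which also produced a 500) is worth a look; a burst of values containing SQL keywords from one address is the signature of the extraction loop described above.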
ADDITIONAL INFORMATION
The information has been provided by <mailto:pedram@redhive.com> Pedram
Amini.