Blackboard 5.x & patched 5.x systems Password Retrieval


Date: Fri, 24 Jan 2003 14:07:44 -0600
From: Cory Michal <cmichal@exceedsecurity.com>
To: bugtraq@lists.securityfocus.com
Subject: Blackboard 5.x & patched 5.x systems Password Retrieval

Exceed Security Systems
-------------------------------------
www.exceedsecurity.com

Although Blackboard has issued a patch that fixes the vulnerability
described on January 21st by Pedram Amini (pedram@redhive.com) on the
bugtraq list, it is still possible to use a similar technique to extract
users' passwords. My technique requires that you are logged into
Blackboard and enrolled in a class. The steps to complete the attack are
listed below.

1) Log in to your target blackboard server.

2) Select the password you want to query the server for; the server will
return a list of users with this password at the end of the attack.

3) Hash your password with md5.
    (here's a link to a perl script I wrote to do it)
http://www.exceedsecurity.com/~cmichal/hash.pl
    Example hash of the word blackboard.
    perl hash.pl blackboard 3f78011271f4e20d7dab7093b42eac47

4) Place your MD5 hash in this URL and go!

http://yourblackboardserver.com/bin/common/search.pl?action=RESULTS&course_id=YOURCOURSEIDHERE&context=USERBYCOURSE&type=SEARCH&operation=VIEW&keyword=&keywordraw=HashOfPasswordToTest&by=passwd

5) Look at the page to see all your classmates who have that password.

I wrote a script to automate this attack and it is posted here.
http://www.exceedsecurity.com/~cmichal/webRunner.sh
You need the hash.pl script listed above & curl for this to work
properly.

usage: sh webRunner.sh word_list
webRunner.sh will get a word from the dictionary, hash it, try it and
output the results.
You can get a valid sessionid from sniffing your connection while
logging into Blackboard. Look for session_id in the packets.


Have fun,

Cory Michal
cmichal@exceedsecurity.com
Exceed Security Systems
www.exceedsecurity.com
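
Added example, not part of the original message or of Blackboard's code: a log review that flags the search.pl requests described above, where the search field is passwd, and groups them by client to surface dictionary-style enumeration. The Apache common log format, the sample lines, the "lastname" field and the threshold are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache common log format assumed); the
# addresses, course ids, hash values and "lastname" field are made up.
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [24/Jan/2003:14:01:10 -0600] "GET /bin/common/search.pl?'
    'action=RESULTS&course_id=_1_1&context=USERBYCOURSE&type=SEARCH'
    '&operation=VIEW&keyword=smith&keywordraw=smith&by=lastname HTTP/1.1" 200 5120',
] + [
    '203.0.113.9 - - [24/Jan/2003:14:02:%02d -0600] "GET /bin/common/search.pl?'
    'action=RESULTS&course_id=_1_1&context=USERBYCOURSE&type=SEARCH'
    '&operation=VIEW&keyword=&keywordraw=%s&by=%s HTTP/1.1" 200 4890'
    % (i, format(i, "032x"), by)
    for i, by in enumerate(["passwd", "PASSWD", "p%61sswd"], start=1)
])

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def find_password_searches(log_text):
    """Map client address -> values searched against the passwd field."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/search.pl"):
            continue
        params = parse_qs(url.query)  # also undoes percent-encoding
        fields = [v.strip().lower() for v in params.get("by", [])]
        if "passwd" not in fields:
            continue
        raw = params.get("keywordraw", [""])[0]
        hits[client].append(raw if MD5_RE.match(raw) else "<non-md5 value>")
    return dict(hits)

def enumerating_clients(hits, threshold=3):
    """Clients that tried at least `threshold` distinct values."""
    return sorted(c for c, vals in hits.items() if len(set(vals)) >= threshold)

if __name__ == "__main__":
    found = find_password_searches(SAMPLE_LOG)
    for client, vals in found.items():
        print(client, len(vals), "searches by passwd")
    print("possible enumeration:", enumerating_clients(found))
```

Only parameters carried in the logged request line are visible to this check; parameters sent in a POST body would need application-level logging.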
