Subject: Security Vulnerability – Analysed
OK folks, I have just finished my analysis of what happened regarding BlackBoard's latest security vulnerability, and I feel I need to inform you about it. Here's the last announcement.
There is a security vulnerability in the BlackBoard code up to version 1.5.1-g. The problem is fixed from patch level 1.5.1-h on and in the development version of 2004-10-06 and newer. The vuln allowed arbitrary code execution in BlackBoard's context. I'm currently working on improving the (already stable) protection to prevent similar problems in the future.
I have tracked my server logs and found that the Chinese hacker already found the bug on Oct 02 at 14h in his local time and exploited it on this server. He was able to store his own PHP file on this domain and he used it to inspect the PHP & Apache configuration and explore the filesystem environment. He was also able to read the board's configuration file which contains sensitive password information. All passwords are of course changed now. His exploit script has at least file list/view/edit/delete capabilities. But what worries me a bit is that he visited the "Show your board" threads afterwards and followed two of the given links. He didn't spend much time on the sites though. But there is a chance he might also have tried that out on other BlackBoard installations. So it is strongly recommended to upgrade your board to the latest patch level. I estimate the risk that he may have damaged something as relatively small, considering he published his findings later and didn't exploit my other boards or seem to do any explicit harm on my server (as far as that is actually possible from my PHP's perspective).
He published the security report on Oct 06 to several security-related mailing lists, without even feeling the need to notify me about the issue. The patch was then available some hours after that document release (and about 30 minutes after I got notice of it).
So how can you check if he also visited your website?
Here's the relevant data with which you should be able to check your server or board access logs for his visit:
IP: 218.5.144.146
Date: 2004-10-02 08:00 to 09:30 (these are my times) +0200
Most likely requested filenames contain these strings:
?libpath=
cracklove.php
User agent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; MyIE2; .NET CLR 1.1.4322)"
Browser language: zh-cn
What should you do if he was there?
Since he proved he was able to read the board's configuration file and any other file a PHP script in this context has read access to, you should assume all sensitive access data accessible from this context compromised. That is, you should at least change the database and e-mail SMTP password the board uses to avoid any consequences in this regard.
How can you generally protect your server from similar exploits?
For PHP, you should really disable the error reporting on production sites. Set "error_reporting = 0" in your php.ini file. If you don't have access to this file, the PHP statement error_reporting(0); does the same. This suppresses any error output upon a programme failure which may expose sensitive information about your application to a potential hacker. Additionally, the PHP setting "allow_url_fopen" can be set to Off to gain a little more security for this class of holes. But this may lead to your applications not working correctly anymore, so please first check this for compatibility in your environment. I'm currently checking BlackBoard's compatibility with it.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬

Yves
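The post above lists the indicators to look for (source IP, time window, request strings, user agent). As an added example that is not part of the post or of BlackBoard itself, here is a small scanner that parses Apache combined-format access log lines and reports which of those indicators each line matches. The log lines in `SAMPLE_LOG` are constructed for illustration; only the IP, time window, strings and user agent come from the post.

```python
"""Scan Apache combined-format access logs for the indicators given in the post.

Added example, not code from the post or from BlackBoard. The indicator values
are copied from the post; the sample log lines are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Indicators from the post.
INDICATOR_IP = "218.5.144.146"
INDICATOR_STRINGS = ("?libpath=", "cracklove.php")
INDICATOR_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; "
                "MyIE2; .NET CLR 1.1.4322)")
# 2004-10-02 08:00 to 09:30 in the poster's local time (+0200).
TZ = timezone(timedelta(hours=2))
WINDOW_START = datetime(2004, 10, 2, 8, 0, tzinfo=TZ)
WINDOW_END = datetime(2004, 10, 2, 9, 30, tzinfo=TZ)

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Oct/2004:08:05:12 +0200] "GET /index.php HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '218.5.144.146 - - [02/Oct/2004:08:17:44 +0200] '
    '"GET /index.php?libpath=x HTTP/1.1" 200 312 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; MyIE2; .NET CLR 1.1.4322)"',
    '218.5.144.146 - - [02/Oct/2004:08:21:03 +0200] '
    '"GET /cracklove.php HTTP/1.1" 200 9811 "-" "..."',
    '198.51.100.7 - - [03/Oct/2004:14:02:09 +0200] '
    '"GET /forum/cracklove.php HTTP/1.1" 404 210 "-" "curl/7.12"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Apache writes the timestamp as 02/Oct/2004:08:17:44 +0200.
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def match_indicators(entry):
    """Return the list of indicator names the parsed entry matches."""
    hits = []
    if entry["ip"] == INDICATOR_IP:
        hits.append("ip")
    for s in INDICATOR_STRINGS:
        if s in entry["request"]:
            hits.append("request:" + s)
    if entry["ua"] == INDICATOR_UA:
        hits.append("ua")
    if WINDOW_START <= entry["time"] <= WINDOW_END:
        hits.append("time-window")
    return hits


def scan(lines):
    """Return (line_number, hits) for every line that matches at least one
    indicator other than the time window alone; the window by itself is far
    too weak to flag ordinary traffic."""
    results = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue
        hits = match_indicators(entry)
        if any(h != "time-window" for h in hits):
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

To run it against a real log, replace `SAMPLE_LOG` with the lines of your access log (`open("access.log")`). A hit on the IP or user agent alone is only circumstantial; a request containing `?libpath=` or `cracklove.php` is the stronger signal, and any such hit means you should follow the post's advice and treat the board's configured passwords as compromised.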
There's no simple patching of some functions for a new version...
Bad boy, but thanks for reporting the bugs
:wand: