Disclosure of Major Software Exploits by Students?
school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and self-tested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough to suggest a means of fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do *you* do?" While the responses from an earlier story might prove useful here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble when trying to notify their university of security problems?
This probably has to do with "Blackboard" software, i.e. learn.vt.edu.
This software tries to be everything to everyone, and all most teachers use it for is posting grades.
It doesn't surprise me that there are bugs in it, though. There have been several show up on astalavista.box.sk, and those were fixed, but the design of the program doesn't strike me as being particularly sound.
~Will
sig?
Send the mail with the exploit to abuse/contact/CEO@companywithexploit.com
Tell them that you will release the exploit within 30/60/90 days on Bugtraq, Freenet and Slashdot unless they fix it.
Make sure you also send the mail to:
-Local/regional newspapers.
-The school/school council/principal/teachers/newspaper.
-Local government official(s).
If they don't fix the shit after this, release the exploit *anonymously*.
Proud patriot and republican voter.
Sure, it's probably Blackboard which most colleges use, but if it's not Bb, it could also be Banner by SCT which plenty of schools also use.
;) )
Compromising Banner is far more dangerous than Blackboard (Bb).... Most schools that use Banner use it as their student management system, which records official transcript, program requirements met, class registration, etc. etc.
In my last undergrad semester, my team developed a website that interfaced directly w/ the Banner system and even found some loopholes in it which we exploited to allow our website to do a better job at calculating program requirements met and suggested offerings to complete it. (This was for an Advanced Software Project Mgmt class)
Needless to say, the Registrar's office people were very intrigued by our exploration into the limits of the current system. I imagine a less cooperative school administration would be more punitive. (But I went to a business school, so they know we just get motivated by $$.)
I'm making the assumption that the software you found a problem in is Blackboard. I apologize if that is not the case; however, I would still be happy to take your discovery to the vendors of whatever software it is on your behalf.

I work for a major university as the Blackboard programmer/administrator. I've been working on the Blackboard code for years, making substantial modifications to the Bb system to suit our university. I've found my share of bugs, problems, and more than one gaping hole. Blackboard is riddled with XSS, input validation, SQL insertion, replay, predictable sequences, and I'm sure countless other vulnerabilities. Quite frankly I'm amazed at how few breaches I hear about.

I think you're right to be careful, but try not to get carried away. At least in our department, we're eager to hear about problems and fix them. We're not interested in ruining someone's college education. However, you should be careful about who you contact. At our university, the usual IT people are paranoid. You need to get as close to the people who deal with Bb as you possibly can. Contacting a suit in upper IT would likely get you the slapdown. Start lower. You're looking for the geeky programmer who deals with Bb all day long and would drop everything they are doing to fix a hole in their system.

If you are not comfortable contacting representatives at your university, feel free to contact me about your discovery. This sort of stuff is what I do, and besides, I'm already on Blackboard's shit list. I have another issue to report to Bb (the aforementioned gaping hole), and I'd be happy to send your information along with it, with or without your name. jeff (somewhere near) jsnider.net