Security and Privacy of University Grades - Part 2: Security [Updated]

After having talked about the privacy of university grades, I now want to talk a bit about the security of university grades and present a vulnerability in a frequently used piece of software.

Security of University Grades

Many of my professors in the Mathematical Institute, and also many professors at other universities, use OKUSON to publish, manage, and grade homework assignments. OKUSON is open source software written in Python which provides a complete web server and was developed at RWTH Aachen. Back in mid 2013 I screened the source code and was not amused at first, because the coding style was what I would consider *not so good* (the software mainly consists of one file containing ~4000 lines of code with rare comments). However, my amusement grew after a while when I found the first vulnerability.

Have a quick look at the relevant code:

import random
import time

def AdminLogin(req,onlyhead):
    #[...]
    global currentcookie
    if passwd != Config.conf['AdministratorPassword']:
        return Delegate('/errors/wrongpasswd.html',req,onlyhead)

    # the PRNG is seeded with the wall-clock time and the admin token
    # is a single number below 10^7
    random.seed(time.time())
    currentcookie = str(random.randrange(10000000))
    #[...]
    header['Set-Cookie'] = 'OKUSON='+currentcookie+ \
         ';Path=/;Max-Age=3600;Version=1'
    #[...]

def Authenticate(p,req,onlyhead): #code abridged
    # the cookie presented by the client is compared with the one global token
    if (user_cookie == currentcookie):
        return 1     # Administrator
    else:
        return 0     # Guest authentication


def AdminLogout(req,onlyhead):
    #here is not much code, just do this:
    # note: nothing checks whether the caller is the administrator
    global currentcookie
    currentcookie = None

We can identify several problems:

  • Authentication is managed via a single global variable currentcookie. It is "randomly" generated, and once you know its content you are granted admin permissions.
  • The function AdminLogout does not require authentication. Anyone can easily log out the admin by accessing http://site.com/AdminLogout.
  • The entropy of the secret currentcookie, namely the range of random.randrange, is too small. A brute force attack would succeed in ~2 days depending on your network and the host's computing power.
  • The random.seed is the server time in SECONDS :o
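To make the gap concrete, here is an added example (my own illustration, not OKUSON's code) that places the weak token scheme from the snippet above beside a hardened one: an OS-backed random token, constant-time comparison, and a logout that only the session holder can trigger. The one-second clock resolution is modelled by seeding with int(login_time), as observed on my reference system.

```python
import hmac
import math
import random
import secrets
from typing import Optional

COOKIE_RANGE = 10000000   # randrange upper bound from the snippet above


def weak_token(login_time: float) -> str:
    """Token derived as in the vulnerable AdminLogin: seeded by wall-clock time.
    int() models the 1 s resolution seen on the reference system (assumption)."""
    random.seed(int(login_time))
    return str(random.randrange(COOKIE_RANGE))


def weak_token_bits() -> float:
    """Entropy of the weak token if the seed were unknown: log2(10^7), about 23.3 bits."""
    return math.log2(COOKIE_RANGE)


def strong_token() -> str:
    """OS-backed CSPRNG token: 32 bytes = 256 bits, independent of the clock."""
    return secrets.token_hex(32)


def is_admin(presented: Optional[str], current: Optional[str]) -> bool:
    """Constant-time comparison; 'nobody logged in' (None) never authenticates."""
    if presented is None or current is None:
        return False
    return hmac.compare_digest(presented, current)


def logout(presented: Optional[str], current: Optional[str]) -> Optional[str]:
    """Only the holder of the current admin cookie may clear the session;
    returns the new value of the global session token."""
    if not is_admin(presented, current):
        return current          # unauthenticated request leaves the session untouched
    return None


if __name__ == "__main__":
    t = 1400000000.0            # constructed login timestamp
    # same second, same token: the seed carries no secret
    print(weak_token(t) == weak_token(t + 0.4))
    print("%.1f bits vs 256 bits" % weak_token_bits())
    print(strong_token() != strong_token())
```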

With these observations, our attack would look like this:

  1. Ping the website at intervals of ~2 minutes until an administrator logs in. The site /adminmenu.html tells you whether someone is logged in :o
  2. As soon as an admin logs in, log him out by accessing /AdminLogout.
    Now the *hot* phase begins.
  3. Ping /adminmenu.html at intervals of ~500 ms until the admin logs in again. You get the server time inside the HTTP response header for free.
  4. Calculate currentcookie by using
    random.seed(the_time_the_admin_logged_in)
    currentcookie = str(random.randrange(10000000))
  5. Et voilà: log in yourself.
    (Be quick, as the real admin might log himself (and you) out, but usually they do not.)

Given admin permissions, one can change the grades of all homework assignments and sometimes also the grade of the final exam, depending on whether the professor uses this feature.

I informed the author of OKUSON, Frank Lübeck, in February but apparently could not get his attention. I have also informed my university's data center staff.

To state the obvious: I have a working exploit which I have tested on my own installation of OKUSON on my own hardware, but I never exploited any system that did not belong to me. I recommend my readers do the same. You should, however, inform your professors about the insecurity of OKUSON if they use it.

Update (16.05.2014)

Frank Lübeck, one of the authors of OKUSON, responded to me on 16th May after colleagues made him aware of this blog post, with the request to add the following information:

[...] we (the authors of OKUSON) assume that an installation of OKUSON is done on a computer which is not accessible to students (because, as you mention correctly, such a server will collect personal data of course participants).
OKUSON's web interface contains a few pages for administration and some of the personal data are available via this interface. However, in the default installation these administrator pages are only accessible from the same computer which runs the OKUSON service. The configuration allows giving administrator access from other machines or networks, but the manual states that this should be used with care and why.

I have not seen an installation of OKUSON where the admin interface was not available to the public, though.
Furthermore, he added that time.time() might also give you the time in ns, depending on your system. On my reference system this was not the case; there I got the time in seconds.

Update (23.05.2014)

There is an update available which fixes the said vulnerability. You should download it at http://www.math.rwth-aachen.de/~OKUSON/#download

You can also find the official security notice now at http://www.math.rwth-aachen.de/~OKUSON/security1.3.html

Note: This blog entry was not available to the public from 16th to 28th May to give the developers more time to fix the issue.