Entries tagged as fileexfiltration
bigbluebutton cookie itsecurity jodconverter libreoffice security websecurity xss drupal gallery mantis php session sniffing squirrelmail ssl apache javascript userdir web 0days 27c3 addresssanitizer adguard adobe aead aes afra aiglx algorithm altushost android antivir antivirus aok apt asan auskunftsanspruch axfr azure badkeys barcamp bash berlin berserk bias bleichenbacher blog bodensee botnetz braunschweig browser bsi bsideshn bufferoverflow bugbounty bundesdatenschutzgesetz bundestrojaner bundesverfassungsgericht busby bypass c ca cacert cbc ccc cccamp11 cellular certificate cfb chcounter chrome chromium clamav clang clickjacking cloudflare cmi cms code compiz conflictofinterest crash crypto cryptography csrf cve darmstadt datenschutz deb debian dell deolalikar diffiehellman dingens diploma diplomarbeit distributions dns domain easterhegg edellroot eff email encryption english eplus facebook fedora firefox firewall fortigate fortinet forwardsecrecy freak freesoftware freewvs frequency fsfe ftp fuzzing gajim gcc gentoo ghost gimp git glibc gnupg gnutls gobi google gpg gsm gsoc gstreamer hackerone hacking hannover hash heartbleed helma http https infoleak informationdisclosure internetscan ircbot jabber joomla karlsruhe kaspersky key keyexchange komodia leak lessig linux luckythirteen malware maninthemiddle math md5 memorysafety mephisto microsoft milleniumproblems mitm mobilephones modulobias moodle mozilla mpaa mplayer mrmcd mrmcd100b mrmcd101b multimedia mysql napster nessus netfiltersdk newspaper nist nss ntp ntpd observatory onlinedurchsuchung openbsc openbts openleaks openpgp openssl openvas osmocombb otr owncloud packagemanagement padding panda papierlos password passwordalert passwort passwörter pdo pgp phishing pnp poodle privacy privatekey privdog protocolfilters provablesecurity pss python rand random rc2 redhat rhein rpm rsa rsapss rss s9y salinecourier schlüssel science serendipity server sha1 sha2 sha256 sha512 shellbot shellshock sicherheit signatures slides smime snallygaster sni spam sqlinjection staatsanwaltschaft stacktrace study stuttgart subdomain sunras superfish support talk taz thesis tls tlsdate toendacms transvalid überwachung ubuntu unicef unicode update updates useafterfree utf-8 verschlüsselung virus vlc vortrag vulnerabilities vulnerability webapps webmontag wiesbaden windows windowsxp wiretapping wordpress x509 xgl xine xmpp xsa zerodays zugangsdaten zzuf breach content-security-policy cookies core coredump crime csp grsecurity heist samesite segfault symlink time webhosting webroot webserver okte
Wednesday, October 21. 2020
File Exfiltration via Libreoffice in BigBlueButton and JODConverter
BigBlueButton is a free web-based video conferencing software that lately got quite popular, largely due to Covid-19. Earlier this year I did a brief check on its security which led to an article on Golem.de (German). I want to share the most significant findings here.BigBlueButton has a feature that lets a presenter upload a presentation in a wide variety of file formats that gets then displayed in the web application. This looked like a huge attack surface. The conversion for many file formats is done with Libreoffice on the server. Looking for ways to exploit server-side Libreoffice rendering I found a blog post by Bret Buerhaus that discussed a number of ways of exploiting such setups.
One of the methods described there is a feature in Opendocument Text (ODT) files that allows embedding a file from an external URL in a text section. This can be a web URL like https or a file url and include a local file.
This directly worked in BigBlueButton. An ODT file that referenced a local file would display that local file. This allows displaying any file that the user running the BigBlueButton service could access on the server. A possible way to exploit this is to exfiltrate the configuration file that contains the API secret key, which then allows basically controlling the BigBlueButton instance. I have a video showing the exploit here. (I will publish the exploit later.)
I reported this to the developers of BigBlueButton in May. Unfortunately my experience with their security process was not very good. At first I did not get an answer at all. After another mail they told me they plan to sandbox the Libreoffice process either via a chroot or a docker container. However that still has not happened yet. It is planned for the upcoming version 2.3 and independent of this bug this is a good idea, as Libreoffice just creates a lot of attack surface.
Recently I looked a bit more into this. The functionality to include external files only happens after a manual user confirmation and if one uses Libreoffice on the command line it does not work at all by default. So in theory this exploit should not have worked, but it did.
It turned out the reason for this was another piece of software that BigBlueButton uses called JODConverter. It provides a wrapper around the conversion functionality of Libreoffice. After contacting both the Libreoffice security team and the developer of JODConverter we figured out that it enables including external URLs by default.
I forwarded this information to the BigBlueButton developers and it finally let to a fix, they now change the default settings of JODConverter manually. The JODConverter developer considers changing the default as well, but this has not happened yet. Other software or web pages using JODConverter for serverside file conversion may thus still be vulnerable.
The fix was included in version 2.2.27. Today I learned that the company RedTeam Pentesting has later independently found the same vulnerability. They also requested a CVE: It is now filed as CVE-2020-25820.
While this issue is fixed, the handling of security issues by BigBlueButton was not exactly stellar. It took around five months from my initial report to a fix. The release notes do not mention that this is an important security update (the change has the note “speed up the conversion”).
I found a bunch of other security issues in BigBlueButton and proposed some hardening changes. This took a lot of back and forth, but all significant issues are resolved now.
Another issue with the presentation upload was that it allowed cross site scripting, because it did not set a proper content type for downloads. This was independently discovered by another person and was fixed a while ago. (If you are interested in details about this class of vulnerabilities: I have given a talk about it at last year’s Security Fest.)
The session Cookies both from BigBlueButton itself and from its default web frontend Greenlight were not set with a secure flag, so the cookies could be transmitted in clear text over the network. This has also been changed now.
By default the BigBlueButton installation script starts several services that open ports that do not need to be publicly accessible. This is now also changed. A freeswitch service run locally was installed with a default password (“ClueCon”), this is now also changed to a random password by the installation script.
What also looks quite problematic is the use of outdated software. BigBlueButton only works on Ubuntu 16.04, which is a long term support version, so it still receives updates. But it also uses several external repositories, including one that installs NodeJS version 8 and shows a warning that this repository no longer receives security updates. There is an open bug in the bug tracker.
If you are using BigBlueButton I strongly recommend you update to at least version 2.2.27. This should fix all the issues I found. I would wish that the BigBlueButton developers improve their security process, react more timely to external reports and more transparent when issues are fixed.
Image Source: Wikimedia Commons / NOAA / Public Domain
Update: Proof of concept published.