TL;DR: The patch for CVE-2020-12112 was insufficient. Lukas2511 found a bypass for it, so update to v2.2.6 asap.
BigBlueButton had a rather trivial local file inclusion vulnerability. It is described here.
Essentially it was possible to change the presFilename URL parameter to download arbitrary files instead of the presentation.
Example request downloading /etc/passwd:
curl https://test.bigbluebutton.org/bigbluebutton/presentation/download/ffc98830dbfbac3dcc80cc4c5f30711ebd1c23e8-1586764259489/d2d9a672040fbde2a47a10bf6c37b6a4b5ae187f-1586764259500?presFilename=../../../../../etc/passwd
The BigBlueButton maintainers rolled out an emergency fix with version 2.2.5.
Instead of fixing the LFI in the service, they added a check to the NGINX reverse proxy config:
location ~ "^/bigbluebutton/presentation/download\/[0-9a-f]+-[0-9]+/[0-9a-f]+-[0-9]+$" {
    if ($arg_presFilename !~ "^[0-9a-f]+-[0-9]+\.[0-9a-zA-Z]+$") {
        return 404;
    }
    proxy_pass http://127.0.0.1:8090$uri$is_args$args;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Workaround IE refusal to set cookies in iframe
    add_header P3P 'CP="No P3P policy available"';
}
With this check at the reverse proxy, the presFilename parameter can only consist of letters, digits, a hyphen and a single dot. Therefore, directory traversal via ../ should not be possible.
Unfortunately, this patch has (at least) two problems:
- The vulnerable Java service is, by default, exposed to the outer world via port 8090. So the LFI is directly accessible in case a BBB admin did not set a corresponding firewall rule. The documentation does explain what ports are needed for the service, but this is still a very bad default.
- Even with restrictive firewall rules, the LFI can still be exploited through the reverse proxy.
As it turns out, the $arg_VARNAME variable in NGINX matches the parameter name case-insensitively. This makes it possible to desynchronize the reverse proxy and the vulnerable backend service.
Appending two parameters to the URL of the form:
?presfilename=ff-1337.pdf&presFilename=../../../../../../../../etc/passwd
triggers the LFI. NGINX checks presfilename for validity, but the Java backend interprets the presFilename parameter. Therefore the requested file will be returned by the backend.
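To make the desynchronisation concrete, here is an added example (my own code, not part of the original post or of BigBlueButton) that models the two parameter lookups side by side: NGINX's $arg_NAME is modelled as "first parameter whose name matches case-insensitively" and the Java backend as an exact, case-sensitive lookup, both of which are assumptions drawn from the post's description. It runs the 2.2.5 allowlist regex from the config above against a legitimate query and against the desync query, and shows a proxy-side check that cannot be split this way because it validates every case-variant of the name and rejects duplicates.

```python
import re
from urllib.parse import parse_qsl

# Allowlist from the 2.2.5 NGINX workaround (the regex shown in the post).
ALLOWED = re.compile(r"^[0-9a-f]+-[0-9]+\.[0-9a-zA-Z]+$")


def nginx_arg(query, name):
    """Model of NGINX's $arg_NAME (assumption: the first parameter whose name
    matches case-insensitively, as the post describes)."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() == name.lower():
            return value
    return None


def backend_param(query, name):
    """Model of the Java backend's lookup (assumption: exact, case-sensitive
    name match, first occurrence)."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == name:
            return value
    return None


def proxy_check_2_2_5(query):
    """The 2.2.5 check: only what $arg_presFilename resolves to is validated."""
    value = nginx_arg(query, "presFilename")
    return value is not None and ALLOWED.match(value) is not None


def proxy_check_hardened(query):
    """A check that cannot be desynchronised this way: every parameter whose
    name matches case-insensitively is validated, and more than one such
    parameter is rejected outright."""
    values = [v for k, v in parse_qsl(query, keep_blank_values=True)
              if k.lower() == "presfilename"]
    return len(values) == 1 and ALLOWED.match(values[0]) is not None


def file_reaching_backend(query, check):
    """What the backend would try to open if the proxy check passes,
    or None if the proxy answers 404."""
    if not check(query):
        return None
    return backend_param(query, "presFilename")


# Constructed sample queries: a legitimate download and the desync from the post.
LEGIT = "presFilename=ff-1337.pdf"
DESYNC = "presfilename=ff-1337.pdf&presFilename=../../../../../../../../etc/passwd"

if __name__ == "__main__":
    for q in (LEGIT, DESYNC):
        print(q)
        print("  2.2.5 check ->", file_reaching_backend(q, proxy_check_2_2_5))
        print("  hardened    ->", file_reaching_backend(q, proxy_check_hardened))
```

The hardened variant only shows the property a proxy-side filter needs (one candidate, validated under the same name normalisation the backend cannot be tricked out of); it is still a mitigation in front of a component that trusts the parameter, which is the point the rest of the post makes.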
Using the LFI an attacker can for example download the file /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties which contains the securitySalt value in cleartext. With this securitySalt the attacker has access to the API, effectively gaining administrator privileges.
The key takeaways here are:
- Always use failsafe defaults. Exposing an internal service to the outer world is probably not a good idea.
- Instead of mitigating, always fix the root cause, the actual vulnerability.
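What fixing the root cause looks like in the service itself, as an added example (my own code, not BigBlueButton's): the backend allowlists the meeting and presentation identifiers and the file name with the same shapes the NGINX rule uses, then canonicalises the requested path and refuses anything that does not end up inside that presentation's own directory. The base directory /srv/presentations and the identifiers in the usage are constructed placeholders; the path check works on strings only, and a deployment should additionally apply os.path.realpath so that symlinks cannot escape the directory either.

```python
import posixpath
import re

# Identifier shapes taken from the NGINX location and allowlist in the post.
ID_RE = re.compile(r"^[0-9a-f]+-[0-9]+$")
FILENAME_RE = re.compile(r"^[0-9a-f]+-[0-9]+\.[0-9a-zA-Z]+$")


def confined_path(base_dir, meeting_id, pres_id, filename):
    """Canonicalise the requested path and return it only if it is a direct
    child of the presentation's directory; otherwise return None.
    String-only check: run os.path.realpath on the result as well in a real
    deployment to defeat symlinks (assumption: files are not symlinked here)."""
    target_dir = posixpath.normpath(posixpath.join(base_dir, meeting_id, pres_id))
    # posixpath.join discards target_dir if filename is absolute, and normpath
    # collapses any ../ segments, so the dirname comparison catches both cases.
    candidate = posixpath.normpath(posixpath.join(target_dir, filename))
    if posixpath.dirname(candidate) != target_dir:
        return None
    return candidate


def resolve_presentation_file(base_dir, meeting_id, pres_id, filename):
    """Backend-side replacement for trusting presFilename: allowlist every
    user-controlled component first, then confine the canonical path.
    Either layer alone would stop the traversal; keeping both means a bypass
    of one (like the proxy desync) does not turn into file disclosure."""
    if not (ID_RE.match(meeting_id) and ID_RE.match(pres_id)
            and FILENAME_RE.match(filename)):
        return None
    return confined_path(base_dir, meeting_id, pres_id, filename)


if __name__ == "__main__":
    base = "/srv/presentations"  # constructed placeholder, not BBB's real path
    for name in ("ff-1337.pdf", "../../../../../etc/passwd", "/etc/passwd"):
        print(name, "->", resolve_presentation_file(base, "ffc9-1", "d2d9-2", name))
```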
But of course this is easy for me to say. I don't have to fix anything.
BigBlueButton is a great open source tool with a very active developer community. They fixed the reported bugs very fast (I assume in their spare time). So maybe consider supporting BBB by contributing to the project.
This issue was assigned CVE-2020-12443. A proof of concept exploit can be found here.