Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

BBB LFI Writeup

TL;DR: The patch for CVE-2020-12112 was insufficient. Lukas2511 found a bypass for it, so update to v2.2.6 asap.

CVE-2020-12112

BigBlueButton had a rather trivial local file inclusion vulnerability. It is described here.

Essentially it was possible to change the presFilename URL parameter to download arbitraty files, instead of the presentiation. Example request downloading /etc/passwd:

curl https://test.bigbluebutton.org/bigbluebutton/presentation/download/ffc98830dbfbac3dcc80cc4c5f30711ebd1c23e8-1586764259489/d2d9a672040fbde2a47a10bf6c37b6a4b5ae187f-1586764259500?presFilename=../../../../../etc/passwd

The Patch

The BigBlueButton maintainters rolled out an emergency fix with version 2.2.5.

Instead of fixing the LFI in the service, they added a check to the NGINX reverse proxy config:

location ~ "^/bigbluebutton/presentation/download\/[0-9a-f]+-[0-9]+/[0-9a-f]+-[0-9]+$" {
			if ($arg_presFilename !~ "^[0-9a-f]+-[0-9]+\.[0-9a-zA-Z]+$") {
				return 404;
			}
			proxy_pass         http://127.0.0.1:8090$uri$is_args$args;
			proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
			# Workaround IE refusal to set cookies in iframe
			add_header P3P 'CP="No P3P policy available"';
}

With this check at the reverse proxy, the pregFilename parameter can only consist of characters, digits and a single dot. Therefore, directory traversal via ../ should not be possible.

Unfortunately, this patch has (at least) two problems:

  1. The vulnerable java service is, by default, exposed to the outer world via port 8090. So the LFI is directly accessible in case a BBB admin did not set a corresponding firewall rule. The documentation does explain what ports are needed for the service, but this is still a very bad default.
  2. Even with restrictive firewall rules, the LFI can still be exploited through the reverse proxy.

Exploit via Reverse Proxy

Reverse Proxy Go Brrr

As it turns out, the $arg_VARNAME variable in NGINX is case-insensitive. This makes it possible to desynchronize the reverse proxy and the vulnerable backend service.

Appending two parameters to the URL of the form:

?presfilename=ff-1337.pdf&presFilename=../../../../../../../../etc/passwd

triggers the LFI.

NGINX checks presfilename for validity, but the Java backend interprets the presFilename parameter. Therefore the requested file will be returned by the backend.

Impact

Using the LFI an attacker can for example download the file /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties which contains the securitySalt value in cleartext. With this securitySalt the attacker has access to the API, effectively gaining administrator privileges.

Take Aways

The key takeaways here are:

  1. Always use failsafe defaults. Exposing an internal service to the outer world is probably not a good idea.
  2. Instead of mitigating, always fix the root of cause, the actual vulnerability .

But of course this is easy for me to say. I don't have to fix anything.

BigBlueButton is a great open source tool with a very active developer community. They fixed the reported bugs very fast (I assume in their spare time). So maybe consider supporting BBB by contributing to the project.

This issue was asigned CVE-2020-12443. A proof of concept exploit can be found here.