BigBlueButton is a free web-based video conferencing software that lately got quite popular, largely due to Covid-19. Earlier this year I did a brief check on its security which led to an article on (German). I want to share the most significant findings here.

BigBlueButton has a feature that lets a presenter upload a presentation in a wide variety of file formats, which then gets displayed in the web application. This looked like a huge attack surface. The conversion for many file formats is done with LibreOffice on the server. Looking for ways to exploit server-side LibreOffice rendering I found a blog post by Bret Buerhaus that discussed a number of ways of exploiting such setups.

One of the methods described there is a feature in OpenDocument Text (ODT) files that allows embedding a file from an external URL in a text section. This can be a web URL like https or a file URL and include a local file.

This directly worked in BigBlueButton. An ODT file that referenced a local file would display that local file. This allows displaying any file that the user running the BigBlueButton service could access on the server. A possible way to exploit this is to exfiltrate the configuration file that contains the API secret key, which then allows basically controlling the BigBlueButton instance. I have a video showing the exploit here.

Source: Hanno’s Blog

I never understood why you need to include external files or webpages in such a document and I can’t even think of a use case where this is a great idea, unless you want to fuck up things.

Here’s the PoC, in case you’re interested.
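A defensive check for the linked-file behaviour the quoted post describes: before an uploaded ODT is handed to LibreOffice, unpack the package and reject any document whose `xlink:href` attributes point outside it (a `file:`, `http:` or `https:` URL, or an absolute path) instead of at an embedded part. This is an added example, not code from BigBlueButton or from Hanno's blog; the two sample documents, the `/path/to/placeholder.properties` path and the choice to exempt plain `text:a` hyperlinks (which a converter does not fetch) are constructed assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
# Plain hyperlinks (<text:a>) are click targets, not content the converter
# fetches, so they are exempted here (assumption / policy choice).
EXEMPT_TAGS = {f"{{{TEXT_NS}}}a"}
# ODF package parts that can carry link references.
XML_PARTS = ("content.xml", "styles.xml")


def find_external_refs(odt_bytes):
    """Return (part, tag, href) for every xlink:href in the package that
    points outside it: any URL with a scheme (file:, http:, https:, ...)
    or an absolute path. Relative references to embedded parts such as
    Pictures/logo.png are left alone."""
    found = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for part in XML_PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for elem in root.iter():
                href = elem.get(XLINK_HREF)
                if href is None or elem.tag in EXEMPT_TAGS:
                    continue
                if urlsplit(href).scheme or href.startswith(("/", "\\")):
                    found.append((part, elem.tag, href))
    return found


def is_safe_to_convert(odt_bytes):
    """True when the document carries no external or absolute references."""
    return not find_external_refs(odt_bytes)


def build_odt(content_xml):
    """Assemble a minimal ODT package in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
         '<office:document-content '
         'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
         'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
         'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
         'xmlns:xlink="http://www.w3.org/1999/xlink">'
         '<office:body><office:text>')
_TAIL = '</office:text></office:body></office:document-content>'

# Constructed sample 1: a section whose content is linked from a local file
# (placeholder path, not a real BigBlueButton location).
LINKED_SECTION_DOC = build_odt(
    _HEAD
    + '<text:section text:name="Sect1">'
    '<text:section-source xlink:href="file:///path/to/placeholder.properties"/>'
    '</text:section>'
    + _TAIL)

# Constructed sample 2: a benign document with a hyperlink and an image
# stored inside the package.
BENIGN_DOC = build_odt(
    _HEAD
    + '<text:p>See <text:a xlink:href="https://example.com/">our site</text:a></text:p>'
    '<draw:frame><draw:image xlink:href="Pictures/logo.png"/></draw:frame>'
    + _TAIL)


if __name__ == "__main__":
    for name, doc in (("linked", LINKED_SECTION_DOC), ("benign", BENIGN_DOC)):
        verdict = "accept" if is_safe_to_convert(doc) else "reject"
        print(name, "->", verdict, find_external_refs(doc))
```

The check runs on the raw upload, before any converter touches it, and reports which part and element carried the reference so the rejection can be logged. It only inspects the XML parts listed in `XML_PARTS`; references inside other embedded objects in the package are out of scope for this snippet.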
