Advisory: Arbitrary File Disclosure and Server-Side Request Forgery in BigBlueButton  
RedTeam Pentesting discovered a vulnerability in the BigBlueButton web  
conferencing system which allows participants of a conference with  
permissions to upload presentations to read arbitrary files from the  
file system and perform server-side requests. This leads to  
administrative access to the BigBlueButton instance.  
Product: BigBlueButton  
Affected Versions: 2.2.25, potentially earlier versions as well  
Fixed Versions: 2.2.27  
Vulnerability Type: Arbitrary File Disclosure and  
Server-Side Request Forgery  
Security Risk: medium  
Vendor URL:  
Vendor Status: fixed version released  
Advisory URL:  
Advisory Status: published  
CVE: CVE-2020-25820  
"BigBlueButton is a web conferencing system designed for online  
(from the vendor's homepage)  
More Details  
BigBlueButton is a web conferencing system that allows participants with  
the appropriate privileges to upload files in various formats to be used  
as presentation slides. Among other formats, BigBlueButton accepts  
LibreOffice documents[1]. LibreOffice documents use the XML-based Open  
Document Format for Office Applications (ODF)[2]. For technical  
purposes, uploaded files are converted to PDF format with LibreOffice  
and afterwards to SVG for displaying[6].  
The ODF file format supports using the XML Linking Language (XLink) to  
create links between documents[3]. When local files are referenced using  
XLinks, the contents of the respective files are included in the  
generated PDF file when BigBlueButton converts ODF documents with  
LibreOffice. This leads to an arbitrary file disclosure vulnerability,  
allowing malicious participants of conferences to extract files from the  
BigBlueButton server's file system.  
LibreOffice also embeds XLinks to remote locations when a document is  
converted, which allows to perform server-side requests.  
Proof of Concept  
Start from an empty ODF Text Document and extract the content:  
$ mkdir tmp-doc && cd tmp-doc  
$ unzip ../empty.odt  
Archive: empty.odt  
extracting: mimetype  
creating: Configurations2/accelerator/  
creating: Configurations2/images/Bitmaps/  
creating: Configurations2/toolpanel/  
creating: Configurations2/progressbar/  
creating: Configurations2/statusbar/  
creating: Configurations2/toolbar/  
creating: Configurations2/floater/  
creating: Configurations2/popupmenu/  
creating: Configurations2/menubar/  
inflating: manifest.rdf  
inflating: meta.xml  
inflating: settings.xml  
extracting: Thumbnails/thumbnail.png  
inflating: styles.xml  
inflating: content.xml  
inflating: META-INF/manifest.xml  
Replace the <office:body> element in the file content.xml with the  
<text:section text:name="string">  
The text document now includes a section that references the external  
file /etc/passwd. Create an new ODF Text Document with the modified  
$ zip -r ../modified.odt *  
The document can now be uploaded as a presentation. After the  
conversion, the presentation shows the contents of the file  
/etc/passwd from the system running the BigBlueButton conferencing  
software. To perform server-side requests, substitute the xlink:href  
attribute's value with a remote URL such as  
<text:section text:name="string">  
When converting a document with this content, LibreOffice will fetch the  
website's content and embed it into the generated PDF file.  
To work around this issue, the conversion feature should be disabled if  
it is not used. Otherwise, permission to upload presentations should  
only be given to trusted users. Additionally, the allowed file types for  
upload can be restricted to just PDF files.  
Update to fixed version 2.2.27. Change API key after update.  
Security Risk  
As shown, the presentation conversion feature of BigBlueButton can be  
used to disclose arbitrary local files. Through the file disclosure,  
attackers can gain access to the credentials of the BigBlueButton  
instance (/usr/share/bbb-web/WEB-INF/classes/,  
/usr/share/bbb-apps-akka/conf/application.conf), which allows for  
administrative access to BigBlueButton through its API (see [5]),  
including all conferences.  
Additionally, it is possible to perform server-side requests. Note that  
this vulnerability is different from CVE-2018-10583 [4], because the  
risk is not the disclosure of credentials sent while fetching remote  
resources, but the ability to access resources that are in the same  
network segment as the BigBlueButton instance, which is possibly not  
accessible from the Internet.  
To exploit this vulnerability, attackers need to have access to a  
conference with the ability to upload presentations. While successful  
exploitation of this vulnerability would pose severe consequences for  
the affected BigBlueButton instance, it is only rated to pose a medium  
risk due to the requirement of having presentator access.  
2020-09-11 Vulnerability identified  
2020-09-18 Customer approved disclosure to vendor  
2020-09-22 CVE ID requested  
2020-09-22 CVE ID assigned  
2020-09-24 Requested encrypted communication with vendor  
2020-09-25 Vendor unable to provide encrypted communication,  
Vendor notified  
2020-09-25 Vendor confirmed being able to reproduce vulnerability,  
mentioned similar bugreport  
2020-09-25 Requested information whether "similar burgreport"  
uses the same vulnerability - no answer  
2020-10-13 Again requested information whether "similar burgreport"  
uses the same vulnerability, whether release shedule is  
known - no answer  
2020-10-14 Vendor released fixed version (without mentioning vulnerability)  
2020-10-21 Vulnerability published by third party [7]  
2020-10-21 Advisory released  
RedTeam Pentesting GmbH  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
More information about RedTeam Pentesting can be found at:  
Working at RedTeam Pentesting  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen