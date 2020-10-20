Security Leftovers
-
Kaspersky's Secur'IT hacking competition attracts entrants from 24 universities
Four university students, competing as ByteMe, have won the first prize in the Secur'IT Cup, an annual hacking competition jointly organised by security outfit Kaspersky and Hackathons Australia.
-
Hackers Use Billboards to Trick Self-driving Cars into Slamming on the Brakes
“The attacker just shines an image of something on the road or injects a few frames into a digital billboard, and the car will apply the brakes or possibly swerve, and that’s dangerous,” Ben Gurion University researcher Yisroel Mirsky told the magazine. “The driver won’t even notice at all. So somebody’s car will just react, and they won’t understand why.”
-
File Exfiltration via Libreoffice in BigBlueButton and JODConverter
BigBlueButton is a free web-based video conferencing software that lately got quite popular, largely due to Covid-19. Earlier this year I did a brief check on its security which led to an article on Golem.de (German). I want to share the most significant findings here.
BigBlueButton has a feature that lets a presenter upload a presentation in a wide variety of file formats that gets then displayed in the web application. This looked like a huge attack surface. The conversion for many file formats is done with Libreoffice on the server. Looking for ways to exploit server-side Libreoffice rendering I found a blog post by Bret Buerhaus that discussed a number of ways of exploiting such setups.
One of the methods described there is a feature in Opendocument Text (ODT) files that allows embedding a file from an external URL in a text section. This can be a web URL like https or a file url and include a local file.
This directly worked in BigBlueButton. An ODT file that referenced a local file would display that local file. This allows displaying any file that the user running the BigBlueButton service could access on the server. A possible way to exploit this is to exfiltrate the configuration file that contains the API secret key, which then allows basically controlling the BigBlueButton instance. I have a video showing the exploit here. (I will publish the exploit later.)
I reported this to the developers of BigBlueButton in May. Unfortunately my experience with their security process was not very good. At first I did not get an answer at all. After another mail they told me they plan to sandbox the Libreoffice process either via a chroot or a docker container. However that still has not happened yet. It is planned for the upcoming version 2.3 and independent of this bug this is a good idea, as Libreoffice just creates a lot of attack surface.
Recently I looked a bit more into this. The functionality to include external files only happens after a manual user confirmation and if one uses Libreoffice on the command line it does not work at all by default. So in theory this exploit should not have worked, but it did.
It turned out the reason for this was another piece of software that BigBlueButton uses called https://github.com/sbraconnier/jodconverter JODConverter. It provides a wrapper around the conversion functionality of Libreoffice. After contacting both the Libreoffice security team and the developer of JODConverter we figured out that it enables including external URLs by default.
-
New Gitjacker tool lets you find .git folders exposed online
A new open-source tool called Gitjacker can help developers discover when they've accidentally uploaded /.git folders online and have left sensitive information exposed to attackers. Gitjacker is available as a free download on Github.
-
Based on my post about KDE's anarchic organization and the micro-not-macro nature of my This Week in KDE series, you would be forgiven for having the impression that KDE is directionless and has no leadership or long-term planning capabilities. In fact the opposite is true, and I'd like to talk a bit about that today, since this information may not be obvious to users and the wider community. Now, since KDE is so vast, I can only provide my personal perspective based on the projects I'm most heavily involved in: the VDG, Plasma, and a few apps. [...] KDE doesn't lack for strategic long-term goals and direction, so I think that part can be pretty solidly marked as a success. As for tactical leadership and direction within and between individual projects, I also think things are pretty rosy overall. KDE's maintainer-led projects generally have excellent maintainers. The variety of KDE apps using this model model is a testament to how successful it can be with a high-quality maintainer–especially our professional-class apps like Krita. And in my opinion, KDE's council of elders projects also have very good leadership today
