CVE-2020-27603 PoC — BigBlueButton 安全漏洞

Source

https://github.com/hannob/CVE-2020-27603-bbb-libreoffice-poc

Associated Vulnerability

Title:BigBlueButton 安全漏洞 (CVE-2020-27603)
Description:BigBlueButton是BigBlueButton社区的一套开源的Web会议系统。 Greenlight BigBlueButton 2.2.7之前版本存在安全漏洞，该漏洞源于有一个不安全的JODConverter设置，在这个设置中，LibreOffice文档转换可以访问外部文件。

Description

Proof of Concept of Libreoffice file exfiltration vulnerability in Big Blue Button

Readme

# CVE-2020-27603-bbb-libreoffice-poc
Proof of Concept of Libreoffice file exfiltration vulnerability in Big Blue Button

These ODT files show how to exploit a file exfiltration vulnerability that can happen
with server-side Libreoffice rendering, e.g. BigBlueButton.

Background:
* https://blog.hboeck.de/archives/902-File-Exfiltration-via-Libreoffice-in-BigBlueButton-and-JODConverter.html
* https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html

File Snapshot


 [4.0K]  /data/pocs/913e65cfcbc80de3b907f51f1e1fb28639e97696
├── [1.8K]  exfil-etc-passwd.odt
├── [1.8K]  exfil-etc-shadow.odt
├── [1.9K]  exfil-secret-bigbluebutton.odt
├── [6.9K]  LICENSE
└── [ 486]  README.md

0 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!