← Advisories

LogicalDOC Enterprise 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation

High
Advisory ID
ZSL-2018-5452
Release Date
11 February 2018
Vendor
LogicalDOC Srl - https://www.logicaldoc.com
Affected Version
7.7.4, 7.7.3, 7.7.2, 7.7.1, 7.6.4, 7.6.2, 7.5.1, 7.4.2, 7.1.1
CVE
CVE-2019-25257
Tested On
Microsoft Windows 10, Linux Ubuntu 16.04, Java 1.8.0_161, Apache-Coyote/1.1, Apache Tomcat/8.5.24, Apache Tomcat/8.5.13, Undisclosed 8.41
Summary

LogicalDOC is a free document management system that is designed to handle and share documents within an organization. LogicalDOC is a content repository, with Lucene indexing, Activiti workflow, and a set of automatic import procedures.

Description

LogicalDOC suffers from multiple authenticated OS command execution vulnerabilities by manipulating the path of the many binaries included in the package when changing the settings with their respected arguments. This can be exploited to execute local root privilege escalation attack and/or inject and execute arbitrary system commands as the root or SYSTEM user depending on the platform affected.

Proof of Concept
logicaldoc_rce.txtTXT
Disclosure Timeline
26.01.2018Vulnerabilities discovered.
30.01.2018Vendor contacted.
07.02.2018No response from the vendor.
08.02.2018Vendor contacted again.
10.02.2018No response from the vendor.
11.02.2018Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/44021/
[2]https://cxsecurity.com/issue/WLB-2018020150
[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/139089
[4]https://packetstormsecurity.com/files/146354
[5]https://www.cve.org/CVERecord?id=CVE-2019-25257
Changelog
11.02.2018Initial release
21.02.2018Added reference [1], [2], [3] and [4]
23.03.2026Added reference [5]