Title: LogicalDOC Enterprise 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation
Advisory ID: ZSL-2018-5452
Type: Local/Remote
Impact: Privilege Escalation, System Access
Risk: (4/5)
Release Date: 11.02.2018

Summary

LogicalDOC is a free document management system that is designed to handle and share documents within an organization. LogicalDOC is a content repository, with Lucene indexing, Activiti workflow, and a set of automatic import procedures.

Description

LogicalDOC suffers from multiple authenticated OS command execution vulnerabilities by manipulating the path of the many binaries included in the package when changing the settings with their respected arguments. This can be exploited to execute local root privilege escalation attack and/or inject and execute arbitrary system commands as the root or SYSTEM user depending on the platform affected.

Vendor

LogicalDOC Srl - https://www.logicaldoc.com

Affected Version

7.7.4
7.7.3
7.7.2
7.7.1
7.6.4
7.6.2
7.5.1
7.4.2
7.1.1

Tested On

Microsoft Windows 10
Linux Ubuntu 16.04
Java 1.8.0_161
Apache-Coyote/1.1
Apache Tomcat/8.5.24
Apache Tomcat/8.5.13
Undisclosed 8.41

Vendor Status

[26.01.2018] Vulnerabilities discovered.
[30.01.2018] Vendor contacted.
[07.02.2018] No response from the vendor.
[08.02.2018] Vendor contacted again.
[10.02.2018] No response from the vendor.
[11.02.2018] Public security advisory released.

PoC

logicaldoc_rce.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.exploit-db.com/exploits/44021/
[2] https://cxsecurity.com/issue/WLB-2018020150
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/139089
[4] https://packetstormsecurity.com/files/146354

Changelog

[11.02.2018] - Initial release
[21.02.2018] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk