LogicalDOC 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation (ZSL-2018-5452)

Vulnerability Key Information Vulnerability Name: LogicalDOC Enterprise 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation Advisory ID: ZSL-2018-5452 Type: Local/Remote Impact: Privilege Escalation, System Access Risk: 4/5 Release Date: 11.02.2018 Summary LogicalDOC is a free document management system designed for organizing and sharing documents within an organization. LogicalDOC functions as a content repository with Lucene indexing, Activiti workflow, and a series of automated import processes. Description LogicalDOC contains multiple unauthenticated operating system command execution vulnerabilities caused by manipulating paths of numerous binary files within the package, particularly when modifying settings and their corresponding parameters. This can be exploited to perform local privilege escalation attacks and/or inject and execute arbitrary system commands as root or SYSTEM user, depending on the affected platform. Proof of Concept (PoC) logicaldoc_rce.txt Affected Versions 7.7.4 7.7.3 7.7.2 7.7.1 7.6.4 7.6.2 7.5.1 7.4.2 7.1.1 Test Platforms Microsoft Windows 10 Linux Ubuntu 16.04 Java 1.8.0_151 Apache-Coyote/1.1 Apache Tomcat/8.5.24 Apache Tomcat/8.5.13 Unspecified 8.41 Vendor Status [26.01.2018] Vulnerability discovered [30.01.2018] Vendor contacted [07.02.2018] Vendor unresponsive [08.02.2018] Vendor contacted again [10.02.2018] Vendor unresponsive [11.02.2018] Public security advisory released Discoverer Vulnerability discovered by Gjoko Krstic - References 1. https://www.exploit-db.com/exploits/44021/ 2. https://cxsecurity.com/issue/WLB-2018020150 3. https://exchange.xforce.ibmcloud.com/vulnerabilities/139089 4. https://packetstormsecurity.com/files/146354

Goal Reached Thanks to every supporter — we hit 100%!

LogicalDOC 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation (ZSL-2018-5452)