LogicalDOC Enterprise 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation

Title: LogicalDOC Enterprise 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation
Advisory ID: ZSL-2018-5452
Type: Local/Remote
Impact: Privilege Escalation, System Access
Risk: 4/5
Release Date: 11.02.2018
Summary
LogicalDOC is a free document management system that is designed to handle and share documents within an organization. LogicalDOC is a content repository, with Lucene indexing, Activiti workflow, and a set of automatic import procedures.
Description
LogicalDOC suffers from multiple authenticated OS command execution vulnerabilities. When changing the settings, an authenticated user can manipulate the paths of the many binaries included in the package, along with their respective arguments. This can be exploited to perform a local root privilege escalation attack and/or to inject and execute arbitrary system commands as the root or SYSTEM user, depending on the platform affected.
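An added example, not part of the original advisory or of LogicalDOC's own code: a Python audit that flags binary-path settings in a properties-style configuration when they point outside trusted tool directories or carry shell syntax. The setting names, the trusted directories and the sample configuration are assumptions constructed for illustration, and a Linux install is assumed.

```python
import posixpath
import re

# Assumptions: the advisory does not list setting names or install paths.
TRUSTED_ROOTS = ("/opt/dms/bin", "/usr/bin")      # hypothetical tool directories
PATH_KEY = re.compile(r"\.(path|command)$")       # hypothetical key naming
SHELL_META = re.compile(r"[;&|`$<>(){}\s\"'\\]")  # shell syntax and whitespace

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit_value(value):
    """Return the reasons a configured binary path should not be trusted."""
    reasons = []
    if SHELL_META.search(value):
        reasons.append("shell metacharacter or whitespace")
    if not posixpath.isabs(value):
        reasons.append("not an absolute path")
    resolved = posixpath.normpath(value)
    if resolved != value:
        reasons.append("path is not in normalized form")
    if not any(resolved.startswith(root + "/") for root in TRUSTED_ROOTS):
        reasons.append("outside trusted tool directories")
    return reasons

def audit_settings(text):
    """Map each suspicious binary-path setting to its list of reasons."""
    findings = {}
    for key, value in parse_properties(text).items():
        if PATH_KEY.search(key):
            reasons = audit_value(value)
            if reasons:
                findings[key] = reasons
    return findings

# Constructed sample configuration, not taken from a real installation.
SAMPLE = """\
converter.path=/usr/bin/convert
ocr.path=/tmp/upload/run.sh
scanner.command=/usr/bin/clamscan; id
pdf.path=/usr/bin/../../tmp/x
index.batch=200
"""

if __name__ == "__main__":
    for key, reasons in audit_settings(SAMPLE).items():
        print(f"{key}: {', '.join(reasons)}")
```

The audit is static: it inspects the configured strings only, so ownership and write permissions of the binaries on disk need a separate check.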
Vendor
LogicalDOC Srl - https://www.logicaldoc.com
Affected Version
7.7.4
7.7.3
7.7.2
7.7.1
7.6.4
7.6.2
7.5.1
7.4.2
7.1.1
Tested On
Microsoft Windows 10
Linux Ubuntu 16.04
Java 1.8.0_161
Apache-Coyote/1.1
Apache Tomcat/8.5.24
Apache Tomcat/8.5.13
Undisclosed 8.41
Vendor Status
[26.01.2018] Vulnerabilities discovered.
[30.01.2018] Vendor contacted.
[07.02.2018] No response from the vendor.
[08.02.2018] Vendor contacted again.
[10.02.2018] No response from the vendor.
[11.02.2018] Public security advisory released.
PoC
logicaldoc_rce.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/44021/
[2] https://cxsecurity.com/issue/WLB-2018020150
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/139089
[4] https://packetstormsecurity.com/files/146354
Changelog
[11.02.2018] - Initial release
[21.02.2018] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk