S4E

Landray Office Automation Remote Code Execution Scanner

Detects 'Remote Code Execution (RCE)' vulnerability in Landray Office Automation (OA).

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 15 days 1 hour
Scan only one: Domain, IPv4, Subdomain


Landray Office Automation (OA) is enterprise software used by organizations to streamline and automate their internal office tasks and communication processes. It is mainly used by medium to large-sized companies looking for efficient software to manage documents, workflows, and collaboration. The software is designed to enhance productivity and integration across various office departments, including HR, finance, and administration. It offers features like task management, document storage, and team collaboration tools, making it appealing to enterprises seeking to digitize their traditional office processes. Landray OA is widely adopted in industries looking for office automation solutions tailored to their organizational needs. The product's comprehensive suite of tools aims to deliver a one-stop solution for office administration.

A Remote Code Execution (RCE) vulnerability allows an attacker to execute arbitrary code on a remote system. It is a critical security issue, typically exploited over a network by sending crafted requests to a vulnerable component of the software. RCE vulnerabilities can lead to full system control, allowing attackers to access sensitive data, install malware, or disrupt operations. The vulnerability can be leveraged without requiring local access or authentication, making it highly dangerous if unmitigated. Often, these vulnerabilities arise due to improper input validation or unsafe handling of user input. Protecting against RCE vulnerabilities is crucial to maintain the security and integrity of information systems and networks.

Technically, the vulnerability lies in the "sysFormulaSimulateByJS" functionality of the "s_bean" component. It is triggered by a GET request to the /data/sys-common/datajson.js endpoint carrying malicious script parameters. This endpoint is meant to handle certain automation functions, but it filters input improperly, which allows arbitrary JavaScript code to be executed. The "script" query parameter is the one exploited, and it lets attackers deliver payloads that execute system-level commands. On successful exploitation, the execution results are returned in the response to the crafted request. A status_code of 200 together with specific response content indicates that the vulnerability was triggered.
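A log check a defender can run for the request pattern described above, as an added example that is not part of the original page or the scanner. It assumes combined-format access logs and that "s_bean" arrives as a query parameter; the sample lines are constructed and carry a harmless placeholder in "script".

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint, bean name and parameter name as given in the text above.
ENDPOINT = "/data/sys-common/datajson.js"
BEAN = "sysformulasimulatebyjs"

# Minimal matcher for combined-format access log lines (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return None for unrelated lines, else a finding dict with a severity."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Decode, lowercase and collapse duplicate slashes before comparing paths.
    path = re.sub(r"/+", "/", unquote(url.path)).lower()
    if path != ENDPOINT:
        return None
    # parse_qs percent-decodes names and values, so encoded names still match.
    qs = parse_qs(url.query, keep_blank_values=True)
    params = {k.lower(): v for k, v in qs.items()}
    beans = [b.lower() for b in params.get("s_bean", [])]
    if BEAN not in beans or "script" not in params:
        return None
    # A 200 means the server processed the request: review that host first.
    severity = "high" if m["status"] == "200" else "medium"
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "severity": severity, "script_len": len(params["script"][0])}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges, placeholder script value).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:15:32 +0000] "GET /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=PLACEHOLDER HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [12/Mar/2024:10:16:01 +0000] "GET /data//sys-common/datajson.js?S_BEAN=sysformulasimulatebyjs&scr%69pt=PLACEHOLDER HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.10 - - [12/Mar/2024:10:17:45 +0000] "GET /data/sys-common/datajson.js?s_bean=otherBean HTTP/1.1" 200 88 "-" "-"',
    '192.0.2.11 - - [12/Mar/2024:10:18:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "high" finding only means the server answered 200 to a matching request; confirming impact still requires reviewing the response content and the host itself.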

When exploited, this RCE vulnerability can result in severe consequences, including the compromise of the entire system. Attackers might gain unauthorized access to sensitive data, change configurations, or deploy additional payloads such as ransomware or other malware. The integrity and confidentiality of the data stored and processed by Landray Office Automation could be jeopardized. Furthermore, the exploitation could disrupt business operations, leading to potential downtime and financial losses. Access to confidential organizational information could also lead to identity theft or strategic business disadvantages if competitive or proprietary data is accessed.
