CVE-2023-40504
published 2024-05-03

CVE-2023-40504: LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability

Priority: P188 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 87.76% (99.7th percentile)
LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19953.

Affected (2 ranges)

Vendor   Product         Version range   Fixed in
lg       simple_editor   (not listed)    (not listed)
lg       simple_editor   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url: /simpleeditor/common/commonReleaseNotes.do
url: /simpleeditor/imageManager/uploadVideo.do
url: /simpleeditor/fileSystem/makeDetailContent.do
command: "&cmd&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del {(unknown)}.bmp&/../"
path: /simpleeditor/
other: icon_hash="159985907"
  • The exploit chain involves three sequential unauthenticated HTTP requests: (1) GET to /simpleeditor/common/commonReleaseNotes.do to fingerprint the target, (2) POST to /simpleeditor/imageManager/uploadVideo.do with injected uploadPath, (3) POST to /simpleeditor/fileSystem/makeDetailContent.do to copy/rename the uploaded file to a .jsp webshell.
  • The injected uploadPath value uses Windows cmd chaining (& delimiters) to traverse directories and execute arbitrary commands as NT AUTHORITY\SYSTEM. Detection: look for uploadPath values containing &cmd& or similar shell metacharacters in multipart POST bodies.
  • After upload, the attacker calls /simpleeditor/fileSystem/makeDetailContent.do with a JSON body using the 'cp' command to rename the uploaded .bmp to a .jsp file, creating a webshell accessible at /simpleeditor/<filename>.jsp.
  • Presence of a .jsp file under the /simpleeditor/ web root that was recently created via the makeDetailContent.do copy operation may indicate successful exploitation.
  • No authentication is required to exploit this vulnerability; any unauthenticated POST to the affected endpoints should be treated as suspicious.
  • The vulnerability affects LG Simple Editor versions up to and including v3.21.0 only; later versions are not confirmed vulnerable.
  • Exploitation executes commands in the context of NT AUTHORITY\SYSTEM (Windows), so detections should be scoped to Windows-hosted deployments of LG Simple Editor.
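The detection points listed above (a POST to uploadVideo.do whose uploadPath carries cmd chaining characters, then a POST to makeDetailContent.do that copies the upload to a .jsp, optionally preceded by a GET to commonReleaseNotes.do) can be checked over proxy or WAF request records and correlated per client. This is an added example, not code from this record or from LG; the request-record layout, the multipart placement of uploadPath and the JSON shape of the makeDetailContent.do body are assumptions, and the sample traffic is constructed.

```python
import re
from collections import defaultdict

# Endpoints named in the vulnerability record.
RECON_ENDPOINT = "/simpleeditor/common/commonReleaseNotes.do"
UPLOAD_ENDPOINT = "/simpleeditor/imageManager/uploadVideo.do"
COPY_ENDPOINT = "/simpleeditor/fileSystem/makeDetailContent.do"

# Value of the multipart field uploadPath: header line, blank line, then the value (assumed layout).
UPLOAD_PATH = re.compile(r'name="uploadPath"\r?\n\r?\n([^\r\n]*)')
# Windows cmd.exe chaining characters; a legitimate upload path needs none of them.
CMD_META = re.compile(r"[&|^;`]")

def inspect_request(req):
    """Return finding strings for one request dict with keys src, method, path, body."""
    findings = []
    if req["method"] == "GET" and req["path"] == RECON_ENDPOINT:
        findings.append("recon: version fingerprint via commonReleaseNotes.do")
    if req["method"] == "POST" and req["path"] == UPLOAD_ENDPOINT:
        m = UPLOAD_PATH.search(req["body"])
        if m and CMD_META.search(m.group(1)):
            findings.append("upload: uploadPath with shell metacharacters %r" % m.group(1))
    elif req["method"] == "POST" and req["path"] == COPY_ENDPOINT:
        body = req["body"].lower()  # body shape is an assumption; match cp + .jsp target
        if re.search(r"\bcp\b", body) and ".jsp" in body:
            findings.append("copy: makeDetailContent.do cp to a .jsp target")
    return findings

def detect_chain(requests):
    """Group findings by source; full_chain is True when upload and copy both fired."""
    by_src = defaultdict(list)
    for req in requests:
        by_src[req["src"]].extend(inspect_request(req))
    return {
        src: {"findings": fs,
              "full_chain": any(f.startswith("upload:") for f in fs)
              and any(f.startswith("copy:") for f in fs)}
        for src, fs in by_src.items() if fs
    }

SAMPLE = [  # constructed request records, not real traffic
    {"src": "198.51.100.7", "method": "GET", "path": RECON_ENDPOINT, "body": ""},
    {"src": "198.51.100.7", "method": "POST", "path": UPLOAD_ENDPOINT,
     "body": 'Content-Disposition: form-data; name="uploadPath"\r\n\r\n&cmd&cd ..&del x.bmp&/../\r\n'},
    {"src": "198.51.100.7", "method": "POST", "path": COPY_ENDPOINT,
     "body": '{"command": "cp", "src": "x.bmp", "dst": "x.jsp"}'},
    {"src": "192.0.2.10", "method": "POST", "path": UPLOAD_ENDPOINT,
     "body": 'Content-Disposition: form-data; name="uploadPath"\r\n\r\nvideos/2024\r\n'},
]
```

Running detect_chain(SAMPLE) flags only 198.51.100.7, with all three stages and full_chain set; the benign upload from 192.0.2.10 produces no finding.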

CVSS provenance

NVD · CVSS v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H