Bugtraq: [SEARCH-LAB advisory] LG NAS N1A1 multiple vulnerabilities in Familycast

Access: unauthenticated remote access

Platforms / Firmware confirmed affected:

- LG NAS N1A1 Version 10119, 10/04/2012

- Product page: http://ift.tt/1U1u2Mv

What is Familycast?

-------------------

Familycast is a service running on top of the NAS. According to LG,

Familycast is an: ôLG SMART TV exclusive application which allows the

user to easily access and share photos, music, videos and other data

saved on the net hard with their family with the TV remote control from

anywhere around the globe.ö

Vulnerabilities

---------------

Insufficient function level access control

Although Familycast requires login, most of the PHP scripts in the

Familycast service under the /familycast/interface/php/ folder did not

perform any session check. So, every file shared via this service can be

accessible remotely and other vulnerabilities can be exploited without

authentication.

SQL injection in profile request

User profiles, which contain various IDs and relationship type, are

requested by the Familycast manager after login. To obtain the profile

data a proc_type and an id parameter should be sent in a POST request.

From these parameters the id parameter is used in an SQL statement

without sanitization, so SQL injection is possible. By exploiting this

SQL injection an attacker can obtain the user names and password hashes

of the Familycast service.

Arbitrary file up and download with directory traversal

The Familycast service contained a hidden simple uploader, which

provides an easy way to upload or download any files from its folder.

Using directory traversal any system file can be accessed using this

service.

Sensitive information in log files

The NAS logs every event into the /var/tmp/ui_script.log file along with

the event parameters. The login events are also inserted into this file

with the used password hash. Since the NAS login (not the Familycast)

requires to send the password hash, the parameter from the log file can

be used to login to the NAS without reversing the password.

POC

---

POC script is available to demonstrate the following problems [3]:

- Insufficient function level access control

- Arbitrary file up and download with directory traversal

- SQL Injection in Familycast

- Sensitive information in log files

Video demonstration is also available [1], which presents the above

problems and how these can be combined to obtain admin access to the NAS.

Recommendations

---------------

Update the firmware to the latest version firmware-N1A1_10124rfke.zip

from http://ift.tt/1U1u2Mv. We also highly

recommend not exposing the web interface of LG N1A1 NAS devices to the

internet.

Credits

-------

This vulnerability was discovered and researched by Gergely Eberhardt

from SEARCH-LAB Ltd. (www.search-lab.hu)

References

----------

[1] http://ift.tt/1OOrZiM

[2] https://youtu.be/ppMOj-eK81Y

[3] http://ift.tt/1OBkRkj

[ reply ]


from SecurityFocus Vulnerabilities http://ift.tt/1rW9v5v