Access: unauthenticated remote accessPlatforms / Firmware confirmed affected:- LG NAS N1A1 Version 10119, 10/04/2012- Product page: http://ift.tt/1U1u2MvWhat is Familycast?-------------------Familycast is a service running on top of the NAS. According to LG,Familycast is an: ôLG SMART TV exclusive application which allows theuser to easily access and share photos, music, videos and other datasaved on the net hard with their family with the TV remote control fromanywhere around the globe.öVulnerabilities---------------Insufficient function level access controlAlthough Familycast requires login, most of the PHP scripts in theFamilycast service under the /familycast/interface/php/ folder did notperform any session check. So, every file shared via this service can beaccessible remotely and other vulnerabilities can be exploited withoutauthentication.SQL injection in profile requestUser profiles, which contain various IDs and relationship type, arerequested by the Familycast manager after login. To obtain the profiledata a proc_type and an id parameter should be sent in a POST request.From these parameters the id parameter is used in an SQL statementwithout sanitization, so SQL injection is possible. By exploiting thisSQL injection an attacker can obtain the user names and password hashesof the Familycast service.Arbitrary file up and download with directory traversalThe Familycast service contained a hidden simple uploader, whichprovides an easy way to upload or download any files from its folder.Using directory traversal any system file can be accessed using thisservice.Sensitive information in log filesThe NAS logs every event into the /var/tmp/ui_script.log file along withthe event parameters. The login events are also inserted into this filewith the used password hash. Since the NAS login (not the Familycast)requires to send the password hash, the parameter from the log file canbe used to login to the NAS without reversing the password.POC---POC script is available to demonstrate the following problems [3]:- Insufficient function level access control- Arbitrary file up and download with directory traversal- SQL Injection in Familycast- Sensitive information in log filesVideo demonstration is also available [1], which presents the aboveproblems and how these can be combined to obtain admin access to the NAS.Recommendations---------------Update the firmware to the latest version firmware-N1A1_10124rfke.zipfrom http://ift.tt/1U1u2Mv. We also highlyrecommend not exposing the web interface of LG N1A1 NAS devices to theinternet.Credits-------This vulnerability was discovered and researched by Gergely Eberhardtfrom SEARCH-LAB Ltd. (www.search-lab.hu)References----------[1] http://ift.tt/1OOrZiM[2] https://youtu.be/ppMOj-eK81Y[3] http://ift.tt/1OBkRkj[ reply ]from SecurityFocus Vulnerabilities http://ift.tt/1rW9v5v
Access: unauthenticated remote access
Platforms / Firmware confirmed affected:
- LG NAS N1A1 Version 10119, 10/04/2012
- Product page: http://ift.tt/1U1u2Mv
What is Familycast?
-------------------
Familycast is a service running on top of the NAS. According to LG,
Familycast is an: ôLG SMART TV exclusive application which allows the
user to easily access and share photos, music, videos and other data
saved on the net hard with their family with the TV remote control from
anywhere around the globe.ö
Vulnerabilities
---------------
Insufficient function level access control
Although Familycast requires login, most of the PHP scripts in the
Familycast service under the /familycast/interface/php/ folder did not
perform any session check. So, every file shared via this service can be
accessible remotely and other vulnerabilities can be exploited without
authentication.
SQL injection in profile request
User profiles, which contain various IDs and relationship type, are
requested by the Familycast manager after login. To obtain the profile
data a proc_type and an id parameter should be sent in a POST request.
From these parameters the id parameter is used in an SQL statement
without sanitization, so SQL injection is possible. By exploiting this
SQL injection an attacker can obtain the user names and password hashes
of the Familycast service.
Arbitrary file up and download with directory traversal
The Familycast service contained a hidden simple uploader, which
provides an easy way to upload or download any files from its folder.
Using directory traversal any system file can be accessed using this
service.
Sensitive information in log files
The NAS logs every event into the /var/tmp/ui_script.log file along with
the event parameters. The login events are also inserted into this file
with the used password hash. Since the NAS login (not the Familycast)
requires to send the password hash, the parameter from the log file can
be used to login to the NAS without reversing the password.
POC
---
POC script is available to demonstrate the following problems [3]:
- Insufficient function level access control
- Arbitrary file up and download with directory traversal
- SQL Injection in Familycast
- Sensitive information in log files
Video demonstration is also available [1], which presents the above
problems and how these can be combined to obtain admin access to the NAS.
Recommendations
---------------
Update the firmware to the latest version firmware-N1A1_10124rfke.zip
from http://ift.tt/1U1u2Mv. We also highly
recommend not exposing the web interface of LG N1A1 NAS devices to the
internet.
Credits
-------
This vulnerability was discovered and researched by Gergely Eberhardt
from SEARCH-LAB Ltd. (www.search-lab.hu)
References
----------
[1] http://ift.tt/1OOrZiM
[2] https://youtu.be/ppMOj-eK81Y
[3] http://ift.tt/1OBkRkj
[ reply ]