News archive

Analysis of WiFi-enabled ISP modems

SEARCH-LAB Security Evaluation Analysis and Research Laboratory executed security evaluations of several Wi-Fi enabled ISP modems operated among others within UPC and Liberty Global networks:

  • Ubee EVW3226, 1.0.20
  • Technicolor TC7200, STD6.02.11
  • Cisco EPC3925, ESIP-12-v302r125573-131230c_upc
  • Hitron CGNV4, 4.3.9.9-SIP-UPC
  • Compal CH7465LG-LC, CH7465LG-NCIP-4.50.18.13-NOSH

LG NAS N1A1 multiple vulnerabilities in Familycast

Access: unauthenticated remote access

Platforms / Firmware confirmed affected:

What is Familycast?

Familycast is a service running on top of the NAS. According to LG, Familycast is an: “LG SMART TV exclusive application which allows the user to easily access and share photos, music, videos and other data saved on the net hard with their family with the TV remote control from anywhere around the globe.”

Vulnerabilities

Insufficient function level access control

Although Familycast requires login, most of the PHP scripts of the Familycast service under the /familycast/interface/php/ folder did not perform any session check. As a result, every file shared via this service can be accessed remotely, and the other vulnerabilities below can be exploited without authentication.

SQL injection in profile request

User profiles, which contain various IDs and the relationship type, are requested by the Familycast manager after login. To obtain the profile data, a proc_type and an id parameter are sent in a POST request. Of these, the id parameter is used in an SQL statement without sanitization, so SQL injection is possible. By exploiting this SQL injection an attacker can obtain the user names and password hashes of the Familycast service.
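The two defects described above (no session check, and a request parameter concatenated into SQL) are illustrated below in Python with an in-memory SQLite table. This is an added example, not code from the LG firmware or from the advisory; the table name, column names, sample rows and the `session` dictionary are constructed assumptions standing in for whatever the Familycast PHP scripts actually use.

```python
import sqlite3

# Constructed sample rows standing in for the Familycast profile table
# (the schema is an assumption, not the NAS's real one).
SAMPLE_ROWS = [
    (1, "alice", "family"),
    (2, "bob", "friend"),
]


def build_db():
    """Create an in-memory profile table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT, relation TEXT)"
    )
    conn.executemany("INSERT INTO profile VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def profile_vulnerable(conn, raw_id):
    """Shape of the flawed handler: no session check, parameter spliced into SQL text."""
    sql = "SELECT id, name, relation FROM profile WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def profile_hardened(conn, session, raw_id):
    """Hardened handler: require a logged-in session, then bind the parameter."""
    # 1) function-level access control: reject requests without a valid session
    if not session or not session.get("user"):
        return []
    # 2) enforce the type the parameter is supposed to have
    try:
        pid = int(raw_id)
    except (TypeError, ValueError):
        return []
    # 3) bound parameter: the value can never change the statement structure
    return conn.execute(
        "SELECT id, name, relation FROM profile WHERE id = ?", (pid,)
    ).fetchall()
```

With the constructed table, `profile_vulnerable` returns every row for an id of `1 OR 1=1`, while `profile_hardened` returns nothing for the same input, nothing without a session, and exactly one row for a well-formed id.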

Arbitrary file up and download with directory traversal

The Familycast service contained a hidden, simple uploader, which provides an easy way to upload or download any file from its folder. Using directory traversal, any system file can be accessed through this service.
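The containment check the uploader lacked is shown below in Python. It is an added example, not code from the NAS or the advisory: it resolves the client-supplied name against the shared folder with `os.path.realpath` and rejects anything that ends up outside it, which covers `..` sequences, absolute paths and symlinks pointing out of the folder. The `demo()` layout (a `share` folder with one photo, a `secret.txt` outside it and a symlink into it) is constructed for the illustration.

```python
import os
import shutil
import tempfile


def resolve_shared_path(base_dir, requested, must_exist=True):
    """Map a client-supplied name onto a file inside base_dir.

    Returns the absolute path if it stays inside base_dir, otherwise None.
    Symlinks are resolved before the check, so a link that points outside
    the folder is rejected just like a plain '..' sequence.
    """
    base = os.path.realpath(base_dir)
    # os.path.join would discard base for an absolute name, so strip leading separators
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # the folder itself is never a valid target; the target must sit strictly below it
    if not candidate.startswith(base + os.sep):
        return None
    if must_exist and not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Constructed layout: <tmp>/share/photo.jpg, <tmp>/secret.txt outside the share,
    and <tmp>/share/link.txt -> <tmp>/secret.txt. Returns name -> accepted?"""
    root = tempfile.mkdtemp()
    try:
        share = os.path.join(root, "share")
        os.mkdir(share)
        open(os.path.join(share, "photo.jpg"), "w").close()
        open(os.path.join(root, "secret.txt"), "w").close()
        try:
            os.symlink(os.path.join(root, "secret.txt"), os.path.join(share, "link.txt"))
        except OSError:
            pass  # platforms without symlink support: link.txt simply does not exist
        names = ["photo.jpg", "../secret.txt", "/etc/passwd", "link.txt", "sub/../photo.jpg"]
        return {n: resolve_shared_path(share, n) is not None for n in names}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name!r:22} -> {'served' if accepted else 'rejected'}")
```

Only `photo.jpg` and its normalized alias `sub/../photo.jpg` are served; the traversal, the absolute path and the symlink out of the folder are all rejected. For the upload direction the same function is called with `must_exist=False`, so the containment check still applies to a file that does not exist yet.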

Sensitive information in log files

The NAS logs every event into the /var/tmp/ui_script.log file along with the event parameters. Login events are also written to this file together with the password hash used. Since the NAS login (unlike the Familycast login) requires the password hash to be sent, the hash taken from the log file can be used to log in to the NAS without reversing the password.

POC

A POC script is available to demonstrate the following problems [3]:

  • Insufficient function level access control
  • Arbitrary file up and download with directory traversal
  • SQL Injection in Familycast
  • Sensitive information in log files

A video demonstration is also available [1], which presents the above problems and how they can be combined to obtain admin access to the NAS.

Recommendations

Update the firmware to the latest version firmware-N1A1_10124rfke.zip from http://www.lg.com/us/support-product/lg-N1A1DD1. We also highly recommend not exposing the web interface of LG N1A1 NAS devices to the internet.

Credits

This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)

References

[1] https://www.search-lab.hu/advisories/113-secadv-20160519
[2] https://youtu.be/ppMOj-eK81Y
[3] https://github.com/ebux/LG-NAS-N1A1-vulnerabilities


WPA Supplicant configuration file injection vulnerability

Internet of Things devices are supposed to be always connected to the Internet, meaning not just anytime-anywhere availability, but a continuous threat as well. Wi-Fi technology has become part of everyday life, with the protocol constantly evolving in the background. The open source project WPA Supplicant aims to cover the complete feature set of the various Wi-Fi standards and to offer integrators an easy-to-manage interface, so it became a popular choice for developers targeting embedded platforms.

Some unusual vulnerabilities in the PHP engine

A few months ago we noticed strange error messages in the access.log of the PHP FastCGI Process Manager (FPM) engine we used for running one of our sites.

Android ADB backup APK injection vulnerability

The Android operating system offers a backup/restore mechanism of installed packages through the ADB utility. Full backup of applications including the private files stored on /data partition is performed by default, but applications can customize this behaviour by implementing a BackupAgent class. This way they can feed the backup process with custom files and data.

Security vulnerability in LG’s Update Center application

SEARCH-LAB Ltd discovered another security issue threatening LG Smart Phone users: malicious attackers controlling the network are able to install arbitrary applications on victim handsets.

37 million digitally signed documents had to be reverified

In November 2014, SEARCH-LAB Ltd. discovered a security vulnerability in multiple computer applications that are used to generate and validate digital signatures, which are applied within the official Hungarian government processes. The vulnerability affected the „e-akta” signed document file format, where a file with a valid digital signature could be manipulated in a way that the verification software indicated a valid signature while it displayed a different document than the original.

More than fifty vulnerabilities discovered in D-Link NAS and NVR devices by SEARCH-LAB

SEARCH-LAB performed an independent security assessment on four different D-Link devices. The assessment has identified altogether 53 unique vulnerabilities in the latest firmware (dated 30-07-2014). Several vulnerabilities can be abused by a remote attacker to execute arbitrary code and gain full control over the devices. See the security advisory for the details.

Vulnerabilities discovered in the Android Open Source Project by SEARCH-LAB

SEARCH-LAB discovered several vulnerabilities in the Android Open Source Project at the end of last summer. They were responsibly disclosed to the Android security team, and now that the fixes are deployed, they are being revealed to the public:

1. Android backup agent arbitrary code execution
The bindBackupAgent() method of the Android backup agent implementation was bound to an improper privilege, meaning the shell user could call this function.
Combining this problem with a TOCTOU issue existing between PackageManager and ActivityManagerService, we successfully ran arbitrary code as the system user.

2. ADB backup archive path traversal file overwrite
The adb client can be used to create and restore backup archives. The archives are internally based on the TAR format popular in the Unix world.
SEARCH-LAB discovered that the restore implementation did not properly sanitize the filename fields coming from the TAR headers. By restoring a specially crafted ADB backup archive one could traverse the directory limitation and overwrite system files.
See the complete advisory for other requirements of this vulnerability.

3. MTP path traversal vulnerability in Android 4.4
The server-side implementation of the MTP protocol running on Android devices did not properly sanitize the filename field received in the MTP request.
By sending specially crafted MTP requests to the target Android device, one could traverse the intended directory restriction (e.g. /sdcard) and upload files outside of it.

We also have one more vulnerability in this area, which we are going to publish on July 1, 2015 since Google still has not addressed it.

Serious security vulnerability discovered in LG Smart Phones by SEARCH-LAB

A malicious attacker is able to bypass the authentication phase of the network communication, and thus establish a connection to the On Screen Phone application without the owner’s knowledge or consent. Once connected, the attacker could have full control over the phone – even without physical access to it. The attacker needs only access to the same local network as the phone is connected to, for example via Wi-Fi.