LG NAS N1A1 multiple vulnerabilities in Familycast
Access: unauthenticated remote access
Platforms / Firmware confirmed affected:
- LG NAS N1A1 Version 10119, 10/04/2012
- Product page: http://www.lg.com/us/support-product/lg-N1A1DD1
What is Familycast?
Familycast is a service running on top of the NAS. According to LG, Familycast is an: “LG SMART TV exclusive application which allows the user to easily access and share photos, music, videos and other data saved on the net hard with their family with the TV remote control from anywhere around the globe.”
Vulnerabilities
Insufficient function level access control
Although Familycast requires login, most of the PHP scripts in the Familycast service under the /familycast/interface/php/ folder did not perform any session check. So, every file shared via this service can be accessible remotely and other vulnerabilities can be exploited without authentication.
SQL injection in profile request
User profiles, which contain various IDs and relationship type, are requested by the Familycast manager after login. To obtain the profile data a proc_type and an id parameter should be sent in a POST request. From these parameters the id parameter is used in an SQL statement without sanitization, so SQL injection is possible. By exploiting this SQL injection an attacker can obtain the user names and password hashes of the Familycast service.
Arbitrary file up and download with directory traversal
The Familycast service contained a hidden simple uploader, which provides an easy way to upload or download any files from its folder. Using directory traversal any system file can be accessed using this service.
Sensitive information in log files
The NAS logs every event into the /var/tmp/ui_script.log file along with the event parameters. The login events are also inserted into this file with the used password hash. Since the NAS login (not the Familycast) requires to send the password hash, the parameter from the log file can be used to login to the NAS without reversing the password.
POC
POC script is available to demonstrate the following problems [3]:
- Insufficient function level access control
- Arbitrary file up and download with directory traversal
- SQL Injection in Familycast
- Sensitive information in log files
Video demonstration is also available [1], which presents the above problems and how these can be combined to obtain admin access to the NAS.
Recommendations
Update the firmware to the latest version firmware-N1A1_10124rfke.zip from http://www.lg.com/us/support-product/lg-N1A1DD1. We also highly recommend not exposing the web interface of LG N1A1 NAS devices to the internet.
Credits
This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)
References
[1] https://www.search-lab.hu/advisories/113-secadv-20160519
[2] https://youtu.be/ppMOj-eK81Y
[3] https://github.com/ebux/LG-NAS-N1A1-vulnerabilities