LG network: How can attackers use preauthenticated commands?

A critical vulnerability was found in some of the most recent LG Electronics network-attached storage devices, and it enables an attacker to gain access to the devices and the LG network using a preauthenticated remote command injection vulnerability. What is this vulnerability and how can attackers exploit these preauthenticated commands?

An attacker can log into many models of LG network-attached storage (NAS) devices and create new user credentials to gain full remote access to the NAS device. The vulnerability enables an attack using a valid username in an injected command that is accepted by the LG network even if the attacker uses an invalid password.

Researchers at VpnMentor used this vulnerability to write a persistent command injection shell file in PHP, execute it after it was delivered to the NAS, and demonstrate a proof of concept for an attack that exploits the vulnerability to create a new set of login credentials for the system in four steps.

1. Enter the shell upload injection command as:

;echo "" > /tmp/x2;sudo mv /tmp/x2 /var/www/c.php

The shell script is written to the device in the file c.php. This script initiates a shell that can accept system commands.

The sudo command asks for the current user's password and then moves /tmp/x2 files to the shell. This is where the command injection vulnerability is exploited, as vulnerable NAS devices will accept any password here.

2. Dump a full list of all NAS users by entering this command:

echo ".dump user" | sqlite3 /etc/nas/db/share.db

The vulnerable devices use sqlite3, an interface for SQLite database, which in this case is named share.db. This command enables the attacker to read all the username and password hashes in plain text so the attackers can choose a new and unique username to add to the database.

3. Generate a password hash for the new user password -- in this case, the new password is 1234 -- by entering:

sudo nas-common md5 1234]

This command creates an MD5 hash of the password 1234. The MD5 hashing algorithm returns a 128-bit hash value in text format as a 32-digit hexadecimal number.

4. Add the new user to the database by entering the following command:

INSERT INTO User VALUES ('test','md5_hash', 'Vuln Test', 'test@localhost','')

The credentials are then added to the User table using the default columns. The INSERT command will accept valid usernames and passwords in the first two columns. However, it should be noted that md5_hash is a reference to the 128-bit value of the password hash.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)