Critical bugs in LG TVs could allow complete device takeover

A handful of bugs in LG smart TVs running WebOS could allow an attacker to bypass authorization and gain root access on the device.

Once they have gained root, your TV essentially belongs to the intruder who can use that access to do all sorts of nefarious things including moving laterally through your home network, dropping malware, using the device as part of a botnet, spying on you — or at the very least severely screwing up your streaming service algorithms.

Bitdefender Labs researcher Alexandru Lazăr spotted the four vulnerabilities that affect WebOS versions 4 through 7. In an analysis published today, the security firm noted that while the vulnerable service is only intended for LAN access, more than 91,000 devices are exposed to the internet, according to a Shodan scan.

Here’s a look at the four flaws:

  • CVE-2023-6317: a PIN/prompt bypass that allows an attacker to set a variable and add a new user account to the TV without requiring a security PIN. It has a CVSS rating of 7.2.
  • CVE-2023-6318: a critical command injection flaw with a 9.1 CVSS rating that allows an attacker to elevate an initial access to root-level privileges and take over the TV.
  • CVE-2023-6319: another 9.1-rated command injection vulnerability that can be triggered by manipulating the music-lyrics library.
  • CVE-2023-6320: a critical command injection vulnerability that can be triggered by manipulating an API endpoint to allow execution of commands on the device as dbus, which has similar permissions as root. It also received a 9.1 CVSS score.

In order to abuse any of the command injection flaws, however, the attacker must first exploit CVE-2023-6317. This issue is down to WebOS running a service on ports 3000/3001 that allows users to control their TV on their smartphone using a PIN. But, there’s a bug in the account handler function that sometimes allows skipping the PIN verification:

The function that handles account registration requests uses a variable called skipPrompt which is set to true when either the client-key or the companion-client-key parameters correspond to an existing profile. It also takes into consideration what permissions are requested when deciding whether to prompt the user for a PIN, as confirmation is not required in some cases.

After creating an account with no permissions, an attacker can then request a new account with elevated privileges “but we specify the companion-client-key variable to match the key we got when we created the first account,” the team reports.

The server confirms that the key exists, but doesn’t verify which account it belongs to, we’re told. “Thus, the skipPrompt variable will be true and the account will be created without requesting a PIN confirmation on the TV,” the team reports

And then, after creating this account with elevated privileges, an attacker can use that access to exploit the other three flaws that lead to root access or command execution as the dbus user.

Lazăr responsibly reported the flaws to LG on November 1, 2023, and LG asked for a time extension to fix them. The electronics giant issued patches on March 22. It’s a good idea to check your TV for software updates and apply the WebOS patch now.

Source: Critical bugs in LG TVs could allow complete device takeover

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft