[SEARCH-LAB advisory] LG NAS N1A1 multiple vulnerabilities in- Familycast

From: Gergely Eberhardt <gergely.eberhardt@search-lab.hu>
To: bugtraq@securityfocus.com
Subject: [SEARCH-LAB advisory] LG NAS N1A1 multiple vulnerabilities in- Familycast

Access: unauthenticated remote access

Platforms / Firmware confirmed affected:
- LG NAS N1A1 Version 10119, 10/04/2012
- Product page: http://www.lg.com/us/support-product/lg-N1A1DD1

What is Familycast?
Familycast is a service running on top of the NAS. According to LG,
Familycast is an: ôLG SMART TV exclusive application which allows the
user to easily access and share photos, music, videos and other data
saved on the net hard with their family with the TV remote control from
anywhere around the globe.ö

Insufficient function level access control
Although Familycast requires login, most of the PHP scripts in the
Familycast service under the /familycast/interface/php/ folder did not
perform any session check. So, every file shared via this service can be
accessible remotely and other vulnerabilities can be exploited without

SQL injection in profile request
User profiles, which contain various IDs and relationship type, are
requested by the Familycast manager after login. To obtain the profile
data a proc_type and an id parameter should be sent in a POST request.
From these parameters the id parameter is used in an SQL statement
without sanitization, so SQL injection is possible. By exploiting this
SQL injection an attacker can obtain the user names and password hashes
of the Familycast service.

Arbitrary file up and download with directory traversal
The Familycast service contained a hidden simple uploader, which
provides an easy way to upload or download any files from its folder. 
Using directory traversal any system file can be accessed using this

Sensitive information in log files
The NAS logs every event into the /var/tmp/ui_script.log file along with
the event parameters. The login events are also inserted into this file
with the used password hash. Since the NAS login (not the Familycast)
requires to send the password hash, the parameter from the log file can
be used to login to the NAS without reversing the password.

POC script is available to demonstrate the following problems [3]:
- Insufficient function level access control
- Arbitrary file up and download with directory traversal
- SQL Injection in Familycast
- Sensitive information in log files

Video demonstration is also available [1], which presents the above
problems and how these can be combined to obtain admin access to the NAS.

Update the firmware to the latest version firmware-N1A1_10124rfke.zip
from http://www.lg.com/us/support-product/lg-N1A1DD1. We also highly
recommend not exposing the web interface of LG N1A1 NAS devices to the

This vulnerability was discovered and researched by Gergely Eberhardt
from SEARCH-LAB Ltd. (www.search-lab.hu)

[1] http://www.search-lab.hu/advisories/113-secadv-20160519
[2] https://youtu.be/ppMOj-eK81Y
[3] https://github.com/ebux/LG-NAS-N1A1-vulnerabilities

Copyright © 1995-2020 LinuxRocket.net. All rights reserved.