Access: unauthenticated remote access Platforms / Firmware confirmed affected: - LG NAS N1A1 Version 10119, 10/04/2012 - Product page: http://www.lg.com/us/support-product/lg-N1A1DD1 What is Familycast? ------------------- Familycast is a service running on top of the NAS. According to LG, Familycast is an: ôLG SMART TV exclusive application which allows the user to easily access and share photos, music, videos and other data saved on the net hard with their family with the TV remote control from anywhere around the globe.ö Vulnerabilities --------------- Insufficient function level access control Although Familycast requires login, most of the PHP scripts in the Familycast service under the /familycast/interface/php/ folder did not perform any session check. So, every file shared via this service can be accessible remotely and other vulnerabilities can be exploited without authentication. SQL injection in profile request User profiles, which contain various IDs and relationship type, are requested by the Familycast manager after login. To obtain the profile data a proc_type and an id parameter should be sent in a POST request. >From these parameters the id parameter is used in an SQL statement without sanitization, so SQL injection is possible. By exploiting this SQL injection an attacker can obtain the user names and password hashes of the Familycast service. Arbitrary file up and download with directory traversal The Familycast service contained a hidden simple uploader, which provides an easy way to upload or download any files from its folder. Using directory traversal any system file can be accessed using this service. Sensitive information in log files The NAS logs every event into the /var/tmp/ui_script.log file along with the event parameters. The login events are also inserted into this file with the used password hash. Since the NAS login (not the Familycast) requires to send the password hash, the parameter from the log file can be used to login to the NAS without reversing the password. POC --- POC script is available to demonstrate the following problems [3]: - Insufficient function level access control - Arbitrary file up and download with directory traversal - SQL Injection in Familycast - Sensitive information in log files Video demonstration is also available [1], which presents the above problems and how these can be combined to obtain admin access to the NAS. Recommendations --------------- Update the firmware to the latest version firmware-N1A1_10124rfke.zip from http://www.lg.com/us/support-product/lg-N1A1DD1. We also highly recommend not exposing the web interface of LG N1A1 NAS devices to the internet. Credits ------- This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu) References ---------- [1] http://www.search-lab.hu/advisories/113-secadv-20160519 [2] https://youtu.be/ppMOj-eK81Y [3] https://github.com/ebux/LG-NAS-N1A1-vulnerabilities