Vendor            | LG, www.lg.com
Affected Products | LG PC Suite for Windows
Affected Versions | <= 5.3.25.20150529 (Build 18212)
CVE ID            | n/a
OVE ID            | OVE-20161010-0007
Severity          | High
Author            | Benjamin Gnahm (@mitp0sh), Blue Frost Security GmbH
I. Impact
If an attacker is located within the same network as the LG PC Suite installation, a man-in-the-middle attack can be performed to manipulate the update mechanism of the LG PC Suite. By manipulating files transmitted over HTTP, an attacker can force the execution of arbitrary code with the privileges of the current user on the target system. User interaction is not required.
II. Technical Details
The update mechanism included in the LG PC Suite mobile synchronization client is vulnerable to a man-in-the-middle (MITM) attack. Updates are fetched over plain HTTP without any protection and thus allow an attacker to manipulate the update process.
An update check is performed on every start of the LG PC Suite software. The updater sends an HTTP request to the host csmg.lgmobile.com, which responds with an XML document describing the latest version of the software.
An excerpt from the response can be found below:
<?xml version='1.0' encoding='utf-8'?>
<response req_cmd='pcsync_ftp_commondll_list' status='OK'>
<pcsync_ftp_commondll_list>
[...]
<sw_version>P5_CSMGDLL_1.1.12.2</sw_version>
<global_uri>http://tool.lime.gdms.lge.com/swdata/MOBILESYNC/GO/P5_CSMGDLL_1.1.12.0/P5_LGPsLvDl.dll</global_uri>
<cyon_uri>http://tool.lime.gdms.lge.com/swdata/MOBILESYNC/GO/P5_CSMGDLL_1.1.12.0/P5_LGPsLvDl.dll</cyon_uri>
<kic_uri></kic_uri>
<aic_uri></aic_uri>
<cic_uri></cic_uri>
<eic_uri></eic_uri>
[...]
</pcsync_ftp_commondll_list>
</response>
The updater first checks whether a new version of the P5_LGPsLvDl.dll file is available by inspecting the version number in the <sw_version> element. If that version is higher than the currently installed one, the updater fetches the new DLL file from the specified URL and immediately loads it into the LG PC Suite process.
An attacker can manipulate the XML response by performing a MITM attack and thus force the loading of a malicious DLL file into the updater process on the target system as soon as the software performs an update check. The injected code runs with the privileges of the currently logged-on user.
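The following Python example is added here to illustrate the update logic described above; it is not LG's code and not part of the original advisory. It parses a manifest constructed from the excerpt shown, performs the version comparison the updater is described as doing, and then applies the validation the updater lacks: every download URI must use HTTPS and point at a known host. The TRUSTED_HOSTS allow-list, the version-string pattern and the assess() function are assumptions about what a hardened client would enforce.

```python
"""Added example (not LG's code): mirror the LG PC Suite update check and
add the URI validation that the real updater does not perform.

The manifest below is constructed from the excerpt in the advisory. The
TRUSTED_HOSTS allow-list and the HTTPS requirement are assumptions about a
hardened client, not behaviour of the shipped product.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest, modelled on the advisory's excerpt.
SAMPLE_MANIFEST = """<?xml version='1.0' encoding='utf-8'?>
<response req_cmd='pcsync_ftp_commondll_list' status='OK'>
<pcsync_ftp_commondll_list>
<sw_version>P5_CSMGDLL_1.1.12.2</sw_version>
<global_uri>http://tool.lime.gdms.lge.com/swdata/MOBILESYNC/GO/P5_CSMGDLL_1.1.12.0/P5_LGPsLvDl.dll</global_uri>
<cyon_uri>http://tool.lime.gdms.lge.com/swdata/MOBILESYNC/GO/P5_CSMGDLL_1.1.12.0/P5_LGPsLvDl.dll</cyon_uri>
<kic_uri></kic_uri>
</pcsync_ftp_commondll_list>
</response>"""

# Assumed allow-list: the only host a hardened client should fetch DLLs from.
TRUSTED_HOSTS = {"tool.lime.gdms.lge.com"}


def parse_version(sw_version):
    """'P5_CSMGDLL_1.1.12.2' -> (1, 1, 12, 2); reject anything else."""
    m = re.fullmatch(r"P5_CSMGDLL_(\d+(?:\.\d+)*)", sw_version.strip())
    if not m:
        raise ValueError("unexpected sw_version format: %r" % sw_version)
    return tuple(int(p) for p in m.group(1).split("."))


def parse_manifest(xml_text):
    """Return (version tuple, {element tag: download URI}) for non-empty URIs."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.get("status") != "OK":
        raise ValueError("update server reported status %r" % root.get("status"))
    lst = root.find("pcsync_ftp_commondll_list")
    version = parse_version(lst.findtext("sw_version", ""))
    uris = {e.tag: e.text.strip() for e in lst
            if e.tag.endswith("_uri") and e.text and e.text.strip()}
    return version, uris


def update_available(manifest_version, installed_version):
    """The comparison the updater performs: a higher remote version triggers a fetch."""
    return manifest_version > installed_version


def validate_uri(uri):
    """The check the updater does not do: insist on TLS and a known host.
    Returns a list of findings; an empty list means the URI is acceptable."""
    p = urlparse(uri)
    findings = []
    if p.scheme != "https":
        findings.append("scheme %r is not https" % p.scheme)
    if p.hostname not in TRUSTED_HOSTS:
        findings.append("host %r is not in the allow-list" % p.hostname)
    if not p.path.lower().endswith(".dll"):
        findings.append("path does not name a .dll file")
    return findings


def assess(xml_text, installed_version):
    """Decide whether the updater would fetch, and list the URIs a hardened
    client would refuse together with the reasons."""
    version, uris = parse_manifest(xml_text)
    unsafe = {tag: (uri, validate_uri(uri)) for tag, uri in uris.items()
              if validate_uri(uri)}
    return {"version": version,
            "would_fetch": update_available(version, installed_version),
            "unsafe_uris": unsafe}


if __name__ == "__main__":
    result = assess(SAMPLE_MANIFEST, (1, 1, 12, 0))
    print("manifest version :", ".".join(map(str, result["version"])))
    print("updater would fetch:", result["would_fetch"])
    for tag, (uri, findings) in result["unsafe_uris"].items():
        print("REFUSE %s = %s" % (tag, uri))
        for f in findings:
            print("    -", f)
```

Run against the constructed manifest with an installed version of 1.1.12.0, the updater logic would fetch, while the added validation refuses both non-empty URIs because they are served over plain HTTP; the same function accepts an https:// URI on the allow-listed host.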
III. Mitigation
LG states that no patch will be provided for the described vulnerability because the LG PC Suite has reached the end of its product life cycle. Nevertheless, users who are forced to continue using the application can mitigate the issue by disabling the update check manually: add an entry to the Windows hosts file that points the host name csmg.lgmobile.com to the IP address 127.0.0.1.
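The following Python example is added here to apply and verify the hosts-file mitigation just described; it is not part of the original advisory. The functions operate on the hosts-file contents as a string so the logic runs offline; only main() touches the real file, and only when run as an administrator on Windows. The comment marker text and the handling of conflicting entries are this example's own choices.

```python
"""Added example (not from the advisory): pin csmg.lgmobile.com to 127.0.0.1
in the Windows hosts file, idempotently, and verify the result.

Pure functions work on file contents so they can be tested offline; main()
edits the real hosts file only on Windows and needs administrative rights.
"""
import os
import sys

UPDATE_HOST = "csmg.lgmobile.com"   # update server named in the advisory
SINKHOLE_IP = "127.0.0.1"           # address recommended in the advisory
MARKER = "# LG PC Suite update check disabled (OVE-20161010-0007)"


def hosts_entries(contents):
    """Yield (ip, [lower-cased names]) for every active line of a hosts file."""
    for line in contents.splitlines():
        body = line.split("#", 1)[0].strip()   # drop trailing comments
        if body:
            parts = body.split()
            yield parts[0], [n.lower() for n in parts[1:]]


def is_sinkholed(contents, host=UPDATE_HOST, ip=SINKHOLE_IP):
    """True only if host is mapped, and every active mapping points at ip."""
    mapped = [addr for addr, names in hosts_entries(contents) if host in names]
    return bool(mapped) and all(addr == ip for addr in mapped)


def add_sinkhole(contents, host=UPDATE_HOST, ip=SINKHOLE_IP):
    """Return new contents with host pinned to ip.

    Idempotent: nothing is appended if the mapping is already in place.
    Any active mapping of host to a different address is commented out so
    it cannot compete with the sinkhole entry."""
    out = []
    for line in contents.splitlines():
        body = line.split("#", 1)[0].split()
        conflicts = (len(body) > 1
                     and host in (n.lower() for n in body[1:])
                     and body[0] != ip)
        out.append("# disabled by mitigation: " + line if conflicts else line)
    if not is_sinkholed("\n".join(out), host, ip):
        out.append(MARKER)
        out.append("%s %s" % (ip, host))
    return "\n".join(out) + "\n"


def main():
    if os.name != "nt":
        sys.exit("this helper only edits the Windows hosts file")
    path = os.path.join(os.environ["SystemRoot"], r"System32\drivers\etc\hosts")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        current = fh.read()
    if is_sinkholed(current):
        print("already mitigated: %s -> %s" % (UPDATE_HOST, SINKHOLE_IP))
        return
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(add_sinkhole(current))
    print("added %s %s to %s" % (SINKHOLE_IP, UPDATE_HOST, path))


if __name__ == "__main__":
    main()
```

After the change, the updater's HTTP request to csmg.lgmobile.com is directed at the local machine and the update check fails instead of fetching a DLL over the network; is_sinkholed() can be re-run later to confirm the entry has not been removed or overridden.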
IV. Disclosure Timeline
2016-04-25 | Contacted lgsecurity@lge.com due to lack of better contact and requested contact information to start the disclosure process
2016-06-06 | After some failed contact requests we were able to submit the advisory
2016-07-12 | LG requests more time before publishing the advisory
2016-07-24 | LG informs us that the product will enter the end of its product life cycle and thus the reported issue will most likely not be fixed
2016-08-27 | Received confirmation that no fix will be provided
Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact research@bluefrostsecurity.de for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall Blue Frost Security be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Blue Frost Security has been advised of the possibility of such damages.
Copyright 2016 Blue Frost Security GmbH. All rights reserved. Terms of use apply.