LG PC Suite Insecure Update Mechanism

A vulnerability inside the update mechanism was identified which allows an attacker to remotely execute arbitrary code on the target system.

Vendor             LG, www.lg.com
Affected Products  LG PC Suite for Windows
Affected Versions  <= 5.3.25.20150529 (Build 18212)
CVE ID             n/a
OVE ID             OVE-20161010-0007
Severity           High
Author             Benjamin Gnahm (@mitp0sh), Blue Frost Security GmbH

I. Impact

If an attacker is located within the same network as the LG PC Suite installation, a man-in-the-middle attack can be performed to manipulate the update mechanism of the LG PC Suite. By manipulating files transmitted over HTTP, an attacker can force the execution of arbitrary code with the privileges of the current user on the target system. User interaction is not required.

II. Technical Details

The update mechanism included in the LG PC Suite mobile synchronization client is vulnerable to a man-in-the-middle (MITM) attack. Updates are fetched over HTTP without any protection and thus allow an attacker to manipulate the update process.

An update check is performed on every start of the LG PC Suite software. The updater sends an HTTP request to the host csmg.lgmobile.com, which responds with an XML document describing the latest version of the software.

An excerpt from the response can be found below:

<?xml version='1.0' encoding='utf-8'?>
<response req_cmd='pcsync_ftp_commondll_list' status='OK'>
<pcsync_ftp_commondll_list>
[...]
<sw_version>P5_CSMGDLL_1.1.12.2</sw_version>
<global_uri>http://tool.lime.gdms.lge.com/swdata/MOBILESYNC/GO/P5_CSMGDLL_1.1.12.0/P5_LGPsLvDl.dll</global_uri>
<cyon_uri>http://tool.lime.gdms.lge.com/swdata/MOBILESYNC/GO/P5_CSMGDLL_1.1.12.0/P5_LGPsLvDl.dll</cyon_uri>
<kic_uri></kic_uri>
<aic_uri></aic_uri>
<cic_uri></cic_uri>
<eic_uri></eic_uri>
[...]
</pcsync_ftp_commondll_list>
</response>

The updater first determines whether a newer version of the P5_LGPsLvDl.dll file is available by comparing the version number in the <sw_version> element with the currently installed one. If the advertised version is higher, the updater fetches the new DLL file from the specified URL and immediately loads it into the LG PC Suite process.

An attacker can manipulate the XML response by performing a MITM attack and thus force the loading of a malicious DLL file into the updater process on the target system as soon as the software performs an update check. The injected code runs with the privileges of the currently logged-on user.
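To make the defect concrete, the following added example (not LG's code) models the update decision described above in Python. It parses a response constructed from the excerpt, compares the advertised version with an assumed installed version, and contrasts the behaviour the advisory describes (any URL is fetched and loaded as long as the version is newer) with a hardened policy that refuses non-TLS transport and unexpected download hosts. The installed version tag and the host allowlist are assumptions; the functions only decide, they never download or load anything.

```python
"""Model of the LG PC Suite update decision: the behaviour the advisory
describes beside a hardened policy. Added example, not LG's code. The
response is constructed from the advisory's excerpt; the installed version
and the allowed download host are assumptions."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the advisory's excerpt ("[...]" parts omitted).
SAMPLE_RESPONSE = b"""<?xml version='1.0' encoding='utf-8'?>
<response req_cmd='pcsync_ftp_commondll_list' status='OK'>
<pcsync_ftp_commondll_list>
<sw_version>P5_CSMGDLL_1.1.12.2</sw_version>
<global_uri>http://tool.lime.gdms.lge.com/swdata/MOBILESYNC/GO/P5_CSMGDLL_1.1.12.0/P5_LGPsLvDl.dll</global_uri>
<cyon_uri>http://tool.lime.gdms.lge.com/swdata/MOBILESYNC/GO/P5_CSMGDLL_1.1.12.0/P5_LGPsLvDl.dll</cyon_uri>
<kic_uri></kic_uri>
</pcsync_ftp_commondll_list>
</response>
"""

# Assumed: the only host an update DLL should ever be fetched from.
ALLOWED_DOWNLOAD_HOSTS = {"tool.lime.gdms.lge.com"}


def parse_version(tag):
    """'P5_CSMGDLL_1.1.12.2' -> (1, 1, 12, 2); raises on an unexpected format."""
    m = re.search(r"(\d+(?:\.\d+)+)$", tag)
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_update_response(xml_bytes):
    """Return (sw_version, global_uri) from the updater's XML response."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "response" or root.get("status") != "OK":
        raise ValueError("unexpected response document")
    ver = root.findtext("pcsync_ftp_commondll_list/sw_version")
    uri = root.findtext("pcsync_ftp_commondll_list/global_uri")
    if not ver or not uri:
        raise ValueError("response lacks sw_version or global_uri")
    return ver, uri


def decide_insecure(installed_tag, xml_bytes):
    """Behaviour described in the advisory: if the advertised version is newer,
    return the URL that would be fetched and loaded, whatever its scheme or host."""
    ver, uri = parse_update_response(xml_bytes)
    if parse_version(ver) > parse_version(installed_tag):
        return uri
    return None


def decide_hardened(installed_tag, xml_bytes, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS):
    """Same version logic, but a download is only accepted over TLS and from an
    allowlisted host. Returns (url_or_None, reason)."""
    ver, uri = parse_update_response(xml_bytes)
    if parse_version(ver) <= parse_version(installed_tag):
        return None, "already up to date"
    u = urlparse(uri)
    if u.scheme != "https":
        return None, f"rejected: update offered over {u.scheme!r}, not https"
    if u.hostname not in allowed_hosts:
        return None, f"rejected: unexpected download host {u.hostname!r}"
    # A real client would additionally verify a signature on the downloaded
    # file before loading it; that step is outside what the advisory shows.
    return uri, "accepted"


if __name__ == "__main__":
    print("insecure:", decide_insecure("P5_CSMGDLL_1.1.12.0", SAMPLE_RESPONSE))
    print("hardened:", decide_hardened("P5_CSMGDLL_1.1.12.0", SAMPLE_RESPONSE))
```

Run against the constructed response, the insecure path hands back the plain-HTTP URL for loading, while the hardened path stops at the transport check; only a response rewritten to https on the allowlisted host gets through. Transport plus host pinning closes the on-path manipulation the advisory describes, but a signature check on the DLL itself is still what protects against a compromised download host.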

III. Mitigation

LG states that no patch will be provided for the described vulnerability because the LG PC Suite has reached the end of its product life cycle. Nevertheless, for users who are forced to continue using the application, the issue can be mitigated by disabling the update check manually: add an entry to the Windows hosts file for the host name csmg.lgmobile.com pointing to the IP address 127.0.0.1.
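Since the only available workaround is a hosts-file entry, a practitioner will want a way to confirm it is actually in place. The following added example (not LG's or Blue Frost's tooling) parses hosts-file text the way the Windows resolver reads it (comments, tabs, several names per line, case-insensitive names) and reports whether csmg.lgmobile.com is pinned to loopback, mapped somewhere else, or absent. The hosts contents shown are constructed; on a real system read C:\Windows\System32\drivers\etc\hosts and pass its text instead.

```python
"""Check the workaround from section III: a hosts entry pointing
csmg.lgmobile.com at 127.0.0.1 so the start-up update check never reaches
the real server. Added example, not LG's or Blue Frost's tooling. The
hosts text below is constructed; on a live system pass the contents of
C:\\Windows\\System32\\drivers\\etc\\hosts instead."""
import ipaddress

UPDATE_HOST = "csmg.lgmobile.com"
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample that already carries the workaround, with a trailing
# comment, a tab separator and upper-case name to exercise the parser.
SAMPLE_HOSTS_WITH_ENTRY = """\
# Constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
127.0.0.1\tCSMG.LGMOBILE.COM   # LG PC Suite update check disabled
"""

SAMPLE_HOSTS_WITHOUT_ENTRY = """\
# Constructed hosts file without the workaround
127.0.0.1       localhost
"""


def parse_hosts(text):
    """Return [(ip, [hostnames...]), ...] for every effective line; comments
    and blank lines are skipped, malformed lines are ignored rather than fatal."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                            # not an address: skip the line
        entries.append((ip, [name.lower() for name in parts[1:]]))
    return entries


def update_host_mappings(text, host=UPDATE_HOST):
    """Every address the file maps the update host to. The resolver uses the
    first one, but reporting all of them surfaces conflicting entries."""
    host = host.lower()
    return [ip for ip, names in parse_hosts(text) if host in names]


def mitigation_status(text, host=UPDATE_HOST):
    """'blocked'    - first mapping for the host is a loopback address
       'redirected' - host is mapped, but to a non-loopback address (review it)
       'missing'    - no entry; the update check would use real DNS"""
    ips = update_host_mappings(text, host)
    if not ips:
        return "missing"
    return "blocked" if ips[0] in LOOPBACK else "redirected"


def mitigation_line(host=UPDATE_HOST):
    """The line section III says to add to the hosts file."""
    return f"127.0.0.1 {host}"


if __name__ == "__main__":
    for label, text in (("with entry", SAMPLE_HOSTS_WITH_ENTRY),
                        ("without entry", SAMPLE_HOSTS_WITHOUT_ENTRY)):
        print(f"{label}: {mitigation_status(text)}")
```

The 'redirected' state is worth surfacing: an entry that sends csmg.lgmobile.com to any address other than loopback would hand the version check to whoever owns that address, which is the opposite of what the workaround intends. Note that the entry only neutralises the version check; the download host seen in the excerpt (tool.lime.gdms.lge.com) is never contacted when no newer version is reported.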

IV. Disclosure Timeline

2016-04-25  Contacted lgsecurity@lge.com due to lack of better contact and requested contact information to start the disclosure process
2016-06-06  After some failed contact requests we were able to submit the advisory
2016-07-12  LG requests more time before publishing the advisory
2016-07-24  LG informs us that the product will enter the end of its product life cycle and thus the reported issue will most likely not be fixed
2016-08-27  Received confirmation that no fix will be provided


Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact research@bluefrostsecurity.de for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall Blue Frost Security be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Blue Frost Security has been advised of the possibility of such damages.

Copyright 2016 Blue Frost Security GmbH. All rights reserved. Terms of use apply.