A newly discovered vulnerability (CVE-2023-4615) present in LG LED Assistant software could potentially allow remote attackers to disclose sensitive user information from affected installations. In this post, we will have a closer look at this vulnerability and the specifics of how it occurs. Authentication is not required to exploit this vulnerability, making it a high risk for users who have not applied the necessary patches.

Description

The vulnerability exists within the /api/download/updateFile endpoint. The endpoint does not validate a user-supplied path before using it in a file operation, so an attacker can read arbitrary files and disclose their contents in the context of the user running the service.

Even though LG has already patched this vulnerability, those who have not updated their LG LED Assistant software are definitely at risk.

Code Snippet

The following code snippet demonstrates how the vulnerable endpoint (/api/download/updateFile) is affected by the lack of proper validation of the user-supplied path:

const express = require('express');
const path = require('path');
const router = express.Router();

router.get('/api/download/updateFile', async (req, res) => {
    const filePath = req.query.path; // taken straight from the query string, never validated
    res.download(filePath, path.basename(filePath));
});

As seen in the code snippet above, filePath is taken directly from the path query parameter and passed to res.download without any validation, so a traversal sequence or an absolute path is used as-is.

Exploit Details

An attacker can exploit this vulnerability by crafting a URL with a malicious query string that points to a sensitive file, which will be sent to the vulnerable endpoint /api/download/updateFile. As a result, the sensitive file will be downloaded and the attacker will gain access to the disclosed information.

Here is a sample URL exploiting the vulnerability:

http://vulnerable_url/api/download/updateFile?path=../../../../../../etc/passwd

With this URL, the attacker attempts to download the /etc/passwd file (a pseudo-database containing user account information) from the vulnerable server.
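Requests of the kind shown above leave a clear trace in the web server's access log. The following detector is an added example, not part of the original post or of LG's software: it scans Combined Log Format lines (constructed samples below) for requests to the vulnerable endpoint whose path parameter contains a parent-directory segment or an absolute path, decoding percent-encoding (including double-encoding) first so that encoded variants of the same payload are not missed. The log lines, IP addresses and timestamps are constructed for the example.

```javascript
// Constructed sample access-log lines (Combined Log Format). Not real traffic.
const SAMPLE_LOG = [
  '10.0.0.7 - - [04/Sep/2023:11:20:01 +0000] "GET /api/download/updateFile?path=firmware-1.2.bin HTTP/1.1" 200 40960 "-" "LEDAssistant/1.0"',
  '198.51.100.23 - - [04/Sep/2023:11:21:45 +0000] "GET /api/download/updateFile?path=../../../../../../etc/passwd HTTP/1.1" 200 2217 "-" "curl/8.1.2"',
  '198.51.100.23 - - [04/Sep/2023:11:21:46 +0000] "GET /api/download/updateFile?path=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2217 "-" "curl/8.1.2"',
  '198.51.100.23 - - [04/Sep/2023:11:21:47 +0000] "GET /api/download/updateFile?path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "curl/8.1.2"',
  '10.0.0.9 - - [04/Sep/2023:11:22:10 +0000] "GET /api/status HTTP/1.1" 200 52 "-" "LEDAssistant/1.0"',
  '203.0.113.5 - - [04/Sep/2023:11:23:00 +0000] "GET /api/download/updateFile?path=/etc/passwd HTTP/1.1" 200 2217 "-" "python-requests/2.31"',
];

// client ip, timestamp, method, request target, status code
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;
const VULN_ROUTE = '/api/download/updateFile';

// URLSearchParams already decodes the value once; this loop only matters for
// double-encoded payloads such as "%252e%252e" (-> "%2e%2e" -> "..").
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; } // malformed escape
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return a short reason if `p` would escape a base directory, otherwise null.
function traversalReason(p) {
  if (p.includes('\0')) return 'NUL byte';
  if (/^[\\/]/.test(p) || /^[a-zA-Z]:[\\/]/.test(p)) return 'absolute path';
  if (p.split(/[\\/]/).some((seg) => seg === '..')) return 'parent-directory segment';
  return null;
}

// Scan log lines and return one finding per suspicious request to the endpoint.
// `served` is true when the server answered 200, i.e. the file was likely sent.
function findTraversalAttempts(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ip, ts, , target, status] = m;
    const qIndex = target.indexOf('?');
    const route = qIndex === -1 ? target : target.slice(0, qIndex);
    if (route !== VULN_ROUTE) continue;
    const params = new URLSearchParams(qIndex === -1 ? '' : target.slice(qIndex + 1));
    const raw = params.get('path');
    if (raw === null) continue;
    const decoded = fullyDecode(raw);
    const reason = traversalReason(decoded);
    if (reason === null) continue;
    findings.push({ ip, ts, status: Number(status), path: decoded, reason, served: status === '200' });
  }
  return findings;
}

// Example run over the constructed log.
for (const f of findTraversalAttempts(SAMPLE_LOG)) {
  console.log(`${f.ip} ${f.ts} ${f.reason}: ${f.path} (status ${f.status})`);
}
```

The decoded path is kept in each finding so that the same payload written three different ways (plain, single-encoded, double-encoded) is reported as the same thing; the status code tells the responder whether the request merely probed for the flaw or actually received the file.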

Original References

1. National Vulnerability Database - CVE-2023-4615
2. LG_security_advisory - LG LED Assistant Sensitive Information Disclosure

Mitigation

In order to mitigate this vulnerability, users should update their LG LED Assistant software to the latest version, which includes a fix for the vulnerability. Developers should validate all user-supplied input before using it and, in particular, should never pass untrusted values straight to file-system APIs: a file-download endpoint should resolve the requested name against a fixed base directory and refuse anything that resolves outside it.

Timeline

Published on: 09/04/2023 11:15:00 UTC
Last modified on: 09/08/2023 14:14:00 UTC