VnutZ Domain
Copyright © 1996 - 2017 [Matthew Vea] - All Rights Reserved

2012-04-27
Featured Article

LG BX580 Remote Accessibility


So a while back, I bought one of these LG BX580 BluRay players because I wanted to simplify my media experience with an all-in-one disc/network player. I really didn’t think anything of it since the player did exactly what it was supposed to do. But in light of recent articles bringing up the inherent security risks associated with appliances – government console hacking, firmware attacks on printers and TV hacking – I decided to take a quick look at the device. First task, the ever classic nmap scan:

Starting Nmap 5.51 ( http://nmap.org ) at 2012-04-26 22:15 EDT
Nmap scan report for 192.168.1.10
Host is up (0.058s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2 (rpc #100000)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

TRACEROUTE (using port 139/tcp)
HOP RTT     ADDRESS
1   5.57 ms 192.168.1.10

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds

WTF!? Seriously? Why does a BluRay player need to have an externally accessible RPC port open? RPC isn’t a feature necessary for the player to reach out on the network to stream NetFlix, access GraceNote or really provide any sort of network enabled media experience. RPC is “designed for network programming, allowing a program to make a subroutine call on a remote machine.”

Second task, run an rpcinfo query against the portmapper service to reveal what is running. Although most network protocols can be found running on the well-known ports, RPC services register with the portmapper under a program number, so they can sit on whatever port they were assigned and be looked up dynamically.

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

   program 100000 version 2 ready and waiting
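To see exactly what that rpcinfo query exchanges on the wire, here is an added Python example (not code from the original post) that sends the PMAPPROC_DUMP call to UDP/111 and decodes the XDR reply into the same table of registered programs. The address 192.168.1.10 is the one from the scan above; the xid and timeout values are arbitrary choices.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
PROTO_NAMES = {6: "tcp", 17: "udp"}  # IPPROTO values the portmapper uses in its mappings


def build_dump_call(xid: int) -> bytes:
    """XDR-encode an ONC RPC v2 CALL for PMAPPROC_DUMP using AUTH_NULL credentials."""
    return struct.pack(
        "!IIIIII" "II" "II",
        xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,  # msg_type 0 = CALL, rpcvers 2
        0, 0,                                             # cred: AUTH_NULL, body length 0
        0, 0,                                             # verf: AUTH_NULL, body length 0
    )


def parse_dump_reply(data: bytes, xid: int) -> list:
    """Decode the pmaplist from a DUMP reply; raise if the reply is rejected or mismatched."""
    rxid, msg_type, reply_stat, _verf_flavor, verf_len = struct.unpack_from("!IIIII", data, 0)
    if rxid != xid or msg_type != 1 or reply_stat != 0:  # 1 = REPLY, 0 = MSG_ACCEPTED
        raise ValueError("not an accepted reply for our xid")
    off = 20 + ((verf_len + 3) & ~3)  # skip the verifier body, XDR-padded to 4 bytes
    (accept_stat,) = struct.unpack_from("!I", data, off)
    if accept_stat != 0:  # 0 = SUCCESS
        raise ValueError(f"call not accepted (accept_stat={accept_stat})")
    off += 4
    mappings = []
    while True:  # pmaplist is a linked list: bool "more" followed by a mapping
        (more,) = struct.unpack_from("!I", data, off)
        off += 4
        if not more:
            return mappings
        prog, vers, prot, port = struct.unpack_from("!IIII", data, off)
        off += 16
        mappings.append((prog, vers, PROTO_NAMES.get(prot, str(prot)), port))


def dump_portmapper(host: str, timeout: float = 2.0, xid: int = 0x1234) -> list:
    """Query the portmapper on UDP/111 and return (program, version, proto, port) tuples."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, 111))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid)


if __name__ == "__main__":
    for prog, vers, proto, port in dump_portmapper("192.168.1.10"):
        print(f"{prog:>10} {vers:>4} {proto:>5} {port:>6}")
```

Re-running this periodically against the player is a cheap way to notice if it later registers anything beyond the portmapper itself.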

This information was pretty much the same as that produced by running Nessus 5, which was the third task. The variety of tests within the Nessus Scanner corroborated that the LG BX580 was running Linux kernel 2.6 and also produced information on the portmapper. The Nessus scan did not reveal any issues with the portmapper but did reference NIST’s advice on ensuring a proper configuration of the service. Fortunately, the only vulnerability identified by Nessus was EtherLeak, where short Ethernet frames are padded with stale buffer contents, allowing portions of system memory to be gleaned slowly by a remote party (and “remote” here means on the same physical Ethernet segment). Although not vulnerabilities, the system also responded to ICMP timestamp requests and used TCP timestamps (RFC 1323). These are relatively innocuous in nature, but they would allow a remote entity to determine how long you’ve been using the device.

So while there do not appear to be any blatant security holes at the moment, this definitely appears to be a poor implementation and could potentially pose a security ingress vector for a private home network. Furthermore, this does not prove that the LG device does not activate further daemons publicly, or register additional RPC programs with the portmapper later on, which may be openly exploitable. Now I need to capture all the packets from the device over time to figure out what else it does and whether it accepts any unwanted inbound traffic.

Thanks LG … so lame.
