Command injection in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service
Description
A command injection flaw in webOS attached storage manager allows authenticated attackers to execute commands as root on LG TVs across versions 4 through 7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the getAudioMetadata method of the com.webos.service.attachedstoragemanager service on webOS versions 4 through 7 [1]. Affected firmware versions include webOS 4.9.7 - 5.30.40 (LG43UM7000PLA), webOS 5.5.0 - 04.50.51 (OLED55CXPUA), webOS 6.3.3-442 - 03.36.50 (OLED48C1PUB), and webOS 7.3.1-43 - 03.33.85 (OLED55A23LA) [1]. The bug resides in the library responsible for handling music lyrics and is reachable through the service's API [1].
Exploitation
An attacker must first bypass the authorization mechanism (CVE-2023-6317) to gain authenticated access to the webOS service [1]. Once authenticated, the attacker sends a series of specially crafted requests to the getAudioMetadata method, injecting operating system commands via manipulated parameters [1]. The service runs with root privileges, so no further privilege escalation is required to execute arbitrary commands [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands as the root user, resulting in full compromise of the LG TV device [1]. The attacker can then install persistent backdoors, access sensitive data, or use the device as a pivot point within the network [1]. Bitdefender estimates over 91,000 devices on Shodan expose the vulnerable service to the internet, increasing remote attack potential [1].
Mitigation
LG released a patch on March 22, 2024 [1]. Users should update their TV firmware to the latest version provided by LG. No workaround is available if the patch cannot be applied. Disabling the attached storage manager service over the WAN interface reduces exposure but is not a complete fix.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lgsecurity.lge.com/bulletins/tv (mitre, vendor-advisory)
- bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/ (mitre)
News mentions
No linked articles in our index yet.