LG On Screen Phone Authentication Bypass

Posted Feb 6, 2015
Authored by Imre Rad

SEARCH-LAB Ltd. discovered a serious security vulnerability in the On Screen Phone protocol used by LG Smart Phones. A malicious attacker is able to bypass the authentication phase of the network communication, and thus establish a connection to the On Screen Phone application without the owner's knowledge or consent.

tags | advisory, protocol, bypass
advisories | CVE-2014-8757
SHA-256 | 6c5f9b3a483b2488fd33286b1d8b13298108615893ce571ef447baedf300e177

LG On Screen Phone authentication bypass vulnerability
------------------------------------------------------
SEARCH-LAB Ltd. discovered a serious security vulnerability in the On
Screen Phone protocol used by LG Smart Phones. A malicious attacker is
able to bypass the authentication phase of the network communication,
and thus establish a connection to the On Screen Phone application
without the owner’s knowledge or consent. Once connected, the attacker
could have full control over the phone – even without physical access to
it. The attacker needs only access to the same local network as the
phone is connected to, for example via Wi-Fi.


What is LG On Screen Phone?
---------------------------
The LG On-Screen Phone application (OSP) makes it easy to access and
control LG’s Android smartphones through a PC. The connection can be
established either by using a USB cable or wirelessly through Wi-Fi or
Bluetooth. When attempting to connect to the phone via OSP, a popup
dialog is displayed on the phone, which must be confirmed and accepted
by the owner. Once the channel is established, the screen contents of
the device are transmitted to the PC as a motion stream, and mouse
clicks on the PC are turned into touch events on the phone. By using OSP
one can control an LG Smart Phone just as if it were in their hands.


CVE
---
The ID CVE-2014-8757 was assigned to this vulnerability.


Affected Versions
-----------------
LG On Screen Phone v4.3.009 (inclusive) and older versions of the
application are vulnerable. This vulnerability was fixed in LG OSP v4.3.010.

Most LG smartphone models are affected: the OSP application is
preinstalled, and there is no option to uninstall or stop it. On
newer models, like the G3, the OSP application is no longer preinstalled.


Technical details
-----------------
The vulnerable code resides in the On Screen Phone component:

shell@geehrc:/ $ps |grep osp
system 1411 303 559616 44504 ffffffff 00000000 S com.lge.osp

It is started automatically on boot and there is no way in the system
settings to turn it off.

The process is listening on 0.0.0.0:8382:

shell@geehrc:/ $ netstat -nap|grep 8382
netstat -nap|grep 8382
tcp 0 0 0.0.0.0:8382 0.0.0.0:* LISTEN

The LG On Screen Phone client software running on PC connects to this
TCP port. After receiving the initial banner, the client sends the
following binary message to the server running on the phone:

00000000 18 00 1c 96 dd 82 c2 31 0a 0d 5a dc 05 2a 23 f4 .......1 ..Z..*#.
00000010 21 a5 d3 02 01 00 00 34 33 30 39 30 !......4 3090

This message triggers the confirmation dialog on the phone asking the
user whether they want to allow this connection. If the user hits
cancel, the phone server sends a response with a negative message to the
client and then closes the TCP connection immediately.

However, the server process does not require this message to be sent
before serving other requests, such as initiating the video stream,
submitting files, or handling key/touchscreen events and notifications.
Using a modified client it is possible to connect to the phone without
the confirmation dialog being displayed on the phone.

The attacker has full control over the phone.
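
The missing check described above, modelled as a per-connection state
machine next to a corrected version. This is an added example, not
SEARCH-LAB's or LG's code; the message names and return strings are
hypothetical, since the advisory does not list OSP's message types.

```python
from enum import Enum, auto

# Hypothetical message names: the advisory does not list OSP's message types.
CONNECT_REQUEST = "connect_request"
PRIVILEGED = {"start_video", "send_file", "input_event", "notification"}

class VulnerableSession:
    """Dispatches on message type alone, the behaviour the advisory describes."""

    def __init__(self, ask_owner):
        self.ask_owner = ask_owner  # callable that shows the dialog, returns bool
        self.open = True

    def handle(self, msg):
        if not self.open:
            return "closed"
        if msg == CONNECT_REQUEST:
            if self.ask_owner():
                return "accepted"
            self.open = False
            return "rejected"
        # Flaw: nothing records or checks that the owner ever accepted.
        return "served" if msg in PRIVILEGED else "unknown"

class State(Enum):
    CONNECTED = auto()   # banner sent, owner not yet asked
    AUTHORIZED = auto()  # owner accepted the dialog
    CLOSED = auto()

class HardenedSession:
    """Serves privileged requests only after the owner has accepted."""

    def __init__(self, ask_owner):
        self.ask_owner = ask_owner
        self.state = State.CONNECTED

    def handle(self, msg):
        if self.state is State.CLOSED:
            return "closed"
        if msg == CONNECT_REQUEST and self.state is State.CONNECTED:
            accepted = self.ask_owner()
            self.state = State.AUTHORIZED if accepted else State.CLOSED
            return "accepted" if accepted else "rejected"
        if msg in PRIVILEGED and self.state is State.AUTHORIZED:
            return "served"
        self.state = State.CLOSED  # out-of-order or unknown message: fail closed
        return "rejected"
```

In the vulnerable model a privileged request is served without the owner
ever being asked; the hardened model rejects it and closes the session.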


Timeline
--------
SEARCH-LAB Ltd. responsibly reported this threat to the manufacturer in
September 2014 who confirmed the severity of the issue and started
working on the fix in turn. The patched version of the application is
now available to download through LG’s Update Center and/or will be
available in form of Maintenance Release for some models. LG smartphone
users should make sure to have at least version 4.3.010 of the On Screen
Phone (OSP) application installed. Please note that when OSP is
pre-installed, the device is vulnerable by default – OSP is started
automatically and cannot be disabled in Settings.


Links
-----
https://www.youtube.com/watch?v=Wd8XydalVas
https://github.com/irsl/lgosp-poc/