So awhile back, I bought one of these LG BX580 BluRay players because I wanted to simplify my media experience with an all-in-one disc/network player. I really didn’t think anything of it since the player did exactly what it was supposed to do. But in light of recent articles bringing up the inherent security risks associated with appliances – Government Console Hacking, Firmware Attacks on Printers and Your TV Will Be Hacked – I decided to take a quick look at the device.
First task, the ever classic
Starting Nmap 5.51 ( http://nmap.org ) at 2012-04-26 22:15 EDT Nmap scan report for 192.168.1.10 Host is up (0.058s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 111/tcp open rpcbind 2 (rpc #100000) Device type: general purpose Running: Linux 2.6.X OS details: Linux 2.6.9 - 2.6.30 Network Distance: 1 hop
TRACEROUTE (using port 139/tcp) HOP RTT ADDRESS 1 5.57 ms 192.168.1.10
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds
WTF!? Seriously? Why does a BluRay player need to have an externally accessible RPC port open? RPC isn’t a feature necessary for the player to reach out on the network to stream NetFlix, access GraceNote or really provide any sort of network enabled media experience. RPC is “designed for network programming, allowing a program to make a subroutine call on a remote machine.”
Second task, run an
rpcinfo query against the portmapper service to reveal what is running. Although most network protocols can be found running on the well known ports, the portmapper allows them to move around and be queried dynamically.
program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper
program 100000 version 2 ready and waiting
This information was pretty much the same as that produced by running Nessus 5, which was the third task. The variety of tests within the Nessus Scanner corroborated the LG BX580 was running Linux Kernel 2.6 and also produced information on the portmapper. The Nessus scan did not reveal any issues with the portmapper but did reference the NIST’s advice on ensuring a proper configuration of the service. Fortunately, the only vulnerability identified by Nessus was EtherLeak where buffers get reused allowing portions of system memory to slowly be gleaned remotely (and by remote one must be on the same physical ethernet). Although not a vulnerability, the system also responded to ICMP timestamp requests and TCP timestamps (RFC 1323). Also relatively innocuous in nature but it would allow a remote entity to determine how long you’ve been using the device.
So while there do not appear to be any blatant security holes, at the moment, it would definitely appear to be a poor implementation and could potentially pose a security ingress vector for a private home network. Futhermore, this does not prove the LG device does not activate further daemons publicly or register additional RPC programs them with the portmapper later on which may be openly exploitable. Now I need to capture all the packets from the device over time to figure out what else it does and whether there is any unwanted, inbound traffic.
Thanks LG … so lame.
Similarly tagged OmniNerd content: