Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE network
low complexity
lg
CWE-552
exploit available
Published: 2018-09-12
Updated: 2019-10-03
Summary
LG LNB*, LND*, LNU*, and LNV* smart network camera devices have broken access control. Attackers are able to download /updownload/t.report (aka Log & Report) files and download backup files (via download.php) without authenticating. These backup files contain user credentials and configuration information for the camera device. An attacker is able to discover the backup filename via reading the system logs or report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate to the admin account with the admin password.
Vulnerable Configurations
Part | Description | Count |
OS | Lg | 19 |
Hardware | Lg | 18 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | LG Smart IP Camera 1508190 - Backup File Download. CVE-2018-16946. Webapps exploit for Hardware platform |
file | exploits/hardware/webapps/45394.py |
id | EDB-ID:45394 |
last seen | 2018-10-07 |
modified | 2018-09-12 |
platform | hardware |
port | |
published | 2018-09-12 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/45394/ |
title | LG Smart IP Camera 1508190 - Backup File Download |
type | webapps |