Vulnerabilities > CVE-2020-9759 - Download of Code Without Integrity Check vulnerability in LG Webos

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
lg
CWE-494
nessus

Summary

A Vulnerability of LG Electronic web OS TV Emulator could allow an attacker to escalate privileges and overwrite certain files. This vulnerability is due to wrong environment setting. An attacker could exploit this vulnerability through crafted configuration files and executable files.

Vulnerable Configurations

Part Description Count
OS
Lg
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Software Integrity Attacks
    An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state.
  • Malicious Software Download
    An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.
  • Malicious Software Update
    An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an attacker controlled source. Although there are several variations to this strategy of attack, the attack methods are united in that all rely on the ability of an attacker to position and disguise malicious content such that it masquerades as a legitimate software update which is then processed by a program, undermining application integrity. As such the attack employs 'spoofing' techniques augmented by psychological or technological mechanisms to disguise the update and/or its source. Virtually all software requires frequent updates or patches, giving the attacker immense latitude when structuring the attack, as well as many targets of opportunity. Attacks involving malicious software updates can be targeted or untargeted in reference to a population of users, and can also involve manual and automatic means of payload installation. Untargeted attacks rely upon a mass delivery system such as spamming, phishing, or trojans/botnets to distribute emails or other messages to vast populations of users. Targeted attacks aim at a particular demographic or user population. Manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user on clicking a single url. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in his or her arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface. Corporate Facebook or Myspace pages make it easy to target users of a specific company or affiliation without relying on email address harvesting or spamming. One phishing-assisted variation on this attack involves hosting what appears to be a software update, then harvesting actual email addresses for an organization, or generating commonly used email addresses, and then sending spam, phishing, or spear-phishing emails to the organization's users requesting that they manually download and install the malicious software update. This type of attack has also been conducted using an Instant Messaging virus payload, which harvests the names from a user's contact list and sends instant messages to those users to download and apply the update. While both methods involve a high degree of automated mechanisms to support the attack, the primary vector for achieving the installation of the update remains a manual user-directed process, although clicking a link within an IM client or web application may initiate the update. Manual attacks of this nature are common and frequently supported by social networking sites, such as Myspace or Facebook, and have proven to be immensely successful. Automated attacks involving malicious software updates require little to no user-directed activity and are therefore advantageous because they avoid the complex preliminary setup stages of manual attacks, which must effectively 'hook' users while avoiding countermeasures such as spam filters or web security filters. Automated update mechanisms typically come in two kinds, each requiring different mechanics for exploitation. 'Pull' mechanisms retrieve periodic updates from a server, a process in which the client software or local server installation retrieves the update from a remote network source. While 'Pull' mechanisms are highly automated there is still some user directed activity involved in the update process. 'Push' mechanisms involve a remote server sending an update to a client, which is typically processed when it is received. A characteristic of 'Push' updates is that they typically involve the least user interaction within the update process, thus narrowing the scope of the attack to automated mechanisms. Automated update attacks typically exploit a lack of technical mechanisms to validate the integrity of code before it is downloaded.
  • Malicious Automated Software Update
    An attacker exploits a weakness in a server or client's process of delivering and verifying the integrity of code supplied by an update-providing server or mechanism to cause code of the attackers' choosing to be downloaded and installed as a software update. Attacks against automated update mechanisms involve attack vectors which are specific to the type of update mechanism, but typically involve two different attack strategies: redirection or spoofing. Redirection-based attacks exploit two layers of weaknesses in server or client software to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update. One predominate type of redirection attack requires DNS spoofing or hijacking of a domain name corresponding to an update server. The target software initiates an update request and the DNS request resolves the domain name of the update server to the IP address of the attacker, at which point the software accepts updates either transmitted by or pulled from the attackers' server. Attacks against DNS mechanisms comprise an initial phase of a chain of attacks that facilitate automated update hijacking attack, and such attacks have a precedent in targeted activities that have been as complex as DNS/BIND attacks of corporate infrastructures, to untargeted attacks aimed at compromising home broadband routers, as well as attacks involving the compromise of wireless access points, as well as 'evil twin' attacks coupled with DNS redirection. Due to the plethora of options open to the attacker in forcing name resolution to arbitrary servers the Automated Update Hijacking attack strategies are the tip of the spear for many multi-stage attack chains. The second weakness that is exploited by the attacker is the lack of integrity checking by the software in validating the update. Software which relies only upon domain name resolution to establish the identity of update code is particularly vulnerable, because this signals an absence of other security countermeasures that could be applied to invalidate the attackers' payload on basis of code identity, hashing, signing, encryption, and other integrity checking mechanisms. Redirection-based attack patterns work equally well against client-side software as well as local servers or daemons that provide software update functionality. One precedent of redirection-based attacks involves the active exploitation of Firefox extensions, such as the Google Toolbar, Yahoo Toolbar, Facebook Toolbar, and others. The second strategy employed in Automated Hijacking Attacks are spoofing strategies, including content or identity spoofing, as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. Such attacks have numerous precedents, one in particular being eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-202003-51.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-202003-51 (WeeChat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in WeeChat. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, by sending a specially crafted IRC message, could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-03-31
    modified2020-03-26
    plugin id134926
    published2020-03-26
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134926
    titleGLSA-202003-51 : WeeChat: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 202003-51.
    #
    # The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134926);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/30");
    
      script_cve_id("CVE-2020-8955", "CVE-2020-9759", "CVE-2020-9760");
      script_xref(name:"GLSA", value:"202003-51");
    
      script_name(english:"GLSA-202003-51 : WeeChat: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-202003-51
    (WeeChat: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in WeeChat. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker, by sending a specially crafted IRC message, could
          possibly cause a Denial of Service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/202003-51"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All WeeChat users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-irc/weechat-2.7.1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:weechat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-irc/weechat", unaffected:make_list("ge 2.7.1"), vulnerable:make_list("lt 2.7.1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "WeeChat");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2157.NASL
    descriptionSeveral issues have been found in weechat, a fast, light and extensible chat client. All issues are about crafted messages, that could result in a buffer overflow and application crash. This could cause a denial of service or possibly have other impact. For Debian 8
    last seen2020-03-28
    modified2020-03-25
    plugin id134881
    published2020-03-25
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134881
    titleDebian DLA-2157-1 : weechat security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-2157-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134881);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/27");
    
      script_cve_id("CVE-2020-8955", "CVE-2020-9759", "CVE-2020-9760");
    
      script_name(english:"Debian DLA-2157-1 : weechat security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several issues have been found in weechat, a fast, light and
    extensible chat client. All issues are about crafted messages, that
    could result in a buffer overflow and application crash. This could
    cause a denial of service or possibly have other impact.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    1.0.1-1+deb8u3.
    
    We recommend that you upgrade your weechat packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2020/03/msg00031.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/weechat"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:weechat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:weechat-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:weechat-curses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:weechat-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:weechat-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:weechat-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:weechat-plugins");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"weechat", reference:"1.0.1-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"weechat-core", reference:"1.0.1-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"weechat-curses", reference:"1.0.1-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"weechat-dbg", reference:"1.0.1-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"weechat-dev", reference:"1.0.1-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"weechat-doc", reference:"1.0.1-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"weechat-plugins", reference:"1.0.1-1+deb8u3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");