Vulnerabilities in LG smartphones exploited to execute remote code


LG recently patched two critical vulnerabilities in the default keyboard of all its smartphones, including flagship phones; the vulnerabilities could have been used to execute code remotely with elevated privileges, information security professionals commented.

This LG update also includes the fix for a serious Android problem from Google.


The first flaw stems from the LG keyboard's support for handwriting modes in several languages. When a new language is installed, or an existing one is updated, the device contacts a hard-coded server and retrieves the requested language file from it. According to the team of experts who reported the vulnerability, the problem is that the download is made over an insecure HTTP connection, exposing it to man-in-the-middle (MITM) attacks. A remote attacker could have the device download a malicious file instead of the language file.

Regarding the second problem, information security experts say it is a validation error in LG's file system. Resource files within the sandbox of the LG keyboard package can be modified, and the LG keyboard application grants executable permissions to downloaded library files with the .so extension. An attacker who has gained a man-in-the-middle position through the first vulnerability can therefore inject an unauthorized executable file simply by adding the .so extension to a library download.

By altering the files.txt metadata file, the Engine.properties file could be overwritten with a forged one.

“The keyboard loads the library indicated in the Engine.properties configuration file at the start of the application, and the rogue library injected into the aforementioned file would load as soon as the keyboard process is restarted,” explained Slava Makkaveev, information security researcher at Check Point. “Once we manage to inject the rogue lib into Engine.properties, we just have to wait for the application to restart and load the library.”
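The checks whose absence made this chain possible, written as an added example; this is not LG's or Check Point's code. Only the names `files.txt`, `Engine.properties` and the `.so` extension come from the article: the manifest layout, the `.dat` allow-list and the pinned manifest digest (assumed to reach the app through a trusted channel such as the app's own signed update) are assumptions.

```python
import hashlib
import posixpath
from urllib.parse import urlsplit

# Assumptions for this sketch: data-only extensions and the manifest layout are constructed.
PROTECTED = {"Engine.properties", "files.txt"}  # files the keyboard trusts at start-up
ALLOWED_EXT = {".dat"}                           # language data only; ".so" is never accepted
DATA_MODE = 0o644                                # downloaded files are never made executable


class RejectedUpdate(Exception):
    """Raised before anything is written to disk."""


def parse_manifest(text):
    """Constructed format: one '<relative path> <sha256 hex>' pair per line."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        parts = line.split()
        if len(parts) != 2:
            raise RejectedUpdate(f"malformed manifest line: {line!r}")
        entries[parts[0]] = parts[1].lower()
    return entries


def check_name(name):
    """Reject names that leave the pack directory, replace trusted config, or carry code."""
    norm = posixpath.normpath(name)
    if norm != name or name.startswith("/") or "\\" in name or norm.split("/")[0] == "..":
        raise RejectedUpdate(f"path escapes pack directory: {name!r}")
    if posixpath.basename(norm) in PROTECTED:
        raise RejectedUpdate(f"update may not replace {name!r}")
    if posixpath.splitext(norm)[1].lower() not in ALLOWED_EXT:
        raise RejectedUpdate(f"extension not allowed: {name!r}")


def plan_install(url, manifest_text, pinned_manifest_sha256, payloads):
    """Return {relative path: file mode} for a pack that passes every check."""
    if urlsplit(url).scheme != "https":
        raise RejectedUpdate("language packs must be fetched over HTTPS")
    if hashlib.sha256(manifest_text.encode()).hexdigest() != pinned_manifest_sha256:
        raise RejectedUpdate("manifest does not match the pinned digest")
    plan = {}
    for name, digest in parse_manifest(manifest_text).items():
        check_name(name)
        data = payloads.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != digest:
            raise RejectedUpdate(f"missing or altered file: {name!r}")
        plan[name] = DATA_MODE
    return plan
```

The name checks run even when the manifest digest matches, so a manifest that lists a `.so` file or `Engine.properties` is refused independently of the transport and integrity checks.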

LG treats these vulnerabilities as a flaw; they are exclusive to LG devices. The threat is significant: LG phones have a market share of approximately 16 percent in the US. LG released a patch for all of these in its May security update.