About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Getting root on webOS- 383

Andreas - RSecurityPosted 5 Years Ago
  • WebOS is a Linux based distro that was built by Palm back in the day. In recent times, LG uses it on a large amount of their smart devices.
  • WebOS's application are all called web apps, which was essentially JavaScript applications running. webOS also implements an API that allows for communication with the underlying system called Luna.
  • One of these APIs allows for the downloading of files onto the system. Only privileged users can specify the download location. What if we could convince the service that we should be able to hit this endpoint?
  • The service validates that a specify string is in the package name prior to running it (com.palm, com.webos and com.lge.). To me, this looks extra permissive. From researching the setuid binaries, one of the CLI tools had a prefix with this package name!
  • Because of this, the CLI tools could be used in order to hit this endpoint and specify the location to download the file AS root.
  • For exploitation, a binary cannot simply be overwritten because the file will not have the executable bit turned on (this is a good thing for security). So, the author choose to overwrite a configuration file that pointed to a shell script, which runs at booting time. Just restart the box and we have root :)

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed