Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

WebOS is the operating system used in LG TVs. WebOS is web, but within an OS! Many things sound JavaScript-y because it is NodeJS running under the hood.

The Notification Manager is used by internal system services in order to manage notifications, such as alerting about system- and app updates etc. It cannot be called by regular applications and runs as root. The permission systems works based upon an allowlist of app Ids. Due to a logic flaw within notificationmgr/Settings.cpp, the notifications can be bypassing by sending a request through the luna-send-pub tool. This is not a vulnerability by itself, but does open up a new attack vector for us.

The luna://com.webos.notification/createAlert API of Notifications Manager allows for actions to be defined, such as onclick and many more. When calling these, there is a check to validate that the user has the proper permissions to call these APIs.

However, the permissions are handled on the API calls themselves via logic and not the file permissions on the operating system. It turns out that the nesting of these URIs is possible. Since the verification ONLY happens on the first URI, the verification can pass while the second call can now perform arbitrary actions. In this case, they call the normally denied luna://com.webos.service.downloadmanager/download.

There are MANY other ways to compromise the system with other calls. The important note is that not all of the data was properly verified on the request, which leads to an authentication bypass. Overall, good post on a two bugs that lead to privilege escalation.