CVE-2023-44121 in V60 Thin Q 5G
Summary
by MITRE • 10/25/2023
The vulnerability is an intent redirection in LG ThinQ Service ("com.lge.lms2") in the "com/lge/lms/things/ui/notification/NotificationManager.java" file. This vulnerability could be exploited by a third-party app installed on an LG device by sending a broadcast with the action "com.lge.lms.things.notification.ACTION". Additionally, this vulnerability is very dangerous because LG ThinQ Service is a system app (having android:sharedUserId="android.uid.system" setting). Intent redirection in this app leads to accessing arbitrary not exported activities of absolutely all apps.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/25/2023
The vulnerability identified as CVE-2023-44121 represents a critical intent redirection flaw within the LG ThinQ Service application component on Android devices. This vulnerability exists within the "com.lge.lms2" package specifically in the "com/lge/lms/things/ui/notification/NotificationManager.java" file where the application fails to properly validate incoming broadcast intents. The flaw stems from the application's improper handling of the broadcast action "com.lge.lms.things.notification.ACTION" which allows malicious third-party applications to manipulate the intent flow and potentially redirect execution to arbitrary activities within the system. This issue is particularly concerning because the LG ThinQ Service operates as a system-level application with the android:sharedUserId="android.uid.system" setting, granting it elevated privileges and system-level access rights that far exceed normal application permissions.
The technical exploitation of this vulnerability demonstrates a fundamental flaw in Android's intent security model where the system application fails to implement proper intent validation mechanisms. When a malicious application sends a broadcast with the specific action "com.lge.lms.things.notification.ACTION", the LG ThinQ Service processes this intent without adequate verification of the sender's authenticity or intent legitimacy. This lack of validation creates an exploitation pathway that allows attackers to leverage the system application's elevated privileges to access not exported activities across all installed applications on the device. The vulnerability essentially enables a form of privilege escalation where a third-party application can effectively gain system-level capabilities through the compromised system service.
The operational impact of this vulnerability extends beyond simple unauthorized access as it provides attackers with unprecedented control over the device's application landscape. Since the LG ThinQ Service is a system application with shared user ID privileges, the intent redirection allows exploitation of not exported activities that would normally be protected from external access. This creates a significant security risk where malicious actors could potentially access sensitive application data, execute arbitrary code within other applications, or manipulate system functionalities. The vulnerability's dangerous nature is amplified by the fact that it requires no special user interaction or device rooting, making it particularly attractive to threat actors seeking persistent access to mobile devices. This flaw directly relates to CWE-798, which addresses the use of hard-coded credentials, and aligns with ATT&CK technique T1068, involving the exploitation of legitimate credentials to gain system-level access.
The mitigation of this vulnerability requires immediate attention from both device manufacturers and users. LG should implement proper intent validation mechanisms within the ThinQ Service application, ensuring that all incoming broadcasts are authenticated and validated before processing. This includes implementing signature verification for broadcast intents, adding proper access controls for system-level services, and ensuring that the application does not blindly execute intents from untrusted sources. Additionally, users should be advised to avoid installing untrusted applications that may attempt to exploit this vulnerability, and system administrators should monitor for suspicious broadcast activity within the affected application. The fix should also include implementing proper input sanitization and validation to prevent the exploitation of intent redirection pathways, while also considering the implementation of Android's security best practices such as using explicit intents instead of implicit ones where possible. Organizations should also consider implementing mobile threat defense solutions that can detect and prevent unauthorized broadcast intent manipulation attempts.