Vulnerabilities in webOS that allow files to be overwritten on LG TVs

Details have been disclosed about vulnerabilities in the open webOS platform that can be used to gain access to privileged low-level APIs of the system environment on LG TVs and other devices based on this platform. The attack is carried out by launching an unprivileged application that exploits the vulnerabilities to reach internal APIs, and it makes it possible to overwrite or read arbitrary files or to perform other actions that the system APIs permit.

The first of the identified vulnerabilities makes it possible to bypass the access restrictions on the Notification Manager API, and the second makes it possible to use the Notification Manager to reach other internal APIs that are not directly available to user applications. CVE identifiers have not yet been assigned to the issues. Exploitability was tested on an LG 65SM8500PLA TV with firmware based on webOS TV 05.10.30.

The essence of the first vulnerability is that, by default, only system services are allowed to send notifications in webOS, but this restriction can be bypassed and notifications can be sent from an unprivileged application using the luna-send-pub command (com.webos.lunasendpub). The second vulnerability is related to the fact that by calling the API "luna://com.webos.notification/createAlert" with the click, close or fail parameters, you can launch any handler and, for example, call the system download service, which only privileged applications are allowed to launch, to download and save arbitrary files.
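The second issue is a confused-deputy problem: the notification service runs the handler with its own privileges instead of the caller's. The sketch below is an added example, not webOS code and not code from the article, showing one way a service could check every handler target against the original caller's permissions before accepting an alert. The ACL table, app IDs, handler field layout and all service URIs are assumptions constructed for illustration.

```javascript
// Added example: hypothetical policy check, not webOS source code.
// Constructed ACL: caller app ID -> services it may call directly.
const ACL = {
  "com.example.untrusted.app": ["com.webos.notification"],
  "com.example.system.settings": ["com.webos.notification", "com.example.privileged.download"],
};

// Handler field names, assumed from the article's "click, close or fail" wording.
const HANDLER_KEYS = new Set(["onclick", "onclose", "onfail"]);

// Extract the service name from a luna:// URI, or null if it is malformed.
function serviceOf(uri) {
  const m = /^luna:\/\/([A-Za-z0-9._-]+)\//.exec(String(uri));
  return m ? m[1] : null;
}

// Recursively collect every handler URI, including ones nested in button lists.
// A handler may be a bare URI string or an object with a `uri` field (assumed layout).
function collectHandlers(node, out = []) {
  if (Array.isArray(node)) {
    node.forEach((n) => collectHandlers(n, out));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (HANDLER_KEYS.has(key.toLowerCase())) {
        out.push(value && typeof value === "object" ? value.uri : value);
      } else {
        collectHandlers(value, out);
      }
    }
  }
  return out;
}

// Return the handlers the caller may NOT trigger; an empty list means the alert
// is acceptable. Unknown callers and malformed URIs are denied (fail closed).
function deniedHandlers(callerId, payload) {
  const allowed = new Set(ACL[callerId] || []);
  return collectHandlers(payload).filter((uri) => {
    const svc = serviceOf(uri);
    return svc === null || !allowed.has(svc);
  });
}

// Constructed sample alert: the button handler points at a privileged service.
const sampleAlert = {
  message: "Update available",
  buttons: [{ label: "OK", onclick: "luna://com.example.privileged.download/start" }],
  onclose: { uri: "luna://com.webos.notification/exampleMethod" },
};
```

The key design choice is that authorization uses the identity of the application that created the alert, not the identity of the service that later dispatches the handler.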

source: budenet.ru
