I got a new TV! I tried to find a TV that didn't have "smarts" built-in, but that is surprisingly hard to do these days. Anyway, I ended up getting a Sony KDL-48R510C. After setting it up, I leafed through the paper booklets it came with. Invariably, one of them is chock full of software license terms. To me this says one thing: "here is the list of software that you check for known exploits."

After setting up the TV, I played around with the features for a bit to understand the different operating "modes" of the device. One of the built-in apps is a photo sharing app where the embedded system in the TV broadcasts a wifi access point for nearby users to connect to and upload pictures and music via an HTTP server that will then be displayed on-screen. Although the TV claims you need to connect to its broadcast wifi AP to navigate to the photo share app, I found that if I used the TV's Ethernet port's IP address, I could reach the web server just fine. This seemed like an excellent candidate for vulnerabilities!

The first step in any security assessment like this one is to pull out the venerable Nmap scanner to check the attack surface.

Wow! If that web server is really what it claims to be, over a decade old, then there must certainly be some kind of well-known RCE exploit and I can take the rest of the night off.

The surprisingly small number of known thttpd vulnerabilities didn't work, which indicates that this is a forked/patched version that just never had the banner string updated. The other open ports in the port scan didn't show much promise either. Maybe Sony has their shit together now and is making secure products? Hahaha…yeah right.

The uploading functionality is especially interesting here because it provides a pathway into the system. After a couple of minutes with Firefox's F12 developer tools / the View Source feature in any browser, we can see that the upload is just a JavaScript POST to a CGI executable. We know the uploaded data is being stored somewhere in the filesystem, and if we are lucky, only limited validation is done to check that the file is really an image or audio file. Just messing around, I found that I was potentially able to have blind directory traversal by using / and . in file names (the uploaded files weren't showing but the script returned like it was successful, although it could have been silently filtering out the malicious filename). I also found that I could upload things that were certainly not images or media.

At this point, I decided it would be nice to have a copy of the web server configuration and its cgi-bin to better understand what craziness was going on. A quick trip to the internet got me a nice big binary blob to analyse. The KDL-40R510C / KDL-48R510C / KDL-48R550C all use the same firmware package. Other models are probably exploitable too if they share the same vulnerable code. This particular research was done against version PKG4.570SLUSA of the firmware (published ).

When downloading a binary blob firmware, the first thing to do is run the great binwalk program on it to see what it contains. You can get the latest version of binwalk from although your distro may have packages (Kali Linux comes with it installed). The tool found and extracted a non-standard squashfs filesystem.
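The two gaps probed in the photo-share upload CGI (a filename that can carry `/` and `.` segments, and content that need not be an image or audio file) map onto two server-side checks. The following is an added example written for this page, not Sony's CGI code and not from the post; the upload directory `UPLOAD_DIR`, the accepted media types and every sample input are assumptions. `weak_target_path()` models the naive behaviour the probing suggests, and `safe_target_path()` the checks a hardened handler would apply.

```python
"""Hardening the photo-share upload path (added example, not the TV's code).

weak_target_path(): the client-supplied name is joined straight onto the
upload directory, so '../' segments resolve outside it.
safe_target_path(): rejects separators, dot segments and NULs, sniffs the
content's magic bytes, and re-checks the resolved path stays in UPLOAD_DIR.
UPLOAD_DIR, the media-type table and all sample inputs are assumptions.
"""
import posixpath

UPLOAD_DIR = "/tmp/photoshare_uploads"   # hypothetical storage directory

# Leading magic bytes of the media types the app claims to accept.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png":  (b"\x89PNG\r\n\x1a\n",),
    "image/gif":  (b"GIF87a", b"GIF89a"),
    "audio/mpeg": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}


def weak_target_path(filename: str) -> str:
    """Naive handling: no validation of the name at all."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))


def sniff_media_type(data: bytes):
    """Return the media type whose magic the data starts with, or None."""
    for mtype, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return mtype
    return None


def safe_target_path(filename: str, data: bytes) -> str:
    """Hardened handling. Raises ValueError so the CGI can report a failure
    instead of claiming success the way the TV's script appeared to."""
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or embedded NUL")
    if filename != posixpath.basename(filename) or "\\" in filename:
        raise ValueError("filename contains a path separator")
    if filename.startswith("."):
        raise ValueError("dot segment or hidden file")
    if sniff_media_type(data) is None:
        raise ValueError("content is not a recognised image or audio file")
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))
    # Defence in depth: the resolved path must still sit inside UPLOAD_DIR.
    if posixpath.commonpath([UPLOAD_DIR, target]) != UPLOAD_DIR:
        raise ValueError("resolved path escapes the upload directory")
    return target


def is_accepted(filename: str, data: bytes) -> bool:
    """True if safe_target_path() would store the upload, False if rejected."""
    try:
        safe_target_path(filename, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample uploads: one legitimate, two that a weak handler
    # would store and a hardened one must reject.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("../../etc/passwd", b"\xff\xd8\xff\xe0"),
        ("evil.sh", b"#!/bin/sh\n"),
    ]
    for name, data in samples:
        print(f"{name!r}: weak -> {weak_target_path(name)}, "
              f"hardened accepts -> {is_accepted(name, data)}")
```

Magic-byte sniffing is necessary but not sufficient: a file can start with valid JPEG bytes and still carry other content, so a production handler would also enforce an extension allow-list and, for images, re-encode the file rather than store the upload verbatim.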
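binwalk's first pass over a blob is a signature scan: it looks for known magic bytes at every offset and, for squashfs, sanity-checks the superblock that follows before reporting a filesystem. The script below is an added example written for this page (not binwalk's code and not from the post) that does this for squashfs only, including the vendor-variant magics that make an image "non-standard". The variant magic list is an assumption modelled on entries commonly found in binwalk's signature files, and the sample blob is constructed inline.

```python
"""Minimal squashfs signature scan (added example, not binwalk's code).

Walks a firmware blob for squashfs magics, parses the v4 superblock that
follows and keeps only hits whose fields are self-consistent, which is
roughly what binwalk does before reporting a squashfs filesystem.
The vendor-variant magics are an assumed list; the sample blob is constructed.
"""
import struct

# magic -> struct endianness prefix. 'hsqs'/'sqsh' are the standard
# little-/big-endian magics; the rest are vendor variants (assumed list).
SQUASHFS_MAGICS = {
    b"hsqs": "<", b"sqsh": ">",
    b"shsq": "<", b"qshs": ">", b"tqsh": ">", b"hsqt": "<", b"sqlz": ">",
}

# First 48 bytes of a squashfs v4 superblock (fields after bytes_used omitted).
SB_FORMAT = "4sIIIIHHHHHHQQ"
SB_SIZE = struct.calcsize("<" + SB_FORMAT)          # 48
COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_superblock(blob: bytes, offset: int, endian: str):
    """Parse the superblock at offset; return a dict, or None if it looks bogus."""
    if offset + SB_SIZE > len(blob):
        return None
    (magic, inodes, mtime, block_size, frags, comp, block_log, flags,
     ids, major, minor, root_inode, bytes_used) = struct.unpack_from(
        endian + SB_FORMAT, blob, offset)
    # Consistency checks that weed out chance occurrences of the 4-byte magic.
    if major != 4 or minor != 0:
        return None
    if block_log > 20 or block_size != (1 << block_log):
        return None
    if bytes_used < SB_SIZE:
        return None
    return {
        "offset": offset,
        "magic": magic.decode("ascii"),
        "endian": "little" if endian == "<" else "big",
        "version": f"{major}.{minor}",
        "block_size": block_size,
        "inodes": inodes,
        "compression": COMPRESSION.get(comp, f"unknown({comp})"),
        "bytes_used": bytes_used,
    }


def scan_for_squashfs(blob: bytes):
    """Return all plausible squashfs superblocks in the blob, by offset."""
    hits = []
    for magic, endian in SQUASHFS_MAGICS.items():
        pos = blob.find(magic)
        while pos != -1:
            sb = parse_superblock(blob, pos, endian)
            if sb is not None:
                hits.append(sb)
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image(magic: bytes = b"hsqs") -> bytes:
    """Constructed test blob: junk, a decoy magic with garbage after it,
    then a valid v4 superblock at offset 145, then padding."""
    endian = SQUASHFS_MAGICS[magic]
    header = struct.pack(endian + SB_FORMAT, magic,
                         12,            # inode count
                         1420070400,    # mkfs time
                         131072,        # block size (128 KiB)
                         0,             # fragment entries
                         4,             # compression id: xz
                         17,            # block_log (2**17 == 131072)
                         0, 1, 4, 0,    # flags, id count, major, minor
                         0,             # root inode ref
                         SB_SIZE + 64)  # bytes used
    decoy = b"hsqs" + b"\x00" * 8       # magic, but superblock is garbage
    return (b"\x00" * 37 + b"HDR0" + decoy + b"\xaa" * 92
            + header + b"\x00" * 64)


if __name__ == "__main__":
    for hit in scan_for_squashfs(build_sample_image()):
        print(f"{hit['offset']:#x}: squashfs {hit['version']} "
              f"{hit['endian']}-endian, {hit['compression']}, "
              f"block size {hit['block_size']}, {hit['bytes_used']} bytes")
```

On a real dump you would read the file into `blob` and feed it to `scan_for_squashfs()`; the point of the superblock checks is visible in the constructed sample, where the decoy magic at offset 41 is discarded and only the genuine header at offset 145 is reported.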