# 12 December 2018
I already found some security issues and exploits not long after getting bored of a slow TV. Something seemed a bit off about everything and how sluggish it was to respond. It turns out the whole TV interface is just multiple browser tabs.
## First security issue / exploit
Unsure of which was found first and in what order, but I was able to do XSS in the USB file browser on the TV by naming a file on the USB something like ```<img src="onerror='location.href=`file`+String.fromCharCode(58)+String.fromCharCode(47).repeat(3)+`mnt`+String.fromCharCode(47)+`usb`+String.fromCharCode(47)+`sdb2`+String.fromCharCode(47)+`main.html`'">.mp3``` (yes it is long and not optimal or needed, but first tests be first tests). This would replace the USB file browser window with `main.html` from the USB.
Another issue is that I could make a symlink to `/` on the USB and the TV's USB file browser would go to the TV's filesystem root. I could only see the filenames and folder structure, but could not open or edit any files (except open image and video files).
After scanning the TV for open ports, 2 ports were particularly interesting: `7001` and `9222`. They both seem to be some web server interface that includes a Chrome inspector and connects to the TV's browser tabs through WebSocket for inspection and debugging. From what I can tell, `7001` does not allow you to run JavaScript in the inspector console, whereas `9222` seems to have no restrictions.
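As an added example (not code from the original write-up or from the TV's firmware), here is a small file-list renderer in the style of the USB file browser: the version that concatenates filenames straight into markup, which is the class of bug the filename above exploits, beside a hardened version that escapes text and attribute contexts. The sample listing, the `file:///mnt/usb/` base path and the function names are assumptions.

```javascript
// Constructed sample of a USB directory listing. The second entry is an
// abbreviated form of the XSS filename from the write-up; the third has
// characters that break a double-quoted attribute without injecting a tag.
const SAMPLE_LISTING = [
  'holiday.mp4',
  '<img src=x onerror="fired()">.mp3',
  'a&b "quoted".jpg',
];

// Escape a string for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the filename is concatenated into the markup unchanged, so a
// filename containing '<' or '"' becomes part of the page's HTML.
function renderUnsafe(names) {
  return names
    .map(n => `<li><a href="file:///mnt/usb/${n}">${n}</a></li>`)
    .join('\n');
}

// Hardened: the path segment is percent-encoded and then attribute-escaped,
// and the visible name is HTML-escaped, so a filename cannot close the tag
// or add an attribute in either context.
function renderSafe(names) {
  return names
    .map(n => {
      const href = 'file:///mnt/usb/' + encodeURIComponent(n);
      return `<li><a href="${escapeHtml(href)}">${escapeHtml(n)}</a></li>`;
    })
    .join('\n');
}

// Rough self-check for the two renderers: report any tag in the output that
// the renderer itself does not emit (e.g. an <img> smuggled in via a name).
const EXPECTED_TAGS = new Set(['li', '/li', 'a', '/a']);
function hasUnexpectedTag(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)]
    .map(m => m[1].toLowerCase());
  return tags.some(t => !EXPECTED_TAGS.has(t));
}
```

Running `hasUnexpectedTag(renderUnsafe(SAMPLE_LISTING))` reports the injected `<img>`, while the hardened renderer's output contains only the list and anchor tags.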
I then made a better file browser with my USB XSS exploit that could also read *some* files of the TV and display them on the TV screen ([video](https://www.youtube.com/watch?v=4-StKSGXhHw)).
## Filesystem dump
I have JavaScript code execution with the USB XSS and Chrome inspection on port `9222`. I chose to use the Chrome inspector method as it seemed easier and faster to work with. **Robin** seemed to point me in the direction of accessing `file:///`, as that is what the TV is already doing with some of the tabs. I cannot edit the address by any means to a file path, as issues arise. I found a way to bypass this by using JavaScript's `XMLHttpRequest` class to make a local request. This could also read files, but would spew out corrupted strings due to unprintable characters.
I ended up writing a filesystem structure mapper in Python that maps out the whole filesystem by calling `XMLHttpRequest` with JavaScript and parsing the response to tell what files are in what directory and each file's size. After that was all handled, I rewrote my load function to take the response from `XMLHttpRequest`, turn every byte into the hex representation of that byte and return a long string for any file stream. (I normally do not edit writeup files in post, but I understand I could have used base64 or anything else for this; I did not know better at the time.) I then went through the whole filesystem I had mapped out previously and sent the whole TV filesystem over WebSocket. This includes binaries (maybe they will come in handy at some point).
![USB filename xss](img/vQ9bn.png "vQ9bn.png")
## Requires more research
I found a non-standard JavaScript function/class that does something native. `TV_JSP` seems to be an object that needs to be initialized with no arguments. `TV_JSP` returns `NJSEPluginFunction() { [native code] }`, whereas `new TV_JSP()` returns `NJSEPluginObject {}`.
After going through the filesystem dump I found a few JavaScript files that use this function with different function calls as part of the object, such as `getTvJspService().tvServices.appOpen(name, url, 1)`.
There is also an `MtvObjRaw` object that appears sometimes and that I do not really understand yet. It seems to be related to `TV_JSP` and to have some functions defined to help with the native bindings.
Currently I do not know how to find function names and how they work, as I only really understand some of the JavaScript files that use it. I did a scan through all binary files and it seems to lead me towards `/3rd/browser_engine/opera_dir/jsplugins/tvapi_jsplugin.so`, but I have no tools or knowledge to understand what to do with this. I have plans to do other projects that may involve reverse engineering, so I may revisit this at a later point in time.