Philips_TV/research/12_dec_2018.md

# 12 December 2018
I already found some security issues and exploits not long after getting bored of a slow TV. Something seemed a bit off about everything, especially how sluggish it was to respond. It turns out the whole TV interface is just multiple browser tabs.
## First security issue / exploit
Unsure which was found first and in what order, but I was able to do XSS in the USB file browser on the TV by naming a file on the USB something like ```<img src="onerror='location.href=`file`+String.fromCharCode(58)+String.fromCharCode(47).repeat(3)+`mnt`+String.fromCharCode(47)+`usb`+String.fromCharCode(47)+`sdb2`+String.fromCharCode(47)+`main.html`'">.mp3``` (yes, it is long and not optimal or needed, but first tests be first tests). This would replace the USB file browser window with `main.html` from the USB.
Another issue is that I could make a symlink to `/` on the USB and the TV's USB file browser would go to the TV's filesystem root. I could only see the filenames and folder structure, but could not open or edit any files (except opening image and video files).
After scanning the TV for open ports, two ports were particularly interesting: `7001` and `9222`. They both seem to be some web server interface that includes a Chrome inspector and connects to the TV's browser tabs through websocket for inspection and debugging. From what I can tell, `7001` does not allow you to run JavaScript in the inspector console, whereas `9222` seems to have no restrictions.
I then made a better file browser with my USB XSS exploit that could also read *some* files of the TV and display them on the TV screen ([video](https://www.youtube.com/watch?v=4-StKSGXhHw)).
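The root cause of the file-browser bug above is that a filename coming off the USB stick is treated as markup. The following is an added example (not the TV's own file-browser code) contrasting an innerHTML-style renderer with one that escapes the name; the hostile filename is the one quoted in this writeup, used here as constructed sample input.

```javascript
// Constructed sample input: the XSS filename from the writeup, verbatim.
const HOSTILE_NAME =
  '<img src="onerror=\'location.href=`file`+String.fromCharCode(58)+String.fromCharCode(47).repeat(3)+`mnt`+String.fromCharCode(47)+`usb`+String.fromCharCode(47)+`sdb2`+String.fromCharCode(47)+`main.html`\'">.mp3';

// Vulnerable pattern: the untrusted filename is spliced straight into markup
// that later lands in innerHTML, so the browser parses it as an element.
function renderRowUnsafe(name) {
  return '<li class="file">' + name + '</li>';
}

// Hardened pattern: every character that has meaning to the HTML parser is
// replaced by its entity before the name touches markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

function renderRowSafe(name) {
  return '<li class="file">' + escapeHtml(name) + '</li>';
}

// Demo check: strip the wrapper tags and see whether anything that looks like
// an element tag survives inside the row body (which is where the name went).
function rowInjectsMarkup(row) {
  const body = row.slice('<li class="file">'.length, -'</li>'.length);
  return /<[a-zA-Z]/.test(body);
}

console.log('unsafe row injects markup:', rowInjectsMarkup(renderRowUnsafe(HOSTILE_NAME)));
console.log('safe row injects markup:  ', rowInjectsMarkup(renderRowSafe(HOSTILE_NAME)));
```

In a real page the simpler fix is to never build HTML strings from filenames at all and assign them with `textContent` on a created element instead; the escaping function is what you need when a string-templating path cannot be avoided.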
## Filesystem dump
I have JavaScript code execution with the USB XSS and Chrome inspection on port `9222`. I chose to use the Chrome inspector method as it seemed easier and faster to work with. **Robin** seemed to point me in the direction of accessing `file:///`, as that is what the TV is already doing with some of the tabs. I cannot change the address to a file path by any means, as issues arise. I found a way to bypass this by using JavaScript's `XMLHttpRequest` class to make a local request. This could also read files, but would spew out corrupted strings due to unprintable characters.
I ended up writing a filesystem structure mapper in Python that maps out the whole filesystem by calling `XMLHttpRequest` with JavaScript and parsing the response to tell what files are in which directory and each file's size. After that was all handled, I rewrote my load function to take the response from `XMLHttpRequest`, turn every byte into the hex representation of that byte, and return a long string for any file stream. (I normally do not edit writeup files in post, but I understand I could have used base64 or anything else for this; I did not know better at the time.) I then went through the whole filesystem I had mapped out previously and sent the whole TV filesystem over websocket. This includes binaries (maybe they will come in handy at some point).
![USB filename xss](img/vQ9bn.png "vQ9bn.png")
## Requires more research
I found a non-standard JavaScript function/class that does something native. `TV_JSP` seems to be an object that needs to be initialized with no arguments. `TV_JSP` returns `NJSEPluginFunction() { [native code] }`, whereas `new TV_JSP()` returns `NJSEPluginObject {}`.
After going through the filesystem dump I found a few JavaScript files that use this function with different function calls as part of the object, such as `getTvJspService().tvServices.appOpen(name, url, 1)`.
There is also a `MtvObjRaw` object that shows up sometimes which I do not really understand yet. It seems to be related to `TV_JSP` and has some functions defined to help with the native bindings.
Currently I do not know how to find the function names or how they work, as I only really understand some of the JavaScript files that use it. I did a scan through all binary files and it seems to lead me towards `/3rd/browser_engine/opera_dir/jsplugins/tvapi_jsplugin.so`, but I have no tools or knowledge to understand what to do with this. I have plans for other projects that may involve reverse engineering, so I may revisit this at a later point in time.