CVE-2020-27402
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SICK-2020-004 SICK-2020-005
-
Hindotech, Shenzhen Hindo Technology Co.,Ltd
-
Hindotech, Hong Kong Hindo Technology Co.,Ltd
HK1 Box S905X3 TV Box
HK1_X3_S905X3_4BIT_V11_2019-11-05
The HK1 Box S905X3 TV Box contains a vulnerability that allows a local unprivileged user, such as a malicious APK, to escalate to root using the /system/xbin/su binary. While connected to the device through the serial port (UART), or while using adb as an unprivileged user, the local attacker can execute the /system/xbin/su binary and execute arbitrary code as root, steal social networking account tokens, WiFi passwords, cookies, saved passwords, user location data, message history, emails, or contacts, etc.
A local attacker using adb, or a physical attacker connecting to the device through the UART serial debugging port, is dropped into a shell as the "shell" user without entering a username or password.
Once logged in as the "shell" user, the attacker can escalate to root using the /sbin/su binary which is group executable (750), or /system/xbin/su which is executable by all users (755).
In order to use the device in its intended way, victims are encouraged to sign-in to all of their favorite TV, email, music, and social networking related apps & accounts.
An attacker can steal any social networking account cookies or session tokens, read saved passwords, reveal user location data, emails, message history, contacts, or use the HK1 Box maliciously to sniff other devices on the same network, usually in a home networking environment.
For example, once root, the network WiFi password can be read in plain text at /data/misc/wifi/WifiConfigStore.xml.
- 2020-09-20 - Vulnerability identified & researcher prepares report
- 2020-09-21 - Researcher unable to reach (502 error) manufacturers website hindotech.com
- 2020-09-22 - Researcher submits draft advisory to Amlogic instead (No response, not the vendor.)
- 2020-10-09 - Researcher still unable to reach (502 error) manufacturers website.
- 2020-10-09 - Researcher submits draft advisory to Shenzhen Hindo Technology Co.,Ltd. email
- 2020-10-12 - Researcher still unable to reach (502 error) manufacturers website.
- 2020-10-12 - Researcher receives no response from anyone and publishes research.
- 2020-11-03 - CVE assigned CVE-2020-27402
@sickcodes - https://twitter.com/sickcodes/
https://sick.codes/sick-2020-004/
https://github.com/sickcodes/security/blob/master/advisories/SICK-2020-004.md
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27402
https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27402
http://hindotech.com/ [DELETED]
https://threatpost.com/authentication-bug-android-smart-tv-data-theft/160025/
https://www.cybersecurity-help.cz/vdb/SB2020101404
https://www.securitylab.ru/news/513051.php
Connect via adb or using the UART serial port:
whoami
# shell
/system/xbin/su
whoami
# root
grep PreSharedKey /data/misc/wifi/WifiConfigStore.xml
# <string name="PreSharedKey">"WIFIPASSWORD"</string>
Connect via adb or using the UART serial port:
whoami
# shell
/system/xbin/su
whoami
# root
chmod 700 /system/xbin/su
chmod 700 /sbin/su
exit
exit