Thursday, May 03, 2012

Researcher Causes Endless Restart Loop on Samsung TV's

Italian security researcher Luigi Auriemma was trying to play a trick on his brother when he accidentally discovered two vulnerabilities in all current versions of Samsung TVs and Blu-Ray systems that could allow an attacker to gain remote access to those devices.
Auriemma claims that the vulnerabilities will affect all Samsung devices with support for remote controllers, and that the vulnerable protocol is on both TVs and Blu-Ray enabled devices.
One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow.

Auriemma discovered the issues accidentally. He told Threatpost via email that he was trying to play a trick on his brother. He only wanted to send a remote controller request with a funny message, but he ended up nearly destroying the TV.
To exploit Auriemma’s vulnerabilities requires only that the devices are connected to a wi-fi network.
As background, Auriemma explains that when the device receives a controller packet it displays message informing users that a new ‘remote’ has been detected, and prompts the user to ‘allow’ or ‘deny’ access. Included with this remote packet is a string field used for the name of device. Auriemma found that if he altered the name string to contain line feed and other invalid characters, the device would enter an endless loop.
Auriemma claims that nothing really happens for the first five seconds, but then he lost control of the TV, both manually on the control panel and with the remote. Then after another five seconds, he claims, the TV automaticall restarts. Then the process repeats itself forever, even after unplugging the TV. Eventually, Auriemma managed to reset the TV in service mode. He writes that users can avoid the situation altogether by hitting ‘exit’ when prompted to ‘allow’ or ‘deny’ the new remote device.
As for the buffer overflow, Auriemma determined that he could crash devices by setting the MAC address to a long string. He is only guessing that this is a buffer overflow vulnerability, and he told Threatpost via email that the vulnerability would be much more “attractive” if it was in fact a buffer overflow vulnerability.
“The bugs have been tested on a d6000 and d6050 TV, but it's highly possible that many of the Samsung devices supporting this protocol are vulnerable because d6xxx is a recent TV and usually these 'core' components are like libraries shared with other devices that make use of the same protocol,” he said via email.
Auriemma claims there is no fix for these bugs because he was unable to report the bugs to Samsung. He has also received no word from Samsung. He claims that Samsung doesn’t even have a channel through which to report these types of bugs.

No comments: