https://threatpost.com/en_us/blogs/researcher-causes-endless-restart-loop-samsung-tvs-042412
Italian security researcher Luigi Auriemma was trying to play a trick
on his brother when he accidentally discovered two vulnerabilities in
all current versions of Samsung TVs and Blu-Ray systems that could allow
an attacker to gain remote access to those devices.
Auriemma claims
that the vulnerabilities will affect all Samsung devices with support
for remote controllers, and that the vulnerable protocol is on both TVs
and Blu-Ray enabled devices.
One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow.
Auriemma discovered the issues accidentally. He told Threatpost via
email that he was trying to play a trick on his brother. He only wanted
to send a remote controller request with a funny message, but he ended
up nearly destroying the TV.
To exploit Auriemma’s vulnerabilities requires only that the devices are connected to a wi-fi network.
As
background, Auriemma explains that when the device receives a
controller packet it displays message informing users that a new
‘remote’ has been detected, and prompts the user to ‘allow’ or ‘deny’
access. Included with this remote packet is a string field used for the
name of device. Auriemma found that if he altered the name string to
contain line feed and other invalid characters, the device would enter
an endless loop.
Auriemma claims that nothing really happens for
the first five seconds, but then he lost control of the TV, both
manually on the control panel and with the remote. Then after another
five seconds, he claims, the TV automaticall restarts. Then the process
repeats itself forever, even after unplugging the TV. Eventually,
Auriemma managed to reset the TV in service mode. He writes that users
can avoid the situation altogether by hitting ‘exit’ when prompted to
‘allow’ or ‘deny’ the new remote device.
As for the buffer
overflow, Auriemma determined that he could crash devices by setting the
MAC address to a long string. He is only guessing that this is a buffer
overflow vulnerability, and he told Threatpost via email that the
vulnerability would be much more “attractive” if it was in fact a buffer
overflow vulnerability.
“The bugs have been tested on a d6000 and
d6050 TV, but it's highly possible that many of the Samsung devices
supporting this protocol are vulnerable because d6xxx is a recent TV and
usually these 'core' components are like libraries shared with other
devices that make use of the same protocol,” he said via email.
Auriemma
claims there is no fix for these bugs because he was unable to report
the bugs to Samsung. He has also received no word from Samsung. He
claims that Samsung doesn’t even have a channel through which to report
these types of bugs.
