A critical bug in the Hindotech HK1 TV Box would allow root-privilege escalation thanks to improper access control. A successful exploit would allow attackers to steal social-networking account tokens, Wi-Fi passwords, cookies, saved passwords, user-location data, message history, emails, contacts and more, researchers said.

The bug, which is awaiting a CVE assignment, comes in at 9.3 out of 10 on the CVSS severity scale, according to researchers at Sick.Codes, a security resource for developers.

The HK1 Box S905X3 TV Box is an Android-based streaming box that plugs into a TV and allows users to access YouTube, Netflix and other streaming content “over-the-top,” i.e., without a cable subscription. Users can also sign into their favorite email, music and social-networking-related apps for a full “smart TV” experience. It retails for under $100.

The vulnerability would allow a local, unprivileged user to escalate to root, the Sick.Codes team said in a posting this week. At issue is a lack of authentication when it comes to the debugging functions of the set-top – specifically, when connected to the device through the serial port (UART), or while using the Android Debug Bridge (adb), as an unprivileged user.

adb is a versatile command-line tool that lets users communicate with a device. It facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that can be used to run a variety of commands on a device.

“A local attacker using adb, or a physical attacker connecting to the device through the UART serial debugging port, is dropped into a shell as the ‘shell’ user without entering a username or password,” researchers explained. “Once logged in as the ‘shell’ user, the attacker can escalate to root using the /sbin/su binary which is group executable (750), or /system/xbin/su which is executable by all users (755).”
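As an added example (not code from Sick.Codes or the vendor), the script below reports whether the two su paths named in the researchers' statement exist under a filesystem root and who may execute them. The function names and the optional root argument, which lets it run against an unpacked firmware image instead of a live device, are assumptions of this example.

```shell
#!/bin/sh
# Audit check for the su binaries named in the advisory.
# Usage: sh audit_su.sh [ROOT]   (ROOT defaults to /, e.g. when run on the device;
# pass the directory of an extracted firmware image to audit it offline.)

# exec_scope FILE -> prints all-users | group | owner-only,
# derived from the permission string that `ls -l` prints for FILE.
exec_scope() {
    # -L follows symlinks so a link to su reports the target's mode.
    perms=$(ls -ldL "$1" | cut -c1-10)
    # Character 10 is the "other" execute bit (x, or t when sticky is also set).
    case "$(printf '%s' "$perms" | cut -c10)" in
        x|t) echo "all-users"; return 0 ;;
    esac
    # Character 7 is the group execute bit (x, or s when setgid is also set).
    case "$(printf '%s' "$perms" | cut -c7)" in
        x|s) echo "group" ;;
        *)   echo "owner-only" ;;
    esac
}

# audit_su ROOT -> one line per su binary found: "<path> <scope>".
# No output means neither path exists under ROOT.
audit_su() {
    root=${1%/}
    for rel in sbin/su system/xbin/su; do
        f="$root/$rel"
        [ -f "$f" ] || continue
        echo "/$rel $(exec_scope "$f")"
    done
    return 0
}

audit_su "${1:-/}"
```

On a device matching the advisory, the expected report is `group` for /sbin/su (mode 750) and `all-users` for /system/xbin/su (mode 755); any su reachable by the `shell` user is the finding to remediate.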

Once endowed with root privileges, the attacker can view any of the information for the apps the user is signed into – paving the way for stealing access tokens, passwords, contacts and messages and more. Attackers could also use the HK1 Box maliciously to sniff other devices on the same network, usually in a home-networking environment, according to the analysis.

“For example, once root, the network Wi-Fi password can be read in plain text at /data/misc/wifi/WifiConfigStore.xml,” researchers explained.

Thus far, the issue has not been addressed.

The vendor for the device is the Shenzhen Hindo Technology Co., Ltd., based just outside of Hong Kong. The researchers were unable to contact the company (and its website, www.hindotech.com, was down as of the time of writing). Instead, the researchers submitted a draft advisory to Amlogic, which shares branding with the device in the States – and received no response.

Threatpost has tried to contact Shenzhen Hindo but has been unsuccessful in reaching the company.


Authentication Bug Opens Android Smart-TV Box to Data Theft