The streaming box allows arbitrary code execution as root, paving the way to pilfering social-media tokens, passwords, messaging history and more.
A critical bug in the Hindotech HK1 TV Box would allow root-privilege escalation thanks to improper access control. A successful exploit would allow attackers to steal social-networking account tokens, Wi-Fi passwords, cookies, saved passwords, user-location data, message history, emails, contacts and more, researchers said.
The bug, which is awaiting a CVE assignment, comes in at 9.3 out of 10 on the CVSS severity scale, according to researchers at Sick.Codes, a security resource for developers.
The HK1 Box S905X3 TV Box is an Android-based streaming box that plugs into a TV and allows users to access YouTube, Netflix and other streaming content “over-the-top,” i.e., without a cable subscription. Users can also sign into their favorite email, music and social-networking-related apps for a full “smart TV” experience. It retails for under $100.
The vulnerability would allow a local, unprivileged user to escalate to root, the Sick.Codes team said in a posting this week. At issue is a lack of authentication when it comes to the debugging functions of the set-top – specifically, when connected to the device through the serial port (UART), or while using the Android Debug Bridge (adb), as an unprivileged user.
adb is a versatile command-line tool that lets users communicate with a device. It facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that can be used to run a variety of commands on a device.
“A local attacker using adb, or a physical attacker connecting to the device through the UART serial debugging port, is dropped into a shell as the ‘shell’ user without entering a username or password,” researchers explained. “Once logged in as the ‘shell’ user, the attacker can escalate to root using the /sbin/su binary which is group executable (750), or /system/xbin/su which is executable by all users (755).”
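The permission modes quoted above decide which accounts can run each su binary. As an added example (not code from the Sick.Codes advisory or the vendor), this shell sketch applies the Unix owner/group/other rule to the mode and ownership an auditor records for each binary; the owner and group values, the `u0_a42` account and the function names are assumptions.

```shell
#!/bin/sh
# Added example: which su binaries can a given account execute?

# can_exec MODE OWNER GROUP USER "USER_GROUPS" -> prints yes or no.
# Unix checks exactly one class: owner first, then group, then other.
can_exec() {
    ce_perm=$(( 0$1 & 0777 ))          # octal mode; setuid/setgid bits dropped
    if [ "$4" = "$2" ]; then
        ce_bit=$(( ce_perm & 0100 ))   # owner execute bit
    else
        case " $5 " in
            *" $3 "*) ce_bit=$(( ce_perm & 0010 )) ;;  # group execute bit
            *)        ce_bit=$(( ce_perm & 0001 )) ;;  # other execute bit
        esac
    fi
    [ "$ce_bit" -ne 0 ] && echo yes || echo no
}

# audit_su USER "USER_GROUPS" reads records "PATH MODE OWNER GROUP" on stdin
# and prints every path that account is allowed to execute.
audit_su() {
    while read -r as_path as_mode as_owner as_group; do
        [ -z "$as_path" ] && continue
        if [ "$(can_exec "$as_mode" "$as_owner" "$as_group" "$1" "$2")" = yes ]; then
            echo "$as_path"
        fi
    done
}

# Constructed records. The paths and modes are the ones quoted in the article;
# owner and group are assumptions, because the article does not state them.
sample_records() {
    cat <<'EOF'
/sbin/su 750 root shell
/system/xbin/su 755 root root
EOF
}

echo "Executable by shell (member of group shell):"
sample_records | audit_su shell "shell"
echo "Executable by hypothetical app account u0_a42:"
sample_records | audit_su u0_a42 "u0_a42 inet"
echo "Would mode 700 root:root still be executable by shell?"
can_exec 700 root root shell "shell"
```

On a real device the records would come from listing the two paths over an authorized debug session; a build that ships no su binary, or one that only root may execute, produces an empty result for the shell account.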
Once endowed with root privileges, the attacker can view any of the information for the apps the user is signed into – paving the way for stealing access tokens, passwords, contacts and messages and more. Attackers could also use the HK1 Box maliciously to sniff other devices on the same network, usually in a home-networking environment, according to the analysis.
“For example, once root, the network Wi-Fi password can be read in plain text at /data/misc/wifi/WifiConfigStore.xml,” researchers explained.
Thus far, the issue has not been addressed.
The vendor for the device is the Shenzhen Hindo Technology Co., Ltd., based just outside of Hong Kong. The researchers were unable to contact the company (and its website, www.hindotech.com, was down as of the time of writing). Instead, the researchers submitted a draft advisory to Amlogic, which shares branding with the device in the States – and received no response.
Threatpost has tried to contact Shenzhen Hindo but has been unsuccessful in reaching the company.