Code Execution on Vizio Smart TV from a USB Drive
The Vizio TV is vulnerable to code execution using a malicious USB device drive-by attack. The Vizio TV does not appropriately segregate the internal web root and USB drive mount location. A threat actor can leverage this weakness to access custom web files including CGI files, that can be leveraged for code execution. A threat actor on the local network can walk up to a Vizio TV, insert a USB drive for a second, and walk away with platform-level code execution to launch further attacks on any connected network.
The researcher created a USB drive which contained a native executable payload, and a CGI file which executes the payload.
USB drive contents
A static bind shell and CGI file to execute the bind shell are placed on a USB drive.
The USB was inserted into the TV where it was mounted inside the web root. The researcher used the 'Cast All The Things' python library to cast the internal application to the TV, launching the CGI file, and executing the payload.
catt -d TestTV cast_site "http://127.0.0.1:12345/usbparts/sda1/bind.cgi
Once the script executed, the researcher was able to connect to the payload and execute commands as the root user.
Code execution on 2017 E50x-E1