Code Execution on Vizio Smart TV from a USB Drive

Unranked
Advisory ID: L9-44-477
Published: June 28, 2021
Updated: August 19, 2021
Category: Command Injection
Vendor: Vizio
Product: 2018 P65-F1, 2017 E50x-E1
Version: 6.0.31.4-2, 10...0.31.4-2

Risk Summary

The Vizio TV is vulnerable to code execution via a malicious USB device in a drive-by attack. The TV does not appropriately segregate the internal web root from the USB drive mount location. A threat actor can leverage this weakness to access custom web files, including CGI files, which can then be leveraged for code execution. A threat actor on the local network can walk up to a Vizio TV, insert a USB drive for a second, and walk away with platform-level code execution from which to launch further attacks on any connected network.

Technical Details

The researcher created a USB drive which contained a native executable payload, and a CGI file which executes the payload.

USB drive contents

A static bind shell and CGI file to execute the bind shell are placed on a USB drive.

The USB drive was inserted into the TV, where it was mounted inside the web root. The researcher used the 'Cast All The Things' (catt) Python library to cast the internal application to the TV, launching the CGI file and executing the payload.

catt -d TestTV cast_site "http://127.0.0.1:12345/usbparts/sda1/bind.cgi"

Once the script executed, the researcher was able to connect to the payload and execute commands as the root user.
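The weakness in the risk summary is a missing boundary between the web root and the removable-media mount, so a request path like /usbparts/sda1/bind.cgi resolves onto attacker-controlled files and the server treats them as executable CGI. The following is an added illustration written for this advisory, not Vizio firmware code: a path policy an embedded HTTP server could apply before serving or executing a file (reject anything that resolves onto removable media, and refuse CGI there outright), plus a scan over constructed access-log lines to flag requests that reached the mount. The web root /var/www, the mount point /var/www/usbparts, and the log format are assumptions.

```python
"""Path policy for an embedded HTTP server: refuse to serve or execute
anything that resolves onto removable media, and flag such requests in logs.

Added example for this advisory; not Vizio's code. WEB_ROOT, the mount
point, and the log format are constructed assumptions.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

WEB_ROOT = "/var/www"                      # assumed web root
REMOVABLE_MOUNTS = ("/var/www/usbparts",)  # assumed: USB mounted *inside* the web root, as the advisory describes


def _under(path, parent):
    """True if a normalized path equals parent or lies below it."""
    parent = parent.rstrip("/")
    return path == parent or path.startswith(parent + "/")


def resolve(url_path, web_root=WEB_ROOT):
    """Map a request path to a filesystem path; None if it escapes the web root."""
    raw = unquote(urlsplit(url_path).path)  # drop any ?query, decode %2e%2e and %2f
    fs_path = posixpath.normpath(posixpath.join(web_root, raw.lstrip("/")))
    return fs_path if _under(fs_path, web_root) else None


def decide(url_path, web_root=WEB_ROOT, removable=REMOVABLE_MOUNTS):
    """Serving policy: static files and CGI under the root are allowed;
    anything that resolves onto removable media is refused, CGI especially."""
    fs_path = resolve(url_path, web_root)
    if fs_path is None:
        return "deny:traversal"
    if any(_under(fs_path, m) for m in removable):
        return "deny:removable-cgi" if fs_path.endswith(".cgi") else "deny:removable"
    return "exec:cgi" if fs_path.endswith(".cgi") else "serve:static"


# Detection side: which logged requests resolved onto the removable mount?
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_requests(log_lines, removable=REMOVABLE_MOUNTS, web_root=WEB_ROOT):
    """Return (request path, status) for log lines whose path hits removable media,
    after the same normalization the server applies (so encoded traversal counts)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        fs_path = resolve(m["path"], web_root)
        if fs_path and any(_under(fs_path, r) for r in removable):
            hits.append((m["path"], int(m["status"])))
    return hits


SAMPLE_LOG = [  # constructed sample lines in common log format
    '127.0.0.1 - - [28/Jun/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '127.0.0.1 - - [28/Jun/2021:10:00:02 +0000] "GET /usbparts/sda1/bind.cgi HTTP/1.1" 200 0',
    '127.0.0.1 - - [28/Jun/2021:10:00:03 +0000] "GET /static/..%2fusbparts/sda1/bind.cgi HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for p in ("/index.html", "/cgi-bin/status.cgi", "/usbparts/sda1/bind.cgi", "/../etc/passwd"):
        print(f"{p:28} -> {decide(p)}")
    print(suspicious_requests(SAMPLE_LOG))
```

The policy check is defense in depth only: the structural fix is to mount removable media outside the web root entirely (and with noexec), so that no request path can resolve onto it. Note that the detection pass normalizes paths the same way the server does, so an encoded "..%2f" detour into the mount is caught as well as the direct path.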

Code execution on 2017 E50x-E1

Code execution on 2018 P65-F1
