Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion
Title: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion
Advisory ID: ZSL-2020-5612
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 02.12.2020
Ubuntu
NodeJS
Express
[15.10.2020] Submitted to Sony via Hackerone.
[20.11.2020] Vendor states that the vulnerabilities are just informative and that all the issues are working as intended.
[02.12.2020] Public security advisory released.
[2] https://packetstormsecurity.com/files/160345/
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/192605
[4] https://cxsecurity.com/issue/WLB-2020120030
[5] https://research-labs.net/search/exploits/sony-bravia-digital-signage-178-unauthenticated-remote-file-inclusion
[17.12.2020] - Added reference [1], [2], [3], [4] and [5]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2020-5612
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 02.12.2020
Summary
Sony's BRAVIA Signage is an application to deliver video and still images to Pro BRAVIAs and manage the information via a network. Features include management of displays, power schedule management, content playlists, scheduled delivery management, content interrupt, and more. This cost-effective digital signage management solution is ideal for presenting attractive, informative visual content in retail spaces and hotel reception areas, visitor attractions, educational and corporate environments.Description
BRAVIA digital signage is vulnerable to a remote file inclusion (RFI) vulnerability by including arbitrary client-side dynamic scripts (JavaScript, VBScript, HTML) when adding content though the input URL material of type html. This allows hijacking the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display.Vendor
Sony Electronics Inc. - https://pro.sonyAffected Version
<=1.7.8Tested On
Microsoft Windows Server 2012 R2Ubuntu
NodeJS
Express
Vendor Status
[20.09.2020] Vulnerability discovered.[15.10.2020] Submitted to Sony via Hackerone.
[20.11.2020] Vendor states that the vulnerabilities are just informative and that all the issues are working as intended.
[02.12.2020] Public security advisory released.
PoC
sonybravia_rfi.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.exploit-db.com/exploits/49186[2] https://packetstormsecurity.com/files/160345/
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/192605
[4] https://cxsecurity.com/issue/WLB-2020120030
[5] https://research-labs.net/search/exploits/sony-bravia-digital-signage-178-unauthenticated-remote-file-inclusion
Changelog
[02.12.2020] - Initial release[17.12.2020] - Added reference [1], [2], [3], [4] and [5]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk