Abstract
Media playback functionality is essential to any Smart TV (STV). Common features such as the built-in media player, video-on-demand apps, or the web browser build upon this functionality, which is often implemented in the form of a central media playback system. The processing of media files is a complex task, however, and without appropriate protection measures, vulnerabilities in this component can lead to the complete compromise of the STV. This chapter presents two vulnerabilities and corresponding PoC exploits that are able to fully compromise all previous STV generations from a major vendor.
Notes
1. The update was released in late June.
References
Adobe. Real-time messaging protocol (RTMP) specification. http://www.adobe.com/devnet/rtmp.html.
ARM. ELF for the ARM architecture, Nov. 2012. http://infocenter.arm.com/help/topic/com.arm.doc.ihi0044e/IHI0044E_aaelf.pdf.
F. Bellard et al. QEMU open source processor emulator. http://www.qemu.org.
A. Blanda. Fuzzing the media framework in Android. Presented at the Android Builders Summit, San Jose, USA, Mar. 2015. http://events.linuxfoundation.org/sites/events/files/slides/ABS2015.pdf.
J. Bramley. Caches and self-modifying code. Blog post, ARM Connected Community, Feb. 2010. http://community.arm.com/groups/processors/blog/2010/02/17/caches-and-self-modifying-code.
S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS ’10, pages 559–572, NY, USA, 2010. ACM.
DLNA organization. Digital Living Network Alliance (DLNA). http://www.dlna.org.
ETSI. Hybrid Broadcast Broadband TV (TS 102 796 V1.2.1). European Telecommunications Standards Institute, Nov. 2012.
FFmpeg. FFmpeg releases. http://ffmpeg.org/releases/.
FFmpeg. The libavformat library. http://www.ffmpeg.org/libavformat.html.
Google. Android media: Stagefright. http://source.android.com/devices/media.html.
Google. Android TV, 2015. http://www.android.com/tv/.
HbbTV Association. HbbTV 2.0 specification. Feb. 2015. https://www.hbbtv.org/pages/about_hbbtv/specification-2.php.
T. Klein. A Bug Hunter’s Diary. A Guided Tour Through the Wilds of Software Security. No Starch Press, 1st edition, Nov. 2011.
N. Klopfenstein. Linux/ARM – connect back /bin/sh. http://shell-storm.org/shellcode/files/shellcode-754.php.
S. Krahmer. x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique, 2005. http://users.suse.com/~krahmer/no-nx.pdf.
LG. Opensource code distribution. http://opensource.lge.com/osSch/list?types=ALL&search=8609.
Linux kernel documentation. SECure COMPuting with filters. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt.
Linux Programmer’s Manual. backtrace – support for application self-debugging (BACKTRACE(3)). http://man7.org/linux/man-pages/man3/backtrace.3.html.
H. Ma and G. Qiuying. Design of functions in Smart TV: A survey study of user acceptance on Smart TV functions, 2014. http://www.diva-portal.org/smash/get/diva2:743729/FULLTEXT01.pdf.
M. Melanson. 4xm format. MultimediaWiki, Dec. 2003. http://wiki.multimedia.cx/index.php?title=4xm_Format.
B. Michéle and A. Karpow. Watch and be watched: Compromising all Smart TV generations. In Proceedings of the 11th Consumer Communications and Networking Conference (CCNC), pages 351–356. IEEE, Jan. 2014.
Microsoft. Microsoft media server (MMS) protocol. https://msdn.microsoft.com/en-us/library/cc234711.aspx.
H. Schmundt. Smart-TV. Glotze glotzt zurück. Der Spiegel, 8/2014. http://www.spiegel.de/spiegel/print/d-125080841.html.
H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson. RTP: A transport protocol for real-time applications, July 2003. RFC3550.
Sony. Source code distribution service, R4 series. http://oss.sony.net/Products/Linux/TV/KDL-40R483B.html.
Sony. Source code distribution service, W series. http://oss.sony.net/Products/Linux/TV/KDL-32W705B.html.
Appendix
The exploits presented in this chapter are tailored for Samsung STVs, most of which are powered by ARM CPUs. The Linux OS on these devices executes binaries conforming to the common Executable and Linkable Format (ELF) for ARM [2]. An ELF file consists of a header and various sections containing instructions, data, a symbol table, etc.
TEXT: The TEXT section contains the executable instructions of the program or library. It is usually mapped to memory with read and execute—but not write—permissions. The entire section can be relocated if the contained code is position-independent.
GOT: Shared libraries can be loaded to (almost) arbitrary addresses in the virtual address space of a process at runtime. Access to functions and data from other shared libraries (imported symbols) therefore cannot rely on absolute addresses. Instead, the corresponding addresses are resolved and stored in the Global Offset Table (GOT).
PLT: A function calls an imported function by jumping into the corresponding function stub in the Procedure Linkage Table (PLT). This function stub loads the resolved absolute address from the GOT to the program counter, i.e., jumps to the imported function. If the address hadn’t been resolved previously, the GOT entry contains the address of a resolver function.
BSS: The BSS section is typically used for statically allocated variables that are initialized with zero and filled with data during runtime.
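The section layout described above can be checked statically. The following is an added example, not code from the chapter: it reads the section header table of a little-endian ELF32 image and reports each section's flags, listing any section marked both writable and executable. The function names and the inline sample image are assumptions constructed for illustration.

```python
import struct

SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4
EM_ARM = 40
EHDR, SHDR = "<16sHHIIIIIHHHHHH", "<10I"   # ELF32 little-endian header layouts

def build_sample(extra_flags=0):
    """Constructed sample input: ELF header, string table and section headers only."""
    secs = [(".text", 1, SHF_ALLOC | SHF_EXECINSTR | extra_flags),
            (".plt", 1, SHF_ALLOC | SHF_EXECINSTR),
            (".got", 1, SHF_ALLOC | SHF_WRITE),
            (".bss", 8, SHF_ALLOC | SHF_WRITE),      # SHT_NOBITS: zero-filled at load
            (".shstrtab", 3, 0)]
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n, _, _ in secs)
    shoff = 52 + len(strtab)
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    ehdr = struct.pack(EHDR, ident, 3, EM_ARM, 1, 0, 0, shoff, 0,
                       52, 0, 0, 40, len(secs) + 1, len(secs))
    shdrs = bytes(40)                                # index 0 is the null section
    for name, typ, flags in secs:
        off, size = (52, len(strtab)) if name == ".shstrtab" else (0, 0)
        shdrs += struct.pack(SHDR, strtab.index(name.encode()), typ, flags,
                             0, off, size, 0, 0, 1, 0)
    return ehdr + strtab + shdrs

def section_perms(image):
    """Return (e_machine, {section name: flag string}) from the section header table."""
    if len(image) < 52 or image[:4] != b"\x7fELF" or image[4:6] != b"\x01\x01":
        raise ValueError("not a little-endian ELF32 image")
    h = struct.unpack_from(EHDR, image)
    machine, shoff, shentsize, shnum, shstrndx = h[2], h[6], h[11], h[12], h[13]
    if shentsize < 40 or shstrndx >= shnum or shoff + shnum * shentsize > len(image):
        raise ValueError("section header table is malformed or truncated")
    raw = [struct.unpack_from(SHDR, image, shoff + i * shentsize) for i in range(shnum)]
    names = image[raw[shstrndx][4]:raw[shstrndx][4] + raw[shstrndx][5]]
    perms = {}
    for name_off, _typ, flags, *_rest in raw[1:]:
        name = names[name_off:names.index(b"\0", name_off)].decode()
        # SHF_ALLOC is shown as "r": the section is loaded, hence readable
        perms[name] = "".join(c if flags & bit else "-" for c, bit in
                              (("r", SHF_ALLOC), ("w", SHF_WRITE), ("x", SHF_EXECINSTR)))
    return machine, perms

def writable_and_executable(perms):
    """Sections flagged both writable and executable, which the usual TEXT mapping avoids."""
    return sorted(n for n, p in perms.items() if "w" in p and "x" in p)
```

Section flags record the linker's intent; the loader maps memory from the program headers, so this is a static check of the file rather than of a running process.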
Copyright information
© 2015 The Author(s)
Cite this chapter
Michéle, B. (2015). Media Playback System. In: Smart TV Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-20994-4_2
DOI: https://doi.org/10.1007/978-3-319-20994-4_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-20993-7
Online ISBN: 978-3-319-20994-4
eBook Packages: Computer Science (R0)