
DNS rebinding and CSRF vulnerabilities on Samsung TV DIAL implementation


I found a DNS rebinding vulnerability as well as a Cross Site Request Forgery (CSRF) vulnerability in the DIAL (Discovery And Launch) implementation of the Samsung TV UE40F6320 (v1.0), from 2011. This can be used to open any installed application (e.g. Netflix and YouTube) and force the visualisation of a given video in those applications.

Description

DIAL (Discovery And Launch) is a protocol for controlling second screen devices: the idea is that you trigger the playback of some video on your smart TV (the first screen) from your mobile phone or computer (the second screen).

The DIAL implementation in the Samsung TV UE40F6320 is vulnerable to both DNS rebinding and CSRF attacks. A malicious web server can trick the browser of a computer on the same LAN as the Samsung TV into opening applications on the Samsung TV (e.g. Netflix, YouTube). In particular, it is possible to force the rendering of a given YouTube video.

In contrast to the UPnP vulnerabilities previously reported, this interface is not subject to the per-IP address ACL.

Starting a Netflix video

CSRF payload (Netflix):

fetch("http://192.168.1.18:80/ws/app/Netflix", {method: "POST", "body": ""})

Starting a Youtube video

For the Youtube application, we can force the rendering of a video:

fetch("http://192.168.1.18/ws/app/YouTube", {method: "POST", "body": "v=dQw4w9WgXcQ"})

This could be quite creepy.

Demo

Update: this demo is currently broken on recent browsers because of mixed content protection since I moved this site to HTTPS. On Firefox and Chromium, you can temporarily enable mixed content for this website.

Warning

Pressing the button below will try to open a Youtube video by sending a DIAL request to each host in 192.168.1.0/24. Depending on your local network, someone might not find it very funny.

Mitigation

The DNS rebinding attack could be mitigated by enforcing the value of the Host header.

The CSRF vulnerability could probably be mitigated by filtering on the Origin header (effective for recent browsers only), as discussed in the DIAL v2 specification. Alternatively, the Application-URL could include a random token in order to prevent an attacker from guessing it.
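One way to implement the three mitigations above on the TV side (Host check, Origin check, random token in the Application-URL), written here as an added example that is neither Samsung's code nor part of the DIAL specification; the IP address and port are the ones from the payloads above, and the path layout /ws/app/<token>/<app> is an assumption of this example:

```python
import hmac
import secrets
from urllib.parse import urlsplit

# The TV is assumed to serve DIAL on DEVICE_IP:DEVICE_PORT (constructed values,
# taken from the payloads above). APP_TOKEN is assumed to be generated at boot
# and advertised only in the device description fetched via SSDP discovery,
# so a client that merely guessed the TV's IP address does not know it.
DEVICE_IP = "192.168.1.18"
DEVICE_PORT = 80
APP_TOKEN = secrets.token_urlsafe(16)

def _normalize(netloc):
    """Lower-case a host[:port] value and drop an explicit default port."""
    netloc = netloc.strip().lower()
    if netloc.endswith(":80"):
        netloc = netloc[:-3]
    return netloc

def app_url(app_name, token=None):
    """Application-URL with the random token, e.g. /ws/app/<token>/YouTube."""
    return f"/ws/app/{token or APP_TOKEN}/{app_name}"

def check_dial_request(method, path, headers, token=None):
    """Return (allowed, reason-or-app). Refuses DNS rebinding (Host mismatch),
    browser CSRF (foreign Origin) and blind guesses of the launch URL."""
    token = token or APP_TOKEN
    expected = _normalize(f"{DEVICE_IP}:{DEVICE_PORT}")
    h = {k.lower(): v for k, v in headers.items()}
    # 1. DNS rebinding: the attacker's hostname resolves to the TV, but the
    #    browser still sends that hostname in Host, which does not match.
    if _normalize(h.get("host", "")) != expected:
        return False, "host-mismatch"
    # 2. CSRF: browsers add Origin to cross-site POSTs, native DIAL clients
    #    do not; any Origin other than the device itself is refused (DIAL v2).
    origin = h.get("origin")
    if origin is not None and _normalize(urlsplit(origin).netloc) != expected:
        return False, "foreign-origin"
    # 3. Unguessable Application-URL: /ws/app/<token>/<app>, compared in
    #    constant time so the token cannot be recovered byte by byte.
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[:2] != ["ws", "app"]:
        return False, "bad-path"
    if not hmac.compare_digest(parts[2], token):
        return False, "bad-token"
    if method.upper() != "POST":
        return False, "method-not-allowed"
    return True, parts[3]
```

With these checks the two fetch() payloads above fail on the Origin check in a browser and on the missing token from any other client, while a legitimate DIAL client that learned the Application-URL through discovery is still accepted.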
