DNS rebinding and CSRF vulnerabilities in the Samsung TV DIAL implementation
I found a DNS rebinding vulnerability and a Cross-Site Request Forgery (CSRF) vulnerability in the DIAL (Discovery And Launch) implementation of the Samsung TV UE40F6320 (v1.0), from 2011. Either one can be used to open any installed application (e.g. Netflix or YouTube) and to force a chosen video to be played inside that application.
Description
DIAL (Discovery And Launch) is a protocol that lets a second-screen device discover and launch applications on a first-screen device: the idea is that you trigger the playback of some video on your smart TV (the first screen) from your mobile phone or computer (the second screen).
The DIAL implementation in the Samsung TV UE40F6320 is vulnerable to both DNS rebinding and CSRF. A malicious web server can trick the browser of a computer on the same LAN as the TV into sending the launch request on the attacker's behalf, so the TV opens an application of the attacker's choosing (e.g. Netflix or YouTube). In particular, it is possible to force a given YouTube video to be played.
In contrast to the UPnP vulnerabilities reported previously, the DIAL interface is not subject to the per-IP address ACL, so any client on the LAN (here, the victim's browser) can reach it directly.
Starting a Netflix video
CSRF payload (Netflix), as executed by the victim's browser from the attacker's page:
fetch("http://192.168.1.18:80/ws/app/Netflix", {method: "POST", "body": ""})
Starting a YouTube video
For the YouTube application, the POST body selects the video to play (v= is the YouTube video id), so a specific video can be forced onto the screen:
fetch("http://192.168.1.18/ws/app/YouTube", {method: "POST", "body": "v=dQw4w9WgXcQ"})
This could be quite creepy.
Demo
Update: this demo is currently broken on recent browsers because of mixed-content protection, since I moved this site to HTTPS. On Firefox and Chromium you can temporarily enable mixed content for this website.
Warning
Pressing the button below will try to open a YouTube video by sending a DIAL request to each host in 192.168.1.0/24.
Depending on what is on your local network, someone might not find it very funny.
Mitigation
The DNS rebinding attack could be mitigated by enforcing the value of the Host header: a rebound request reaches the TV's IP address, but the browser still sends the attacker's hostname in Host, so the TV only needs to accept requests whose Host header names one of its own addresses.
The CSRF vulnerability could probably be mitigated by filtering on the Origin header (for recent browsers only), as discussed in the DIAL v2 specification.
Alternatively, the Application-URL could include a random token, so that an attacker who has not performed discovery cannot guess it.
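To make the three mitigations concrete, here is an added example (not code from the original post, nor from Samsung's firmware) of a request filter that a DIAL REST endpoint could run before launching an application. It enforces the Host header against DNS rebinding, filters on Origin against CSRF, and requires a random token in the Application-URL path. The TV address, the token value, the allowed origin and the /ws/app/<token>/<AppName> path layout are assumptions chosen for illustration; the sample requests are constructed.

```javascript
// Added example, not from the original post or from Samsung's firmware.
// A request filter for a DIAL REST endpoint applying the three mitigations
// discussed above. All addresses, the token and the allowed origin are assumed.

const DEVICE = {
  // Host header values under which the TV legitimately serves DIAL (assumed).
  // A DNS rebinding request reaches the TV's IP, but the browser sends the
  // attacker's hostname in Host, which is not in this set.
  hosts: new Set(["192.168.1.18", "192.168.1.18:80"]),
  // Random per-boot token embedded in the advertised Application-URL
  // (assumed value). A page that has not performed discovery cannot know it.
  appUrlToken: "3f9c1a7e2b8d4c6a",
  // Browser origins allowed to launch apps, e.g. the vendor's second-screen
  // web app (assumed). Any other origin is a cross-site request.
  allowedOrigins: new Set(["https://remote.example.com"]),
};

// Constant-time string comparison so response timing does not leak the token.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a DIAL launch request may proceed.
// req = { method, url, headers: { host, origin? } } with lower-case header names.
function checkDialRequest(req, device = DEVICE) {
  if (req.method !== "POST") return { ok: false, reason: "method" };

  // 1. DNS rebinding: the TCP connection is to the TV, but Host names the
  //    attacker's domain. Only accept names the TV actually answers to.
  const host = (req.headers.host || "").toLowerCase();
  if (!device.hosts.has(host)) return { ok: false, reason: "host" };

  // 2. CSRF: browsers attach Origin to cross-site POSTs, including fetch() in
  //    no-cors mode. A non-browser client (a phone app) sends no Origin, which
  //    this policy accepts; a present but unlisted Origin is rejected.
  const origin = req.headers.origin;
  if (origin !== undefined && !device.allowedOrigins.has(origin)) {
    return { ok: false, reason: "origin" };
  }

  // 3. Unguessable Application-URL: /ws/app/<token>/<AppName>. A client that
  //    skipped discovery (or a blind scan of 192.168.1.0/24) lacks the token.
  const m = /^\/ws\/app\/([0-9a-f]{16})\/([A-Za-z0-9_.-]+)$/.exec(req.url || "");
  if (!m || !constantTimeEqual(m[1], device.appUrlToken)) {
    return { ok: false, reason: "token" };
  }
  return { ok: true, app: m[2] };
}

// Constructed sample requests: one legitimate launch and the three attacks.
const SAMPLES = {
  // Phone app that did discovery: right Host, right token, no Origin.
  legitimate: { method: "POST", url: "/ws/app/3f9c1a7e2b8d4c6a/YouTube",
                headers: { host: "192.168.1.18" } },
  // DNS rebinding: attacker's name now resolves to the TV, Host gives it away.
  rebinding:  { method: "POST", url: "/ws/app/3f9c1a7e2b8d4c6a/YouTube",
                headers: { host: "tv.attacker.example" } },
  // Classic CSRF from the attacker's page, Origin reveals the cross-site POST.
  csrf:       { method: "POST", url: "/ws/app/3f9c1a7e2b8d4c6a/YouTube",
                headers: { host: "192.168.1.18", origin: "http://attacker.example" } },
  // Scanner without Origin that never learned the token from discovery.
  blindScan:  { method: "POST", url: "/ws/app/YouTube",
                headers: { host: "192.168.1.18" } },
};

function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = checkDialRequest(req);
  return out;
}

module.exports = { DEVICE, checkDialRequest, constantTimeEqual, runSamples, SAMPLES };
```

Only the Host check stops rebinding, only the Origin check stops a browser-borne CSRF, and only the token stops a client that sends no Origin at all; the checks are layered because none of them covers the other two cases on its own.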
Timeline
- 2020-06-24, Submitted report
- 2020-06-28, vendor replied that the issue was already fixed in recent models (in 2018)
References
- DIAL
- Rickrolling your neighbors with Google Chromecast
- Opening Up the Samsung Q60 series smart TV
- Exploiting remote DoS vulnerability in my not-so-smart TV
- In Defense of Dumb TVs
- DIALStranger (someone actually found this before me but disclosed it publicly later)