JSON Web Server Bug and Security Issue

2014-02-08
2014-02-10
  • Renato Riolino
    2014-02-08

    Hi! I have a 2012 Philips smart TV (42pfl7007g). It has a web server running on port 1925. But the JSON REST API is not available; for example, if I open this URL in my web browser: http://tv-home:1925/1/audio/volume I get a "Not Found" message.

    Then I tried some Linux paths on it, for example: http://tv-home:1925/proc/cpuinfo and it worked!!

    Processor : ARMv7 Processor rev 0 (v7l)
    BogoMIPS : 1828.45
    Features : swp half thumb fastmult vfp edsp vfpv3 vfpv3d16
    CPU implementer : 0x41
    CPU architecture: 7
    CPU variant : 0x3
    CPU part : 0xc09
    CPU revision : 0

    Hardware : MT5369
    Revision : 0000
    Serial : 0000000000000000

    It looks like, somehow, the web server root directory is pointing to the Linux root directory. Using this security flaw, I downloaded the web server (http://tv-home:1925/home/jsapp) and tried to look inside for any clue of the path to the web server URL, but no success.

    Any JointSpace/JSON API dev here?

    Where are the JSON HTMLs stored, so I can use it like: http://tv-home:1925/XXXXXXX/1/audio/volume where XXXXXXX is the JSON root path?

    Thanks

     
  • Matthias Ihmig
    2014-02-09

    Interesting insight.. on my (2011) TV, it's at /philips/data/js/http/index.html
    The "reference" link points to /philips/data/js/http/1/doc/API.html
    And the "audio/volume" part is at \philips\data\js\http\1\examples\audio\volume.html

    This is also the path which is written in philips\apps\jsApp

    So, if these files moved to a different location, maybe you get some ideas when looking at /etc/profile or /etc/rcS

    Let us know if you got it working!

     
  • Renato Riolino
    2014-02-10

    Still, nothing.

    /philips doesn't exist. Neither does /home/philips.

    /etc/profile and /etc/rc.d/rc.local don't mention anything about jsapp (see attachments).

    Anyone have any idea? I'm starting to think that /philips was removed in one of the firmware updates and because of that jsapp is using the Linux root as web root.

    I'm attaching /etc/fstab, /proc/cmdline and /proc/mounts too.
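
The thread's hypothesis is that a missing /philips directory left jsapp serving the Linux root. The Python sketch below is an added example, not part of the thread and not jsapp's code: a file handler that refuses to start when its document root is missing or is `/`, and confines every request path to that root. All function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

class DocRootError(Exception):
    """The configured document root cannot be served safely."""

def open_docroot(configured_root):
    """Canonicalise the docroot; fail closed instead of falling back to '/'."""
    root = os.path.realpath(configured_root)
    if not os.path.isdir(root):
        raise DocRootError(f"document root {configured_root!r} is missing")
    if root == os.path.sep:
        raise DocRootError("refusing to serve the filesystem root")
    return root

def resolve(root, url_path):
    """Map a request path to a regular file under root, else None (404)."""
    rel = unquote(url_path.split("?", 1)[0]).lstrip("/")
    if "\x00" in rel:
        return None
    # realpath collapses ".." and follows symlinks before the containment test
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None

def demo():
    """Exercise both checks on a constructed tree (layout is made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        web = os.path.join(tmp, "data", "http")
        os.makedirs(os.path.join(web, "1", "audio"))
        with open(os.path.join(web, "1", "audio", "volume"), "w") as f:
            f.write("placeholder")  # constructed content, not a real API reply
        root = open_docroot(web)
        out = {
            "api": resolve(root, "/1/audio/volume") is not None,
            "proc": resolve(root, "/proc/cpuinfo"),
            "dotdot": resolve(root, "/%2e%2e/%2e%2e/etc/fstab"),
        }
        for label, bad in (("missing", os.path.join(tmp, "gone")), ("fsroot", "/")):
            try:
                open_docroot(bad)
                out[label] = "served"
            except DocRootError:
                out[label] = "refused"
        return out

if __name__ == "__main__":
    print(demo())
```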