lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Aug 2020 20:11:03 -0700 From: Benjamin Floyd <benjamin.floyd253@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Google Chromecast Auth Bypass/RCE Problem: Most modern Google-based smart devices run some form of Chromecast (and a version of the Chrome browser to play content). All of their Chromecast devices, Google Home, Nest, and basically any Google smart device, as well as Android TVs with Chromecast built in run Chrome. In Google's Cast Developer Console, you can add arbitrary Chromecast devices for development purposes via serial number (which is on the outside of device boxes). You could also find it on devices themselves, or could socially engineer people to give you their serial number (because who would care about something like that?). Vuln: Once added, you can push arbitrary code to these devices using the Cast Developer Console (it is $10 to obtain access). It requires 0 user interaction. They typically run a version of the Chrome browser that is 2-3 months+ out of date, which means there are DOZENS of existing sandbox escape vulns WITH code. There is no ASLR/DEP/Stack cookies/etc on most (if not all) smart devices. A sandbox escape would likely be all you needed, as it seems the processes are running as root. You could implant an ephemeral payload on the device granting access to their internal network, send yourself the user's session cookies, force payments (possibly, purely speculative as of yet). Responsible disclosure: I reached out to Google back in April 2020 to address the issue. They accepted the bug, did nothing with it, and their own SLA period lapsed. I re-submitted the bug 4 months later after calling them out on Twitter (via my handle @pwna5aurus; stop by and say hi) and they acknowledged it and asked me to submit another bug to their VRP. They triaged it, decided it is not a security vuln (lol) and are still debating whether to fix it or not, as of 8/21/2020. Have fun! _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists