
List:       full-disclosure
Subject:    [FD] Google Chromecast Auth Bypass/RCE
From:       Benjamin Floyd <benjamin.floyd253 () gmail ! com>
Date:       2020-08-22 3:11:03
Message-ID: CAApQrQ50V0EEkS03Q+YHEosUdoGRPeb4nT9kgO7rsuB5xKhb8A () mail ! gmail ! com

Problem:  Most modern Google-based smart devices run some form of
Chromecast (and a version of the Chrome browser to play content).  All of
their Chromecast devices, Google Home, Nest, and basically any Google smart
device, as well as Android TVs with Chromecast built in run Chrome.  In
Google's Cast Developer Console, you can add arbitrary Chromecast devices
for development purposes via serial number (which is on the outside of
device boxes).  You could also find it on devices themselves, or could
socially engineer people to give you their serial number (because who would
care about something like that?).

Vuln:  Once added, you can push arbitrary code to these devices using the
Cast Developer Console (it is $10 to obtain access).  It requires 0 user
interaction.  They typically run a version of the Chrome browser that is
2-3 months+ out of date, which means there are DOZENS of existing sandbox
escape vulns WITH code.  There are no ASLR/DEP/stack cookies/etc. on most (if
not all) smart devices.  A sandbox escape would likely be all you needed,
as it seems the processes are running as root.  You could implant an
ephemeral payload on the device granting access to their internal network,
send yourself the user's session cookies, force payments (possibly, purely
speculative as of yet).

Responsible disclosure: I reached out to Google back in April 2020 to
address the issue.  They accepted the bug, did nothing with it, and
their own SLA period lapsed.  I re-submitted the bug 4 months later after
calling them out on Twitter (via my handle @pwna5aurus; stop by and say hi)
and they acknowledged it and asked me to submit another bug to their VRP.
They triaged it, decided it is not a security vuln (lol) and are still
debating whether to fix it or not, as of 8/21/2020.

Have fun!

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/