Attacking APIs using JSON Injection
I wanna tell you a story from not too long ago, where exploiting a JSON injection vulnerability in Samsung devices could trigger an attack chain that ended up with code execution on the device.
You know how over the past few years IoT has been all the rage? Everything is “smart” these days. From smart light bulbs to smart TVs. Smart fridges to smart hubs. Thermostats to cameras. If it had electronics, vendors were trying to make it “smarter” with software.
The thing is, many of these devices live in constrained environments. Typically running some sort of embedded Linux to drive code on system-on-chip (SOC) hardware. Which leaves its HTTP servers (and supporting libraries like JSON parsers) somewhat constrained.
And this was the case with the Samsung Smart Hub. Their mobile app could communicate remotely with the hub and control anything connected to it.
One of the features of the hub is the ability to connect to smart cameras and process its livestreams, using the RTSP protocol. This code runs in the video-core process, which is running as root.
