TCL Android Smart TV (All) – Incorrect Permission Assignment for Critical Vendor Resources – TCL Android TV Vendor Configuration & Upgrade Folders World Writable to Local Attacker
TCL Technology Group Corporation
TCL Android Smart TV Firmware (All)
V8-R851T02-LF1 V295 and below
Many models affected (untested)
A vulnerability in the TCL Android Smart TV series by TCL Technology Group Corporation allows a local unprivileged attacker, such as a malicious App, to read and write to critical vendor resource directories within the Android TV file system, including the vendor upgrades folder.
The following three critical resource folders are assigned permissions of 0777 by the vendor rc file located at /system/vendor/etc/init/hw/init.rtd285o.rc from line 344:
This allows a local unprivileged user, or a malicious APK, to modify critical system resources. For example, by modifying the /data/vendor/upgrade folder, an attacker could potentially cause the Android TV to undergo arbitrary vendor system upgrades.
- 2020-10-29 – Researcher discovers vulnerability during reconnaissance
- 2020-10-29 – Vendor notified via email
- 2020-11-02 – CVE assigned CVE-2020-28055
- 2020-11-08 – Research final notifies vendor for an update
- 2020-11-10 – Researcher publishes CVE-2020-28055
The following firmware updates do not refer to the Android system updates; updates refer to the vendor specific third-party firmware updates provided by TCL.
- Update to the latest over-the-air (OTA) vendor firmware from TCL.
- Update to the latest vendor firmware from the TCL website using a USB drive and the firmware update method for your model.
TCL Android Smart TVs cannot be manually patched without root user access (rooted).
TCL Smart TVs that are not rooted cannot be manually updated other than using OTA or USB update methods.
Offline TVs are low risk because there are no attackers on the adjacent network.
If your TV is in a high-risk environment, and you are unable to update the vendor firmware, it is recommended to disable internet access on the TCL Android TV until patched.
Manual or offline TV updates require elevated permissions to fix this vulnerability and cannot be patched without root user access:
chmod 0770 /data/vendor/tcl /data/vendor/upgrade /var/TerminalManager