I found a way to execute any shell code with root privileges by setting an LIPC property:
lipc-set-prop -s com.lab126.system sendEvent ";sh -c 'mntroot rw; echo pwned > /etc/uks/random.pem; mntroot ro'"
So this scriptable browser plugin is really dangerous. Any (I repeat, any!) website viewed by the user in the KT browser could secretly execute an arbitrary shell command with root privileges, so it would have absolute access to the KT OS, filesystem and system/user files, running processes, anything.
On the other hand, it could be used in a new method for easy jailbreaking through a website. Also, this plugin could be used in WAF apps, I assume. You've needed to execute commands from a WAF application, haven't you?
Anyway, I recommend disabling this plugin. Execute in an SSH session:
mntroot rw && mv /usr/lib/browser/plugins/libkindleplugin.so /usr/lib/browser/plugins/libkindleplugin.so.disabled && mntroot ro && killall wafapp
It should be reported to Amazon immediately, but I didn't do it (and will not do so) as I'm curious whether somebody would want to implement that "jailbreak through website". All the information is already available in this thread.
On 23 Jul 2012 Amazon made available update 5.1.2, which must be applied over 5.1.0. Amongst other changes, 5.1.2 deletes the NPAPI plugin /usr/lib/libkindleplugin.so, the symlink /usr/lib/browser/plugins/libkindleplugin.so and the directory /usr/lib/browser, thus eliminating the possible remote attack vector.