Originally Posted by eureka
I found a way to execute any shell code with root privileges by setting an LIPC property:
lipc-set-prop -s com.lab126.system sendEvent ";sh -c 'mntroot rw; echo pwned > /etc/uks/random.pem; mntroot ro'"
So this scriptable browser plugin is really dangerous. Any (I repeat, any!) website which is viewed by the user in the KT browser could secretly execute arbitrary shell commands with root privileges, so it will have absolute access to the KT OS, filesystem and system/user files, running processes, anything.
On the other hand, it could be used in a new method for easy jailbreaking through a website. This plugin could also be used in WAF apps, I assume. You needed to execute commands from a WAF application, didn't you?
Anyway, I recommend disabling this plugin. Execute in an SSH session:
mntroot rw && mv /usr/lib/browser/plugins/libkindleplugin.so /usr/lib/browser/plugins/libkindleplugin.so.disabled && mntroot ro && killall wafapp
It should be reported to Amazon immediately, but I didn't do it (and will not) as I'm curious whether somebody would want to implement that "jailbreak through website". All the information is already available in this thread.
Thanks a lot!!
I'll start playing around with this as soon as I find something to use it for (in the meantime, I satisfied my needs with sqlite3 commands).
Anyway, I can't understand why Amazon didn't fix this security hole but locked the pinch-to-zoom feature (I can't get it to work in my "app" as I did before 5.1.0!)...
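The disable one-liner quoted above works once, but fails on a second run (mv finds no file) and gives no way to confirm the device is actually in the disabled state. The script below is an added example, not code from the thread or from eureka: it wraps the same mitigation (rename libkindleplugin.so in /usr/lib/browser/plugins, remount read-only, restart wafapp) in a status check so it can be re-run safely and verified. It assumes the paths and the mntroot/killall commands exactly as they appear in the post; the directory argument exists only so the functions can be exercised on any box.

```shell
#!/bin/sh
# Added example: idempotent, checkable version of the plugin-disable step.
# Paths and tool names are taken from the forum post; nothing else is assumed.
PLUGIN_NAME=libkindleplugin.so
DEFAULT_PLUGIN_DIR=/usr/lib/browser/plugins

# plugin_status DIR -> prints exactly one of: active | disabled | missing
plugin_status() {
    dir=$1
    if [ -f "$dir/$PLUGIN_NAME" ]; then
        echo active
    elif [ -f "$dir/$PLUGIN_NAME.disabled" ]; then
        echo disabled
    else
        echo missing
    fi
}

# disable_plugin DIR -> renames the plugin if it is active.
# Returns 0 only when the directory ends up in the "disabled" state,
# so a second run is a harmless no-op and a missing plugin is reported.
disable_plugin() {
    dir=$1
    case $(plugin_status "$dir") in
        active)
            # mntroot only exists on the Kindle; skip it elsewhere.
            if command -v mntroot >/dev/null 2>&1; then mntroot rw; fi
            mv "$dir/$PLUGIN_NAME" "$dir/$PLUGIN_NAME.disabled" || return 1
            if command -v mntroot >/dev/null 2>&1; then mntroot ro; fi
            # Restart the browser host so the unloaded plugin is gone from memory.
            if command -v killall >/dev/null 2>&1; then killall wafapp 2>/dev/null || true; fi
            ;;
        disabled)
            ;;  # already done
        missing)
            return 1
            ;;
    esac
    [ "$(plugin_status "$dir")" = disabled ]
}

# On the device: sh thisscript.sh run   (uses the path from the post)
if [ "${1-}" = run ]; then
    disable_plugin "$DEFAULT_PLUGIN_DIR" && echo "plugin disabled"
fi
```

Running `plugin_status /usr/lib/browser/plugins` afterwards is the quick check that the mitigation is still in place, for instance after a firmware update that may have restored the file.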