View Single Post
Old 05-27-2012, 03:29 PM   #14
silver18
THE NOOB
silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.
 
silver18's Avatar
 
Posts: 698
Karma: 1545625
Join Date: Jan 2012
Location: Italy
Device: Kindle Touch 5.3.2
Quote:
Originally Posted by eureka View Post
I found the way to execute any shell code with root privileges via setting of LIPC property:
Code:
lipc-set-prop -s com.lab126.system sendEvent ";sh -c 'mntroot rw; echo pwned > /etc/uks/random.pem; mntroot ro'"
So this scriptable browser plugin is really dangerous. Any (I repeat, any!) website, which is viewed by user in KT browser, could secretly execute arbitrary shell command with root privileges, so it will have absolute access to KT OS, filesystem and system/user files, running processes, anything.

On the other hand, it could be used in new method for easy jailbreaking through website.

BTW, @silver18, this plugin could be used in WAF apps, I assume. You've needed to execute commands from WAF application, haven't you?

Anyway, I recommend to disable this plugin. Execute in SSH session:
Code:
mntroot rw && mv /usr/lib/browser/plugins/libkindleplugin.so /usr/lib/browser/plugins/libkindleplugin.so.disabled && mntroot ro && killall wafapp
It should be reported to Amazon immediately, but I didn't do it (and will not do) as I'm curious whether somebody would want to implement that "jailbreak through website". All information is already available in this thread.

Thanks a lot!!
I'll start playing around with this as soon as I'll find something to use it for (in the meanwhile, I satisfied my needs with sqlite3 commands).

Anyway, I can't get why Amazon didn't fix this security hole but it locked the pinch-to-zoom feature (I can't get it to work in my "app" as I did before 5.1.0!!)...
silver18 is offline   Reply With Quote