K5 [Kindle Touch] Scriptable browser plugin included in 5.1.0

[eureka]

5.1.0 has introduced NPAPI plugin /usr/lib/libkindleplugin.so (symlinked to /usrl/lib/browser/plugins/libkindleplugin.so) which is used by system-wide WebKit engine.

It is scriptable plugin, so webpage can embed it and invoke it's "exported" native methods.

To embed:

Code:

<embed type="application/kindle-chrome-scriptable-plugin">

I gave enough information for googling about how to invoke methods of this embedded plugin.

So far, I've found following "exported" properties and methods:

• property test (it just returns number 500)
• method dev.log
• method lipc.set
• method lipc.get
• method todo.scheduleItems

I don't know anything about parameters of these methods and don't know whether they produce sensible result at all. But if they are working, then OH-OH!, it could be dangerous, because it could be used by any website (yes, this plugin is accessible from Web Browser).

I hope someone more proficient in understanding of disassembled ARM C++ code will share more information about plugin's methods usage.

To disable plugin, just change extension of symlink in /usr/lib/browser/plugins (or remove this symlink). I believe, it will be sufficient.

UPD On 23 Jul 2012 Amazon made available update to 5.1.2 which must be applied over 5.1.0 or 5.1.1. Amongst other changes, 5.1.2 deletes NPAPI plugin /usr/lib/libkindleplugin.so, symlink /usrl/lib/browser/plugins/libkindleplugin.so and directory /usr/lib/browser, thus eliminating possible remote attack vector.

[JustAMan]

Hmm... *imagines a web page that removes Ads using ToDo mechanism*

[eureka]

They are working.

Code:

/**
 * Get Lipc property (only int or string, not hasharray).
 *
 * @param {string} publisher The unique name of the publisher of the property.
 * @param {string} propertyName Name of the property to get.
 *
 * @return {string|int} Property value
 */
function plugin.lipc.get(publisher, propertyName) { ... }

Code:

/**
 * Set Lipc property (only int or string, not hasharray).
 *
 * @param {string} publisher The unique name of the publisher of the property.
 * @param {string} propertyName Name of the property to get.
 * @param {string|int} propertyValue Value to set.
 *
 * @return "success"
 */
function plugin.lipc.set(publisher, propertyName, propertyValue) { ... }

Code:

/**
 * Write into log for wafapp process and com.lab126.browser app id.
 *
 * @param {string} subsystemName First part of log message (usually used for identifier of log writer).
 * @param {string} message Second part of log message (usually used for actual log message).
 * @param {string} severity Must be one of the: "info", "warn", "error", "debug", "perf".
 *
 * @return "success"
 */
function plugin.dev.log(subsystemName, message, severity) { ... }

Code:

/**
 * Pass string to ToDo through setting of Lipc property `scheduleToDoItems`.
 *
 * @param {string} todoDocument ToDo document.
 *
 * @return "success"
 */
function plugin.todo.scheduleItems(todoDocument) { ... }

There are also properties plugin.test, plugin.lipc.test, plugin.dev.test, plugin.todo.test. They are returning integers (500, 600 or 700).

[idoit]

This looks really interesting!

I'm interested in integrating other plugins to WebKit. Do you think this is possible by putting corresponding *.so libraries in /usr/lib/browser/plugins/?

[eureka]

I found the way to execute any shell code with root privileges via setting of LIPC property:

Code:

lipc-set-prop -s com.lab126.system sendEvent ";sh -c 'mntroot rw; echo pwned > /etc/uks/random.pem; mntroot ro'"

So this scriptable browser plugin is really dangerous. Any (I repeat, any!) website, which is viewed by user in KT browser, could secretly execute arbitrary shell command with root privileges, so it will have absolute access to KT OS, filesystem and system/user files, running processes, anything.

On the other hand, it could be used in new method for easy jailbreaking through website.

BTW, @silver18, this plugin could be used in WAF apps, I assume. You've needed to execute commands from WAF application, haven't you?

Anyway, I recommend to disable this plugin. Execute in SSH session:

Code:

mntroot rw && mv /usr/lib/browser/plugins/libkindleplugin.so /usr/lib/browser/plugins/libkindleplugin.so.disabled && mntroot ro && killall wafapp

It should be reported to Amazon immediately, but I didn't do it (and will not do) as I'm curious whether somebody would want to implement that "jailbreak through website". All information is already available in this thread.

UPD On 23 Jul 2012 Amazon made available update to 5.1.2 which must be applied over 5.1.0 or 5.1.1. Amongst other changes, 5.1.2 deletes NPAPI plugin /usr/lib/libkindleplugin.so, symlink /usrl/lib/browser/plugins/libkindleplugin.so and directory /usr/lib/browser, thus eliminating possible remote attack vector.

[geekmaster]

Quote:

Originally Posted by eureka

I found the way to execute any shell code with root privileges via setting of LIPC property ... it could be used in new method for easy jailbreaking through website ...

Cool! A "remote" jailbreak tool! Thanks amazon! Now we just need to get up a youtube video, and submit it to slashdot. ... and somebody needs to IMPLEMENT the code and web page too.

[hawhill]

I can very well understand that it is tempting to use this for a jailbreak. However, this is a very serious issue, given that there must be millions of units out there, that can now all be turned into botnet drones by just luring their owners on a website...

[ixtab]

@eureka: Great job!

As this is a HUGE security issue, I expect this to be fixed with the next Firmware release. I'd bet my money that Amazon starts fixing this as soon as they read this thread.

[geekmaster]

Quote:

Originally Posted by hawhill

I can very well understand that it is tempting to use this for a jailbreak. However, this is a very serious issue, given that there must be millions of units out there, that can now all be turned into botnet drones by just luring their owners on a website...

You did notice the wink and grin. Yes, a 3G botnet could be especially costly for amazon (especially if it used the "social network" loop-hole out to the unrestricted internet on touch 3G).

[knc1]

Quote:

Originally Posted by ixtab

@eureka: Great job!

As this is a HUGE security issue, I expect this to be fixed with the next Firmware release. I'd bet my money that Amazon starts fixing this as soon as they read this thread.

Or just stop running the browser (and nearly everything else) as 'root'.

One "common" practice is to make the browser suid and the user id as "nobody" (with "nobody" not having any privledges of any kind).

Not sure if the Kindle's have such a user already setup, but somebody with time on their hands might check this out for us.

[geekmaster]

If you execute an arbitrary command from the search bar (using the same "semi-colon" hack), it runs as user "framework", which is worse than nobody. The only place it can write is to its own subdirectory on /tmp/. About the only thing it is good for is viewing the shadow file so you can crack it with "john the ripper". None of the "usual" privilege escalation methods worked, so I was not able to gain root access from the search bar.

So, I am surprised that this lipc command runs things as root.

[ixtab]

Quote:

Originally Posted by geekmaster

So, I am surprised that this lipc command runs things as root.

Well technically, it's probably whatever implements com.lab126.system and handles the sendEvent message, which runs as root (and is buggy). Not 100% sure though.

[knc1]

Quote:

Originally Posted by geekmaster

If you execute an arbitrary command from the search bar (using the same "semi-colon" hack), it runs as user "framework", which is worse than nobody. The only place it can write is to its own subdirectory on /tmp/. About the only thing it is good for is viewing the shadow file so you can crack it with "john the ripper". None of the "usual" privilege escalation methods worked, so I was not able to gain root access from the search bar.

So, I am surprised that this lipc command runs things as root.

That is what was reported.
But do not take my post as an indication that I confirmed the report.

Some additional confirmation would be nice to see from other users.

[silver18]

Quote:

Originally Posted by eureka

I found the way to execute any shell code with root privileges via setting of LIPC property:

Code:

lipc-set-prop -s com.lab126.system sendEvent ";sh -c 'mntroot rw; echo pwned > /etc/uks/random.pem; mntroot ro'"

So this scriptable browser plugin is really dangerous. Any (I repeat, any!) website, which is viewed by user in KT browser, could secretly execute arbitrary shell command with root privileges, so it will have absolute access to KT OS, filesystem and system/user files, running processes, anything.

On the other hand, it could be used in new method for easy jailbreaking through website.

BTW, @silver18, this plugin could be used in WAF apps, I assume. You've needed to execute commands from WAF application, haven't you?

Anyway, I recommend to disable this plugin. Execute in SSH session:

Code:

mntroot rw && mv /usr/lib/browser/plugins/libkindleplugin.so /usr/lib/browser/plugins/libkindleplugin.so.disabled && mntroot ro && killall wafapp

It should be reported to Amazon immediately, but I didn't do it (and will not do) as I'm curious whether somebody would want to implement that "jailbreak through website". All information is already available in this thread.

Thanks a lot!!
I'll start playing around with this as soon as I'll find something to use it for (in the meanwhile, I satisfied my needs with sqlite3 commands).

Anyway, I can't get why Amazon didn't fix this security hole but it locked the pinch-to-zoom feature (I can't get it to work in my "app" as I did before 5.1.0!!)...

[NiLuJe]

Am I the only one that finds this somewhat funny?

Anyway, good job!