Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner

Notices

Reply
 
Thread Tools Search this Thread
Old 04-14-2012, 03:31 PM   #1
eureka
but forgot what it's like
eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.
 
Posts: 728
Karma: 2314258
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
[Kindle Touch] Scriptable browser plugin included in 5.1.0

5.1.0 has introduced NPAPI plugin /usr/lib/libkindleplugin.so (symlinked to /usrl/lib/browser/plugins/libkindleplugin.so) which is used by system-wide WebKit engine.

It is scriptable plugin, so webpage can embed it and invoke it's "exported" native methods.

To embed:
Code:
<embed type="application/kindle-chrome-scriptable-plugin">
I gave enough information for googling about how to invoke methods of this embedded plugin.

So far, I've found following "exported" properties and methods:
  • property test (it just returns number 500)
  • method dev.log
  • method lipc.set
  • method lipc.get
  • method todo.scheduleItems
I don't know anything about parameters of these methods and don't know whether they produce sensible result at all. But if they are working, then OH-OH!, it could be dangerous, because it could be used by any website (yes, this plugin is accessible from Web Browser).

I hope someone more proficient in understanding of disassembled ARM C++ code will share more information about plugin's methods usage.

To disable plugin, just change extension of symlink in /usr/lib/browser/plugins (or remove this symlink). I believe, it will be sufficient.

UPD On 23 Jul 2012 Amazon made available update to 5.1.2 which must be applied over 5.1.0 or 5.1.1. Amongst other changes, 5.1.2 deletes NPAPI plugin /usr/lib/libkindleplugin.so, symlink /usrl/lib/browser/plugins/libkindleplugin.so and directory /usr/lib/browser, thus eliminating possible remote attack vector.

Last edited by eureka; 07-30-2012 at 06:49 AM. Reason: hooray, there is official update addressing possible security issue
eureka is offline   Reply With Quote
Old 04-16-2012, 09:44 AM   #2
JustAMan
Groupie
JustAMan doesn't litterJustAMan doesn't litter
 
JustAMan's Avatar
 
Posts: 153
Karma: 113
Join Date: Jan 2012
Location: Russia
Device: Kindle Touch
Hmm... *imagines a web page that removes Ads using ToDo mechanism*
JustAMan is offline   Reply With Quote
Old 04-18-2012, 09:23 PM   #3
eureka
but forgot what it's like
eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.
 
Posts: 728
Karma: 2314258
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
They are working.

Code:
/**
 * Get Lipc property (only int or string, not hasharray).
 *
 * @param {string} publisher The unique name of the publisher of the property.
 * @param {string} propertyName Name of the property to get.
 *
 * @return {string|int} Property value
 */
function plugin.lipc.get(publisher, propertyName) { ... }
Code:
/**
 * Set Lipc property (only int or string, not hasharray).
 *
 * @param {string} publisher The unique name of the publisher of the property.
 * @param {string} propertyName Name of the property to get.
 * @param {string|int} propertyValue Value to set.
 *
 * @return "success"
 */
function plugin.lipc.set(publisher, propertyName, propertyValue) { ... }
Code:
/**
 * Write into log for wafapp process and com.lab126.browser app id.
 *
 * @param {string} subsystemName First part of log message (usually used for identifier of log writer).
 * @param {string} message Second part of log message (usually used for actual log message).
 * @param {string} severity Must be one of the: "info", "warn", "error", "debug", "perf".
 *
 * @return "success"
 */
function plugin.dev.log(subsystemName, message, severity) { ... }
Code:
/**
 * Pass string to ToDo through setting of Lipc property `scheduleToDoItems`.
 *
 * @param {string} todoDocument ToDo document.
 *
 * @return "success"
 */
function plugin.todo.scheduleItems(todoDocument) { ... }
There are also properties plugin.test, plugin.lipc.test, plugin.dev.test, plugin.todo.test. They are returning integers (500, 600 or 700).
eureka is offline   Reply With Quote
Old 04-22-2012, 03:25 PM   #4
idoit
Plus
idoit ought to be getting tired of karma fortunes by now.idoit ought to be getting tired of karma fortunes by now.idoit ought to be getting tired of karma fortunes by now.idoit ought to be getting tired of karma fortunes by now.idoit ought to be getting tired of karma fortunes by now.idoit ought to be getting tired of karma fortunes by now.idoit ought to be getting tired of karma fortunes by now.idoit ought to be getting tired of karma fortunes by now.idoit ought to be getting tired of karma fortunes by now.idoit ought to be getting tired of karma fortunes by now.idoit ought to be getting tired of karma fortunes by now.
 
idoit's Avatar
 
Posts: 366
Karma: 262144
Join Date: Jan 2012
Location: Tehran, Iran - Halifax, Canada
Device: iPhone 5s
This looks really interesting!

I'm interested in integrating other plugins to WebKit. Do you think this is possible by putting corresponding *.so libraries in /usr/lib/browser/plugins/?
idoit is offline   Reply With Quote
Old 05-27-2012, 12:03 PM   #5
eureka
but forgot what it's like
eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.
 
Posts: 728
Karma: 2314258
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
I found the way to execute any shell code with root privileges via setting of LIPC property:
Code:
lipc-set-prop -s com.lab126.system sendEvent ";sh -c 'mntroot rw; echo pwned > /etc/uks/random.pem; mntroot ro'"
So this scriptable browser plugin is really dangerous. Any (I repeat, any!) website, which is viewed by user in KT browser, could secretly execute arbitrary shell command with root privileges, so it will have absolute access to KT OS, filesystem and system/user files, running processes, anything.

On the other hand, it could be used in new method for easy jailbreaking through website.

BTW, @silver18, this plugin could be used in WAF apps, I assume. You've needed to execute commands from WAF application, haven't you?

Anyway, I recommend to disable this plugin. Execute in SSH session:
Code:
mntroot rw && mv /usr/lib/browser/plugins/libkindleplugin.so /usr/lib/browser/plugins/libkindleplugin.so.disabled && mntroot ro && killall wafapp
It should be reported to Amazon immediately, but I didn't do it (and will not do) as I'm curious whether somebody would want to implement that "jailbreak through website". All information is already available in this thread.

UPD On 23 Jul 2012 Amazon made available update to 5.1.2 which must be applied over 5.1.0 or 5.1.1. Amongst other changes, 5.1.2 deletes NPAPI plugin /usr/lib/libkindleplugin.so, symlink /usrl/lib/browser/plugins/libkindleplugin.so and directory /usr/lib/browser, thus eliminating possible remote attack vector.

Last edited by eureka; 07-30-2012 at 06:50 AM. Reason: hooray, there is official update addressing possible security issue
eureka is offline   Reply With Quote
Old 05-27-2012, 12:12 PM   #6
geekmaster
Всё гениальное просто.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 5,070
Karma: 6789001
Join Date: Nov 2011
Location: Щедрость не имеет пределов.
Device: *.*
Quote:
Originally Posted by eureka View Post
I found the way to execute any shell code with root privileges via setting of LIPC property ... it could be used in new method for easy jailbreaking through website ...
Cool! A "remote" jailbreak tool! Thanks amazon! Now we just need to get up a youtube video, and submit it to slashdot. ... and somebody needs to IMPLEMENT the code and web page too.

Last edited by geekmaster; 05-27-2012 at 12:18 PM.
geekmaster is offline   Reply With Quote
Old 05-27-2012, 12:21 PM   #7
hawhill
Wizard
hawhill ought to be getting tired of karma fortunes by now.hawhill ought to be getting tired of karma fortunes by now.hawhill ought to be getting tired of karma fortunes by now.hawhill ought to be getting tired of karma fortunes by now.hawhill ought to be getting tired of karma fortunes by now.hawhill ought to be getting tired of karma fortunes by now.hawhill ought to be getting tired of karma fortunes by now.hawhill ought to be getting tired of karma fortunes by now.hawhill ought to be getting tired of karma fortunes by now.hawhill ought to be getting tired of karma fortunes by now.hawhill ought to be getting tired of karma fortunes by now.
 
hawhill's Avatar
 
Posts: 1,177
Karma: 2116649
Join Date: Nov 2010
Location: Goettingen, Germany
Device: Kindle Paperwhite, Kobo Mini
I can very well understand that it is tempting to use this for a jailbreak. However, this is a very serious issue, given that there must be millions of units out there, that can now all be turned into botnet drones by just luring their owners on a website...
hawhill is offline   Reply With Quote
Old 05-27-2012, 12:25 PM   #8
ixtab
(offline)
ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.
 
ixtab's Avatar
 
Posts: 2,903
Karma: 6677557
Join Date: Dec 2011
Device: K3, K4, K5, KPW, KPW2
@eureka: Great job!

As this is a HUGE security issue, I expect this to be fixed with the next Firmware release. I'd bet my money that Amazon starts fixing this as soon as they read this thread.
ixtab is offline   Reply With Quote
Old 05-27-2012, 12:27 PM   #9
geekmaster
Всё гениальное просто.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 5,070
Karma: 6789001
Join Date: Nov 2011
Location: Щедрость не имеет пределов.
Device: *.*
Quote:
Originally Posted by hawhill View Post
I can very well understand that it is tempting to use this for a jailbreak. However, this is a very serious issue, given that there must be millions of units out there, that can now all be turned into botnet drones by just luring their owners on a website...
You did notice the wink and grin. Yes, a 3G botnet could be especially costly for amazon (especially if it used the "social network" loop-hole out to the unrestricted internet on touch 3G).
geekmaster is offline   Reply With Quote
Old 05-27-2012, 12:31 PM   #10
knc1
Helpdesk Junkie
knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.
 
knc1's Avatar
 
Posts: 6,817
Karma: 6307752
Join Date: Feb 2012
Device: Too many.
Quote:
Originally Posted by ixtab View Post
@eureka: Great job!

As this is a HUGE security issue, I expect this to be fixed with the next Firmware release. I'd bet my money that Amazon starts fixing this as soon as they read this thread.
Or just stop running the browser (and nearly everything else) as 'root'.

One "common" practice is to make the browser suid and the user id as "nobody" (with "nobody" not having any privledges of any kind).

Not sure if the Kindle's have such a user already setup, but somebody with time on their hands might check this out for us.
knc1 is offline   Reply With Quote
Old 05-27-2012, 12:51 PM   #11
geekmaster
Всё гениальное просто.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 5,070
Karma: 6789001
Join Date: Nov 2011
Location: Щедрость не имеет пределов.
Device: *.*
If you execute an arbitrary command from the search bar (using the same "semi-colon" hack), it runs as user "framework", which is worse than nobody. The only place it can write is to its own subdirectory on /tmp/. About the only thing it is good for is viewing the shadow file so you can crack it with "john the ripper". None of the "usual" privilege escalation methods worked, so I was not able to gain root access from the search bar.

So, I am surprised that this lipc command runs things as root.

Last edited by geekmaster; 05-27-2012 at 01:14 PM.
geekmaster is offline   Reply With Quote
Old 05-27-2012, 01:23 PM   #12
ixtab
(offline)
ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.ixtab ought to be getting tired of karma fortunes by now.
 
ixtab's Avatar
 
Posts: 2,903
Karma: 6677557
Join Date: Dec 2011
Device: K3, K4, K5, KPW, KPW2
Quote:
Originally Posted by geekmaster View Post
So, I am surprised that this lipc command runs things as root.
Well technically, it's probably whatever implements com.lab126.system and handles the sendEvent message, which runs as root (and is buggy). Not 100% sure though.
ixtab is offline   Reply With Quote
Old 05-27-2012, 01:32 PM   #13
knc1
Helpdesk Junkie
knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.
 
knc1's Avatar
 
Posts: 6,817
Karma: 6307752
Join Date: Feb 2012
Device: Too many.
Quote:
Originally Posted by geekmaster View Post
If you execute an arbitrary command from the search bar (using the same "semi-colon" hack), it runs as user "framework", which is worse than nobody. The only place it can write is to its own subdirectory on /tmp/. About the only thing it is good for is viewing the shadow file so you can crack it with "john the ripper". None of the "usual" privilege escalation methods worked, so I was not able to gain root access from the search bar.

So, I am surprised that this lipc command runs things as root.
That is what was reported.
But do not take my post as an indication that I confirmed the report.

Some additional confirmation would be nice to see from other users.
knc1 is offline   Reply With Quote
Old 05-27-2012, 03:29 PM   #14
silver18
THE NOOB
silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.silver18 ought to be getting tired of karma fortunes by now.
 
silver18's Avatar
 
Posts: 698
Karma: 1545625
Join Date: Jan 2012
Location: Italy
Device: Kindle Touch 5.3.2
Quote:
Originally Posted by eureka View Post
I found the way to execute any shell code with root privileges via setting of LIPC property:
Code:
lipc-set-prop -s com.lab126.system sendEvent ";sh -c 'mntroot rw; echo pwned > /etc/uks/random.pem; mntroot ro'"
So this scriptable browser plugin is really dangerous. Any (I repeat, any!) website, which is viewed by user in KT browser, could secretly execute arbitrary shell command with root privileges, so it will have absolute access to KT OS, filesystem and system/user files, running processes, anything.

On the other hand, it could be used in new method for easy jailbreaking through website.

BTW, @silver18, this plugin could be used in WAF apps, I assume. You've needed to execute commands from WAF application, haven't you?

Anyway, I recommend to disable this plugin. Execute in SSH session:
Code:
mntroot rw && mv /usr/lib/browser/plugins/libkindleplugin.so /usr/lib/browser/plugins/libkindleplugin.so.disabled && mntroot ro && killall wafapp
It should be reported to Amazon immediately, but I didn't do it (and will not do) as I'm curious whether somebody would want to implement that "jailbreak through website". All information is already available in this thread.

Thanks a lot!!
I'll start playing around with this as soon as I'll find something to use it for (in the meanwhile, I satisfied my needs with sqlite3 commands).

Anyway, I can't get why Amazon didn't fix this security hole but it locked the pinch-to-zoom feature (I can't get it to work in my "app" as I did before 5.1.0!!)...
silver18 is online now   Reply With Quote
Old 05-27-2012, 07:17 PM   #15
NiLuJe
BLAM!
NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.
 
NiLuJe's Avatar
 
Posts: 5,100
Karma: 4987077
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW & PW2
Am I the only one that finds this somewhat funny?

Anyway, good job!
NiLuJe is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Kindle touch browser javascript capabilities iPocketBook Kindle Developer's Corner 14 01-03-2013 10:10 AM
Kindle 4 (Non-Touch) Can you DELETE the browser? nsomniac Amazon Kindle 3 03-30-2012 08:22 PM
Kindle Touch Bypass 3G Browser Restriction? copy1 Amazon Kindle 3 02-04-2012 03:52 PM
eReader.com Browser Search Plugin Zero9 Deals, Freebies, and Resources (No Self-Promotion) 0 07-24-2009 10:44 PM
BooksOnBoard Browser Search Plugin Zero9 Deals, Freebies, and Resources (No Self-Promotion) 10 07-24-2009 04:27 PM


All times are GMT -4. The time now is 02:00 PM.


MobileRead.com is a privately owned, operated and funded community.