MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner
Old 05-27-2012, 06:27 PM   #16
geekmaster
Quote: Originally Posted by NiLuJe
Am I the only one that finds this somewhat funny?

Anyway, good job!
It is very funny, until amazon gets a big 3G bill for a 3G botnet installed on kindles that visited an infected web page when connected using wifi.

Unless amazon patched it in 5.1.0, you could previously visit any web page over 3G by clicking a link to google on a facebook "desktop site" page, from social networking. There was a youtube video showing this but google seems to not be finding it now.

Aha... found it. This worked on stock firmware, no jailbreak, no hacks. It seems that accessing the web with the social network "browser" uses a relaxed rule set. I see that the video says that it is also for 5.1.0. This new updated video was just posted 2 weeks ago. I am sure that I first saw this long before 5.1.0 was around. The old one showed a closeup of the 3G connection. This one cheats and uses wifi, but he SAYS it also works on 3G. The old video SHOWED a 3G demo. I wonder if the old video is still out there...


Of course, this is complicated enough to be only useful in a real emergency, or by an automated tool such as a botnet might use.

Also, after the gaping security hole announced in this thread, it may be worth looking for more security screw-ups that they added to this firmware version. Perhaps we can get root shell from the search bar now by escalating a framework shell? (FYI I used a netcat reverse shell started from the home page search bar when I was trying to get root on 5.0.0, running as user "framework", back before the MP3 jailbreak).

Note to amazon staff: We want root access so we can add fun things to our kindles, such as these:
geekmaster kindle video player: http://www.mobileread.com/forums/sho...d.php?t=177455
[Kindle Touch] xterm & matchbox-keyboard: http://www.mobileread.com/forums/sho...d.php?t=179286
newtrix - geekmaster's new tricks: http://www.mobileread.com/forums/sho...d.php?t=176802
But ESPECIALLY so we can continue to help debrick kindles for people who found us AFTER your firmware updates bricked their unmodified kindle. Please continue to add features and fix bugs (instead of adding new bugs like 5.1.0 did, which bricked a lot of kindles). But while you are making things BETTER, do not lock us out! Adding obfuscation to the java code in 5.1.0 is very annoying but does not really slow anybody down. Please stop doing that crap, okay?

Last edited by geekmaster; 05-27-2012 at 10:14 PM.
Old 05-30-2012, 04:22 PM   #17
ixtab
Quote: Originally Posted by geekmaster
Note to amazon staff: We want root access so we can add fun things to our kindles, such as these:
geekmaster kindle video player: http://www.mobileread.com/forums/sho...d.php?t=177455
[Kindle Touch] xterm & matchbox-keyboard: http://www.mobileread.com/forums/sho...d.php?t=179286
newtrix - geekmaster's new tricks: http://www.mobileread.com/forums/sho...d.php?t=176802
But ESPECIALLY so we can continue to help debrick kindles for people who found us AFTER your firmware updates bricked their unmodified kindle. Please continue to add features and fix bugs (instead of adding new bugs like 5.1.0 did, which bricked a lot of kindles). But while you are making things BETTER, do not lock us out! Adding obfuscation to the java code in 5.1.0 is very annoying but does not really slow anybody down. Please stop doing that crap, okay?
Shamelessly plugging in here.

@Amazon:

While you're at it... this post contains a similar request, and similar arguments (read the parts in red).

This forum is not a threat to you. On the contrary: We are, in fact, helping you to make your products better, and we support your user base. So please, just stop making our lives more difficult for no reason.
Old 05-31-2012, 04:35 AM   #18
eureka
No, they will not read it. They don't look here. Only I am reading your entreaties here.

Anyway, did anybody write to Amazon/Lab126 about this attack vector? I really think this forum isn't monitored by Amazon staff. And while I personally will not contact Amazon, I have no objections to reporting it ASAP.

Last edited by eureka; 05-31-2012 at 05:36 AM.
Old 05-31-2012, 08:17 AM   #19
geekmaster
Quote: Originally Posted by eureka
No, they will not read it. They don't look here. Only I am reading your entreaties here.

Anyway, did anybody write to Amazon/Lab126 about this attack vector? I really think this forum isn't monitored by Amazon staff. And while I personally will not contact Amazon, I have no objections to reporting it ASAP.
Actually, amazon tech staff *did* read this particular thread. This "attack vector" will probably be closed soon. That is why we asked them here to not OVER protect it.
Old 07-16-2012, 08:26 AM   #20
ixtab
BTW, this has just been covered on the largest German-speaking IT website: http://www.heise.de/meldung/Sicherhe...h-1636888.html

I guess this puts a bit more pressure on Amazon to finally roll out a fix for the issue: "Gegenüber heise Security erklärte Amazons Sicherheitsabteilung, dass sie bereits an einem Patch arbeitet." -- "Amazon's security department told heise Security that they are already working on a patch".
Old 07-16-2012, 08:35 AM   #21
geekmaster
It will be "interesting" to see what new exploitable bugs they add when they fix this one.

I wonder why it is taking them so long to fix this one...
Old 07-16-2012, 09:14 AM   #22
ixtab
Security fix

OK, so... I'm attaching an update package which can disable (or re-enable) the vulnerability, until Amazon comes up with a proper patch.

To install the package, your device obviously needs to be jailbroken. Ironically, if needed, the jailbreak can be installed using the very vulnerability that this package fixes.

EDIT: There's a typo in the README: Of course, the vulnerability isn't triggered, but it (rather: its availability) is toggled. Sorry for the potential confusion.

EDIT 2: This is obsolete. The vulnerability has been fixed with Firmware 5.1.2.
Attached file: secfix_1.0.0.zip (4.0 KB, 104 views)

Last edited by ixtab; 07-23-2012 at 11:39 PM.
Old 07-16-2012, 09:21 AM   #23
bhaak
I wonder who gave Heise the hint about this exploit or which of the forum goers in here is a Heise employee.

Or maybe it was time again for a Kindle article and Heise didn't have anything else to write about.
Old 07-16-2012, 09:26 AM   #24
bhaak
Quote: Originally Posted by ixtab
OK, so... I'm attaching an update package which can disable (or re-enable) the vulnerability, until Amazon comes up with a proper patch.

To install the package, your device obviously needs to be jailbroken. Ironically, if needed, the jailbreak can be installed using the very vulnerability that this package fixes.
Heh, but to really be safe from browser exploits you should have removed more than just the symlink to libkindleplugin.so. Nobody is using that browser anyway; its only use is for jailbreaks.
Old 07-17-2012, 11:18 AM   #25
mmatej
Quote: Originally Posted by ixtab
OK, so... I'm attaching an update package which can disable (or re-enable) the vulnerability, until Amazon comes up with a proper patch.

To install the package, your device obviously needs to be jailbroken. Ironically, if needed, the jailbreak can be installed using the very vulnerability that this package fixes.

EDIT: There's a typo in the README: Of course, the vulnerability isn't triggered, but it (rather: its availability) is toggled. Sorry for the potential confusion.
I've added it to the jailbreak site, so (hopefully) more users will have their devices patched.
Old 07-30-2012, 06:07 AM   #26
eureka
It's old news already, but I'd like to see them here for completeness.

Update to 5.1.2 (amongst other changes) deletes the NPAPI plugin /usr/lib/libkindleplugin.so, the symlink /usr/lib/browser/plugins/libkindleplugin.so and the directory /usr/lib/browser, thus eliminating a possible remote attack vector.

I didn't update to 5.1.2 yet, so I can't confirm whether setting a LIPC property of com.lab126.system still allows executing arbitrary shell code. Anybody willing to check? (Anyway, it's a minor nuisance, as without the browser plugin there is no more obvious remote access to the KT.)

BTW, owners of Ubisoft games with Uplay, beware: the installation procedure creates a browser plugin for its accompanying uplay launcher, which grants unexpectedly wide access to websites.
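Both ixtab's secfix package (post #22, which bhaak notes only drops the symlink) and the 5.1.2 change list above come down to whether three filesystem artefacts still exist on the device. The script below is an added example written for this thread, not ixtab's package and not anything shipped in Kindle firmware: it audits a root directory for those three paths, distinguishing a dangling symlink from a live one so that "symlink removed but library still on disk" and "library removed but symlink left behind" are both reported. The three paths are the ones eureka lists; the function name, the `make_sample_tree` helper and the sample tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not ixtab's secfix package): audit whether
# the NPAPI plugin artefacts that firmware 5.1.2 deletes are still present.
# Paths are the ones named in the thread, relative to a root that defaults to "/"
# on a real device and can point at a test tree or a mounted firmware image.

KINDLEPLUGIN_LIB="usr/lib/libkindleplugin.so"                   # the plugin itself
KINDLEPLUGIN_LINK="usr/lib/browser/plugins/libkindleplugin.so"  # symlink the browser loads
BROWSER_PLUGIN_DIR="usr/lib/browser"                            # directory 5.1.2 removes

# kindleplugin_status [ROOT]
# Prints one line per artefact and returns
#   0  none of the three exist (matches the post-5.1.2 state)
#   1  at least one still exists (plugin still reachable, or leftovers remain)
kindleplugin_status() {
    root="${1:-/}"
    root="${root%/}"   # drop a trailing slash so "$root/usr/..." is clean ("/" becomes "")
    found=0
    for rel in "$KINDLEPLUGIN_LIB" "$KINDLEPLUGIN_LINK" "$BROWSER_PLUGIN_DIR"; do
        p="$root/$rel"
        if [ -L "$p" ]; then
            # Test -L before -e: a dangling symlink fails -e but is still a leftover
            if [ -e "$p" ]; then kind="symlink"; else kind="dangling symlink"; fi
            echo "PRESENT  $p ($kind)"
            found=1
        elif [ -d "$p" ]; then
            echo "PRESENT  $p (directory)"
            found=1
        elif [ -e "$p" ]; then
            echo "PRESENT  $p (file)"
            found=1
        else
            echo "absent   $p"
        fi
    done
    return "$found"
}

# Constructed helper for a local dry run: builds a tree that mimics the pre-5.1.2
# layout (sample data, not a real firmware image). The symlink target is relative,
# as a plugin symlink under usr/lib/browser/plugins/ would be.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/usr/lib/browser/plugins"
    : > "$base/usr/lib/libkindleplugin.so"
    ln -s ../../libkindleplugin.so "$base/usr/lib/browser/plugins/libkindleplugin.so"
}

# Usage on a device or mounted image (not run automatically here):
#   . ./kindleplugin_audit.sh; kindleplugin_status /mnt/rootfs; echo "exit=$?"
```

Removing only the symlink makes the first line read "absent" for the link while the library line still says "PRESENT (file)", which is exactly bhaak's objection; after a full 5.1.2-style removal all three lines read "absent" and the function returns 0, so it can sit in a post-update check script.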