#16
Unless Amazon patched it in 5.1.0, you could previously visit any web page over 3G by clicking a link to Google on a Facebook "desktop site" page, from social networking. There was a YouTube video showing this, but Google seems to not be finding it now. Aha... found it. This worked on stock firmware, no jailbreak, no hacks. It seems that accessing the web with the social network "browser" uses a relaxed rule set. I see that the video says that it is also for 5.1.0. This new updated video was just posted 2 weeks ago. I am sure that I first saw this long before 5.1.0 was around. The old one showed a closeup of the 3G connection. This one cheats and uses WiFi, but he SAYS it also works on 3G. The old video SHOWED a 3G demo. I wonder if the old video is still out there...

Of course, this is complicated enough to be only useful in a real emergency, or by an automated tool such as a botnet might use. Also, after the gaping security hole announced in this thread, it may be worth looking for more security screw-ups that they added to this firmware version. Perhaps we can get a root shell from the search bar now by escalating a framework shell? (FYI I used a netcat reverse shell started from the home page search bar when I was trying to get root on 5.0.0, running as user "framework", back before the MP3 jailbreak.)

Note to Amazon staff: We want root access so we can add fun things to our Kindles, such as these:

geekmaster kindle video player: https://www.mobileread.com/forums/sho...d.php?t=177455
[Kindle Touch] xterm & matchbox-keyboard: https://www.mobileread.com/forums/sho...d.php?t=179286
newtrix - geekmaster's new tricks: https://www.mobileread.com/forums/sho...d.php?t=176802

But ESPECIALLY so we can continue to help debrick Kindles for people who found us AFTER your firmware updates bricked their unmodified Kindle. Please continue to add features and fix bugs (instead of adding new bugs like 5.1.0 did, which bricked a lot of Kindles). But while you are making things BETTER, do not lock us out! Adding obfuscation to the Java code in 5.1.0 is very annoying but does not really slow anybody down. Please stop doing that crap, okay?

Last edited by geekmaster; 05-27-2012 at 10:14 PM.
#17
@Amazon: While you're at it... this post contains a similar request, and similar arguments (read the parts in red). This forum is not a threat to you. On the contrary: We are, in fact, helping you to make your products better, and we support your user base. So please, just stop making our lives more difficult for no reason.
#18
No, they will not read it. They don't look here. Only I am reading your entreaties here.

Anyway, did anybody write to Amazon/Lab126 about this attack vector? I really think this forum isn't monitored by Amazon staff. And while I personally will not contact Amazon, I have no objections about reporting it ASAP.

Last edited by eureka; 05-31-2012 at 05:36 AM.
#19
Quote:
#20
BTW, this has just been covered on the largest German-speaking IT website: http://www.heise.de/meldung/Sicherhe...h-1636888.html

I guess this puts a bit more pressure on Amazon to finally roll out a fix for the issue: "Gegenüber heise Security erklärte Amazons Sicherheitsabteilung, dass sie bereits an einem Patch arbeitet." -- "Amazon's security department told heise Security that they are already working on a patch."
#21
It will be "interesting" to see what new exploitable bugs they add when they fix this one.

I wonder why it is taking them so long to fix this one...
#22
Security fix

OK, so... I'm attaching an update package which can disable (or re-enable) the vulnerability, until Amazon comes up with a proper patch.

To install the package, your device obviously needs to be jailbroken. Ironically, if needed, the jailbreak can be installed using the very vulnerability that this package fixes.

EDIT: There's a typo in the README: Of course, the vulnerability isn't triggered, but it (rather: its availability) is toggled. Sorry for the potential confusion.

EDIT 2: This is obsolete. The vulnerability has been fixed with Firmware 5.1.2.

Last edited by ixtab; 07-23-2012 at 11:39 PM.
#23
I wonder who gave Heise the hint about this exploit, or which of the forum goers in here is a Heise employee.

Or maybe it was time again for a Kindle article and Heise didn't have anything else to write about.
#24
Quote:
#25
Quote:
#26
It's old news already, but I'd like to see them here for completeness.

The update to 5.1.2 (amongst other changes) deletes the NPAPI plugin /usr/lib/libkindleplugin.so, the symlink /usr/lib/browser/plugins/libkindleplugin.so and the directory /usr/lib/browser, thus eliminating a possible remote attack vector. I didn't update to 5.1.2 yet, so I can't confirm whether setting the LIPC property of com.lab126.system still allows executing arbitrary shell code. Anybody willing to check? (Anyway, it's a minor nuisance, as without the browser plugin there is no more obvious remote access to the KT.)
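As an added example that is not part of this thread or of any Kindle project: a small audit that checks whether the three paths named in the post above are actually gone after an update, so the 5.1.2 cleanup can be confirmed on a device rather than assumed. The optional root-prefix argument is an assumption so the same check can be run against a mounted image or a test directory.

```shell
# Added example (not from the thread): confirm that the 5.1.2 cleanup
# described above has landed. The three paths are the ones the post names;
# the optional prefix ($1) is an assumption so the check can be pointed at
# a mounted firmware image or a scratch directory instead of "/".
plugin_removed() {
  root="${1:-}"
  rc=0
  for p in /usr/lib/libkindleplugin.so \
           /usr/lib/browser/plugins/libkindleplugin.so; do
    # -e follows symlinks; -L also catches a dangling symlink left behind
    if [ -e "$root$p" ] || [ -L "$root$p" ]; then
      echo "still present: $p"
      rc=1
    fi
  done
  if [ -d "$root/usr/lib/browser" ]; then
    echo "directory still present: /usr/lib/browser"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "NPAPI plugin removed: 5.1.2 cleanup is in place"
  fi
  return "$rc"
}
```

A non-zero exit status means at least one of the plugin artifacts is still on the filesystem and the remote vector the post describes has not been closed by the update.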