11-19-2011, 01:11 AM   #88
yifanlu
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Still looking for an exploit in the PDF renderer. So far, there isn't much progress. I found one stack overflow bug in the PDF loader, but unfortunately, the code seems to be for debugging or future implementation or something, as it will never be called (AFAIK, need more research). The function is supposed to build a complete path for a PDF file when passed just the file name, and skip it if passed an already complete path. The problem is that it seems like the Kindle will always pass a complete path, while the bug is in the creation of the path. Basically, it creates a stack of 0x200 bytes, memset()s it to zero, and calls getcwd() to get the current directory. Afterwards, it calls strncat to add the filename. However, strncat is passed a size_t max_len of 0x200. This means that if the length of the filename + path is > 0x200 bytes, it would overflow the stack, allowing us to write the return pointer. It would be great if I could use this, but it's just Amazon teasing us.

I want to start an IRC or something. If there's anyone else working on the jailbreak, please contact me.
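The bug pattern described above (strncat given the whole buffer size as its limit, rather than the space left after the directory was copied in) is worth seeing next to its fixed form. The following is an added example, not the Kindle's code and not from the poster; the directory string is constructed in place of getcwd() so the example runs deterministically, and the function names are made up for illustration. It computes how many bytes the buggy bound would let strncat write, and shows the hardened builder that passes the remaining space and rejects input that would not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PATH_BUF 0x200   /* same buffer size as in the post */

/* Assumption: a stand-in for getcwd(); a constructed directory string
 * replaces the real call so the example runs the same way everywhere. */
static const char *fake_cwd(void) { return "/mnt/us/documents"; }

/* Returns non-zero if the name is already a complete path (nothing to build). */
static int is_complete_path(const char *name) { return name[0] == '/'; }

/* The buggy pattern from the post: strncat is given the total buffer size
 * as its limit, but strncat treats that limit as the number of bytes it may
 * APPEND on top of what is already in the buffer. This function performs no
 * write; it only computes how many bytes such a call would need, so a
 * caller can see when that exceeds PATH_BUF. */
size_t bytes_needed_with_buffer_size_limit(const char *cwd, const char *name)
{
    size_t cwd_len  = strlen(cwd) + 1;                     /* cwd plus '/' */
    size_t name_len = strlen(name);
    size_t appended = name_len < PATH_BUF ? name_len : PATH_BUF;
    return cwd_len + appended + 1;                         /* +1 for the NUL */
}

/* Hardened builder: the limit handed to strncat is the space actually left
 * in the buffer, and over-long input is reported instead of being written. */
int build_pdf_path(char *out, size_t out_size, const char *cwd, const char *name)
{
    if (is_complete_path(name)) {
        if (strlen(name) >= out_size) return -1;           /* does not fit */
        memcpy(out, name, strlen(name) + 1);
        return 0;
    }
    if (strlen(cwd) + 1 + strlen(name) >= out_size) return -1;  /* does not fit */
    memset(out, 0, out_size);
    strncat(out, cwd,  out_size - 1);                      /* buffer is empty here */
    strncat(out, "/",  out_size - strlen(out) - 1);        /* remaining space */
    strncat(out, name, out_size - strlen(out) - 1);        /* remaining space */
    return 0;
}

/* Self-check used when the example is run stand-alone; returns 0 on success. */
int demo(void)
{
    char out[PATH_BUF];
    char long_name[PATH_BUF + 16];                         /* constructed over-long name */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    if (build_pdf_path(out, sizeof out, fake_cwd(), "book.pdf") != 0) return 1;
    if (strcmp(out, "/mnt/us/documents/book.pdf") != 0) return 2;
    if (build_pdf_path(out, sizeof out, fake_cwd(), "/tmp/x.pdf") != 0) return 3;
    if (strcmp(out, "/tmp/x.pdf") != 0) return 4;
    /* a filename longer than the buffer must be rejected, not written */
    if (build_pdf_path(out, sizeof out, fake_cwd(), long_name) != -1) return 5;
    /* with the post's bound the same input would need more than 0x200 bytes */
    if (bytes_needed_with_buffer_size_limit(fake_cwd(), long_name) <= PATH_BUF) return 6;
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

The second argument to strncat is the key point: passing `sizeof buf` only bounds the appended piece, so the total can reach `strlen(cwd) + sizeof buf`. Passing `sizeof buf - strlen(buf) - 1` bounds the total, and the explicit length check before any copy makes the failure visible to the caller instead of silently truncating.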