Quote:
Originally Posted by HarryT
Even if the Kindle had a buffer overflow "exploit" in its MP3 player (and I've never heard anyone say that it does), do you really think that anyone is going to go to the trouble of adding code to an MP3 file which will execute on the extremely obscure ARM Freescale processor that the Kindle uses? I really, REALLY doubt it myself.
Harry, please go and have a look at how this hack was done.
This is no obscure buffer overflow exploit.
http://yifan.lu/2011/12/10/kindle-to...kroot-and-ssh/
An MP3 file contains tags, such as the name of the singer or the name of the song. Those tags are displayed by the player "application", which is, in reality, just a web browser window in disguise. Most of the menus and applications on the Kindle Touch are in fact HTML5 pages with JavaScript and CSS. So the author of the hack simply inserted some JavaScript code into the MP3 tag, and the browser happily displayed the tag, executing the JavaScript code (a function called nativeBridge.dbgCmd() that can execute any shell script as root) in the process, without sanitising the input.
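As an added example (not code from the post above or from the jailbreak linked there), the following Node.js script builds a small ID3v2.3 tag whose title frame carries a script payload, parses the tag back out, and then renders the title the two ways a browser-based player page could: concatenating the raw tag text into markup, and HTML-escaping it first. The nativeBridge.dbgCmd name is the one quoted in the post; the frame layout is the public ID3v2.3 format; the command argument, the rendering functions, the sample tag and its artist name are assumptions constructed for the demo.

```javascript
// Added example, not the original post's or the jailbreak's code: ID3v2.3
// text-frame builder/parser plus unsafe and safe rendering of the title.
// nativeBridge.dbgCmd is the bridge name quoted in the post; the command
// string passed to it below is a placeholder (assumption).

// Build one ID3v2.3 text frame (e.g. "TIT2" = title) with ISO-8859-1 text (encoding byte 0x00).
function buildFrame(id, text) {
  const payload = Buffer.concat([Buffer.from([0x00]), Buffer.from(text, 'latin1')]);
  const header = Buffer.alloc(10);
  header.write(id, 0, 4, 'ascii');
  header.writeUInt32BE(payload.length, 4);   // v2.3 frame sizes are plain big-endian
  header.writeUInt16BE(0, 8);                // frame flags
  return Buffer.concat([header, payload]);
}

// 28-bit "syncsafe" integer used for the tag size in the 10-byte ID3v2 header.
function toSyncsafe(n) {
  return Buffer.from([(n >> 21) & 0x7f, (n >> 14) & 0x7f, (n >> 7) & 0x7f, n & 0x7f]);
}
function fromSyncsafe(buf, off) {
  return (buf[off] << 21) | (buf[off + 1] << 14) | (buf[off + 2] << 7) | buf[off + 3];
}

// Assemble a complete ID3v2.3 tag from {frameId: text} pairs.
function buildId3v2(frames) {
  const body = Buffer.concat(Object.entries(frames).map(([id, t]) => buildFrame(id, t)));
  const header = Buffer.concat([
    Buffer.from('ID3', 'ascii'),
    Buffer.from([0x03, 0x00, 0x00]),        // major version 3, revision 0, no flags
    toSyncsafe(body.length),
  ]);
  return Buffer.concat([header, body]);
}

// Parse the ISO-8859-1 text frames back out of an ID3v2.3 tag. Returns {frameId: text}.
function parseId3v2(buf) {
  if (buf.toString('ascii', 0, 3) !== 'ID3' || buf[3] !== 0x03) throw new Error('not ID3v2.3');
  const size = fromSyncsafe(buf, 6);
  const frames = {};
  let off = 10;
  while (off + 10 <= 10 + size) {
    const id = buf.toString('ascii', off, off + 4);
    if (id === '\0\0\0\0') break;           // padding reached
    const len = buf.readUInt32BE(off + 4);
    const data = buf.subarray(off + 10, off + 10 + len);
    if (id[0] === 'T' && data[0] === 0x00) frames[id] = data.toString('latin1', 1);
    off += 10 + len;
  }
  return frames;
}

// What the post describes: tag text dropped straight into the page's markup,
// so a <script> element in the title becomes code rather than a song name.
function renderTitleUnsafe(title) {
  return '<div class="title">' + title + '</div>';
}

// Hardened: escape the five HTML metacharacters so the tag can only ever be text.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}
function renderTitleSafe(title) {
  return '<div class="title">' + escapeHtml(title) + '</div>';
}

// Constructed sample: an attacker-controlled title calling the privileged bridge.
const PAYLOAD_TITLE = '<script>nativeBridge.dbgCmd("id > /tmp/pwned");</script>';
const SAMPLE_TAG = buildId3v2({ TIT2: PAYLOAD_TITLE, TPE1: 'Nobody' });

// Does the rendered markup still contain an executable script element?
function containsScript(html) {
  return /<script[\s>]/i.test(html);
}

// Parse the constructed tag and compare both render paths.
function demoId3Injection() {
  const tags = parseId3v2(SAMPLE_TAG);
  return {
    unsafe: containsScript(renderTitleUnsafe(tags.TIT2)),
    safe: containsScript(renderTitleSafe(tags.TIT2)),
  };
}

console.log(demoId3Injection()); // prints { unsafe: true, safe: false }
```

Run it with node. The check is on the emitted markup, not on a live browser: whether a payload actually fires depends on the sink the page uses (a script element written with document.write runs, one assigned through innerHTML does not, whereas an inline event handler attribute runs in either case), which is why the fix is to treat every tag value as text rather than to block one element name.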