Old 10-21-2023, 12:18 PM   #1
GeorgeYellow
Enthusiast
GeorgeYellow is faster than a rolling 'o,' stronger than silent 'e,' and leaps capital 'T' in a single bound!
 
Posts: 49
Karma: 50000
Join Date: Nov 2017
Device: Nook, Kindle
5.16.2 Exploitable? system() call

Looking at the differences between 5.16.2 and 5.16.3, I think I found a smoking gun of a change.

There is a small difference between the versions of "usr/lib/blanket/langpicker.so.1.0"
In the function: module_langpicker_utilDeleteExtraDictionaries

Before:
Code:
          __sprintf_chk(acStack_238,1,0x206,"rm -rf %s/%s","/mnt/us/documents/dictionaries",pcVar2);
          pcVar6 = (char *)system(acStack_238);
After:
Code:
          __sprintf_chk(acStack_830,1,0x200,"%s/%s","/mnt/us/documents/dictionaries",pcVar2);
          pcVar6 = (char *)lab126_rmdir(acStack_830);
This was passing strings to "system()" which is a glaring problem.

Expanding out a bit:
Code:
  __dirp = opendir("/mnt/us/documents/dictionaries");
  if (__dirp == (DIR *)0x0) {
    if (iVar1 == 0) {
      return;
    }
  }
  else {
LAB_000134d4:
    pdVar4 = readdir(__dirp);
    if (pdVar4 != (dirent *)0x0) {
      pcVar2 = pdVar4->d_name;
      iVar5 = strcmp(pcVar2,".");
      if (((iVar5 != 0) && (iVar5 = strcmp(pcVar2,".."), iVar5 != 0)) &&
         (pcVar6 = strchr(pcVar2,0x2e), pcVar6 == (char *)0x0)) {
        puVar7 = (undefined4 *)g_list_find_custom(iVar1,pcVar2,&LAB_00012534);
        if (puVar7 == (undefined4 *)0x0) {
          __sprintf_chk(acStack_238,1,0x206,"rm -rf %s/%s","/mnt/us/documents/dictionaries",pcVar2);
          pcVar6 = (char *)system(acStack_238);
          if ((pcVar6 == (char *)0x0) || ((g_blanket_llog_mask & 0x2000000) == 0))
          goto LAB_000134d4;
          pcVar2 = 
          "E langpicker:DELETE_DICTIONARIES_FAILED:returnCode=%d:Error deleting unneeded dictionary  directory"
It looks like this code walks through "/mnt/us/documents/dictionaries" (which is on the exposed file system!)

For each filename it finds, if it isn't in the list, it will append that filename to a string and pass it to system.

Using Shell escapes such as
Code:
`someprogram`
or
Code:
$(some program)
should be valid filenames.
However, slashes are NOT normally allowed (is that why there was a mention of corrupting the VFAT file system?)

Looking at the calling function, it appears to be: 'changeLocale'

This is called from the startup script "etc/upstart/langpicker.conf"
Code:
        # send the event to langpicker module to install the language
        lipc-send-event com.lab126.blanket.langpicker changeLocale -s "en-US"
and from "langPicker" ("language_picker.js")
Code:
       setTimeout(function() {
            nativeBridge.sendLipcEvent(LIPC_PILLOW_SOURCE, "changeLocale", changeLocaleParams);
            actionsInactive = false;
        }, SPLASH_EVENT_TIME_OUT);
It does NOT appear to be called when changing the language in the GUI - but that uses Java (settings booklet) and not JavaScript (language_picker.js).

So, the exploit path seems to be:
  • Create a file in documents/dictionaries with Shell injection to run something
  • Use 'mesquito' to call the LIPC function changeLocale
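An added example, not from the post above and not from the Kindle firmware, that puts the 5.16.2 pattern (format a directory entry name into "rm -rf ..." and hand it to a shell) next to a replacement that deletes the tree with nftw() and never involves a shell. The names build_rm_command, name_has_shell_metachars, is_plain_entry_name, safe_remove_entry and demo_roundtrip are this example's own; the real lab126_rmdir from 5.16.3 is not known from the post, and the temporary directory tree built by demo_roundtrip is constructed for the demonstration. The unsafe function only formats the command string so the reader can see the entry name land in it unquoted; it never calls system().

```c
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path taken from the decompiled code in the post. */
#define DICT_DIR "/mnt/us/documents/dictionaries"

/* Unsafe pattern, as in 5.16.2: the entry name is pasted into a shell command
 * line with no quoting. This helper only builds the string; it never runs it.
 * A name such as `x` or $(x) survives into the command unchanged. */
int build_rm_command(char *out, size_t outsz, const char *name) {
    return snprintf(out, outsz, "rm -rf %s/%s", DICT_DIR, name);
}

/* Validation/detection check: does the entry name contain any character a
 * POSIX shell would interpret? Returns 1 if it does, 0 otherwise. */
int name_has_shell_metachars(const char *name) {
    return strpbrk(name, "`$;&|<>(){}\\\"' \t\n*?[]~!#") != NULL;
}

/* A plain, single-component entry name: non-empty, not "." or "..", no '/'. */
int is_plain_entry_name(const char *name) {
    if (name[0] == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (strchr(name, '/') != NULL) return 0;
    return 1;
}

/* nftw() callback: with FTW_DEPTH a directory is visited (FTW_DP) only after
 * its contents, so rmdir() is safe by then; everything else is unlinked. */
static int rm_cb(const char *path, const struct stat *sb, int typeflag,
                 struct FTW *ftwbuf) {
    (void)sb; (void)ftwbuf;
    if (typeflag == FTW_DP) return rmdir(path);
    return unlink(path);
}

/* Hardened replacement: recursive delete of base/name with no shell.
 * Refuses names that are not a single plain path component and refuses
 * paths that would be truncated. Returns 0 on success, -1 on failure. */
int safe_remove_entry(const char *base, const char *name) {
    char path[PATH_MAX];
    if (!is_plain_entry_name(name)) return -1;
    int n = snprintf(path, sizeof path, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    return nftw(path, rm_cb, 16, FTW_DEPTH | FTW_PHYS) == 0 ? 0 : -1;
}

/* Constructed round trip: make a temp tree whose subdirectory is named like a
 * shell substitution, delete it the safe way, and confirm it is gone.
 * Returns 1 on success, 0 on any failure. */
int demo_roundtrip(void) {
    char base[] = "/tmp/dictdemo.XXXXXX";   /* constructed scratch root */
    const char *name = "$(x)";              /* constructed hostile-looking name */
    char sub[PATH_MAX], file[PATH_MAX];
    struct stat st;
    if (mkdtemp(base) == NULL) return 0;
    snprintf(sub, sizeof sub, "%s/%s", base, name);
    snprintf(file, sizeof file, "%s/inner", sub);
    if (mkdir(sub, 0700) != 0) return 0;
    FILE *f = fopen(file, "w");
    if (f == NULL) return 0;
    fputs("constructed\n", f);
    fclose(f);
    int rc = safe_remove_entry(base, name);
    int gone = (stat(sub, &st) != 0);
    rmdir(base);
    return rc == 0 && gone;
}

int main(void) {
    char cmd[512];
    build_rm_command(cmd, sizeof cmd, "$(x)");
    printf("unsafe command string: %s\n", cmd);
    printf("metachars in \"$(x)\": %d, in \"en_US\": %d\n",
           name_has_shell_metachars("$(x)"), name_has_shell_metachars("en_US"));
    printf("safe round trip ok: %d\n", demo_roundtrip());
    return 0;
}
```

The point of the hardened version is not the metacharacter check (that is useful as a log-time detection, since a dictionary directory whose name contains `$(` or a backtick has no legitimate reason to exist) but the removal of the shell from the path: once the entry name is only ever used as a filesystem path component, its contents cannot be executed. The length check also closes the truncation case, where a long name would otherwise be cut mid-path before deletion.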