5.16.2 Exploitable? system() call

GeorgeYellow · 10-21-2023, 12:18 PM

Looking at the differences between 5.16.2 and 5.16.3, I think I found a smoking gun of a change.

There is small difference the versions of "usr/lib/blanket/langpicker.so.1.0"
In the function: module_langpicker_utilDeleteExtraDictionaries

Before:

Code:

          __sprintf_chk(acStack_238,1,0x206,"rm -rf %s/%s","/mnt/us/documents/dictionaries",pcVar2);
          pcVar6 = (char *)system(acStack_238);

after:

Code:

          __sprintf_chk(acStack_830,1,0x200,"%s/%s","/mnt/us/documents/dictionaries",pcVar2);
          pcVar6 = (char *)lab126_rmdir(acStack_830);

This was passing strings to "system()" which is a glaring problem.

Expanding out a bit:

Code:

  __dirp = opendir("/mnt/us/documents/dictionaries");
  if (__dirp == (DIR *)0x0) {
    if (iVar1 == 0) {
      return;
    }
  }
  else {
LAB_000134d4:
    pdVar4 = readdir(__dirp);
    if (pdVar4 != (dirent *)0x0) {
      pcVar2 = pdVar4->d_name;
      iVar5 = strcmp(pcVar2,".");
      if (((iVar5 != 0) && (iVar5 = strcmp(pcVar2,".."), iVar5 != 0)) &&
         (pcVar6 = strchr(pcVar2,0x2e), pcVar6 == (char *)0x0)) {
        puVar7 = (undefined4 *)g_list_find_custom(iVar1,pcVar2,&LAB_00012534);
        if (puVar7 == (undefined4 *)0x0) {
          __sprintf_chk(acStack_238,1,0x206,"rm -rf %s/%s","/mnt/us/documents/dictionaries",pcVar2);
          pcVar6 = (char *)system(acStack_238);
          if ((pcVar6 == (char *)0x0) || ((g_blanket_llog_mask & 0x2000000) == 0))
          goto LAB_000134d4;
          pcVar2 = 
          "E langpicker:DELETE_DICTIONARIES_FAILED:returnCode=%d:Error deleting unneeded dictionary  directory"

It looks like this code walks through "/mnt/us/documents/dictionaries" (which is on the exposed file system!)

For each filename it finds, if it isn't in the list, it will append that filename to a string and pass it to system.

Using Shell escapes such as

Code:

`someprogram`

or

Code:

$(some program)

should be valid filenames.
However, slashes are NOT normally allowed (is that why there was a mention of corrupting the VFAT file system?)

Looking at the calling function, it appears to be: 'changeLocale'

This is called from the startup script "etc/upstart/langpicker.conf"

Code:

        # send the event to langpicker module to install the language
        lipc-send-event com.lab126.blanket.langpicker changeLocale -s "en-US"

and from "langPicker" ("language_picker.js")

Code:

       setTimeout(function() {
            nativeBridge.sendLipcEvent(LIPC_PILLOW_SOURCE, "changeLocale", changeLocaleParams);
            actionsInactive = false;
        }, SPLASH_EVENT_TIME_OUT);

It does NOT appear to be called when changing the language in the GUI - but that uses Java (settings booklet) and not Javascript (language_picker.js).

So, the exploit path seems to be:

Create a file in documents/dictionaries with Shell injection to run something
Use 'mesquito' to call the LIPC function changeLocale

HackerDude · 10-21-2023, 02:51 PM

Watch me make this a POC

Thank you for this incredible find

HackerDude · 10-21-2023, 03:01 PM

nvm my kindle seems to have auto-updated to 5.16.3.1 :/

I must've forgotten to put it on airplane mode

But yes, it should be possible, I'll try to work on it despite not being able to test it...

HackerDude · 10-21-2023, 03:19 PM

Yep, Kindles now use:

https://en.cppreference.com/w/cpp/io/c/remove

To delete files

Subsonic2084 · 10-22-2023, 10:11 AM

I have a kindle PW5 with 5.15.1 and would be willing to help test any poc/jailbreak.

JSWolf · 10-22-2023, 10:18 AM

Quote:

Originally Posted by Subsonic2084

I have a kindle PW5 with 5.15.1 and would be willing to help test any poc/jailbreak.

Do you realize that you are risking bricking your PW5?

HackerDude · 10-22-2023, 03:26 PM

Update: I cannot get this to trigger, even with Mesquito

I can easily change languages via the event, but cannot trigger dictionary deletion at the moment...

luketheduke · 10-22-2023, 04:13 PM

Quote:

Originally Posted by Bluebotlabs

Update: I cannot get this to trigger, even with Mesquito

I can easily change languages via the event, but cannot trigger dictionary deletion at the moment...

Neither can I

Currently on 5.15.1.1.

Running

Code:

strings /usr/lib/blanket/langpicker.so.1.0

does show

Code:

...
rm -rf %s/%s
E langpicker:DELETE_DICTIONARIES_FAILED:returnCode=%d:Error deleting unneeded dictionary directory
...

so it should still be vulnerable.

Marek · 10-22-2023, 05:08 PM

From reading the code I think you have to switch to "zh-Hans-CN" while langpicker thinks you are in demo mode - this would be easiest achieved with Mesquito (gives us full LIPC access) which allows us to switch to demo mode, reload langpicker, switch back, switch the language while langpicker still thinks you are in demo mode and that should do it, i will be testing this tommorow.

HackerDude · 10-22-2023, 05:15 PM

Yeah, but the code requires a specific set of requirements to be fullfilled to actually delete the dictionary files, which are impossible to exploit under normal circumstances

basically doesn't seem to run unless you are initially setting it up or some very specific unattainable language setting

HackerDude · 10-22-2023, 05:16 PM

Quote:

Originally Posted by Marek

From reading the code I think you have to switch to "zh-Hans-CN" while langpicker thinks you are in demo mode - this would be easiest achieved with Mesquito (gives us full LIPC access) which allows us to switch to demo mode, reload langpicker, switch back, switch the language while langpicker still thinks you are in demo mode and that should do it, i will be testing this tommorow.

The only problem is I haven't been able to get Mesquito to reliably work in demo mode
Also some further requirement stuff (like the semicolon)

GeorgeYellow · 10-23-2023, 06:35 PM

This seems to be an ancient bug, it looks like it is there on firmwares that can be jailbroken by other means.

So in theory it's possible to send the lipc directly, but in practice the semicolon is a problem.

There seem to be two ways to get to the vulnerable area

1. The language tag would be "zh-Hans-CN;"

Code:

      module_langpicker_utilChangeLocale(param_3,pcVar9);
      pcVar9 = (char *)module_langpicker_utilGetLocaleLangTag(param_3,pcVar9);
      if ((*(int *)(param_3 + 8) != 0) &&
         (pcVar10 = strstr("zh-Hans-CN;",pcVar9), pcVar10 != (char *)0x0)) {
        module_langpicker_utilDeleteExtraDictionaries(param_3,pcVar9);
      }

It's possible to set "zh-Hans-CN", but without the semi-colon.

Does anyone know where the local tag comes from?
In the code, param_3 is "UserData", which seems to be set when registering the Lipc handler - but doesn't happen in this module?

2. After a factory reset?

Code:

      pcVar10 = strstr(__haystack,"-x-");
      pcVar4 = strstr(__haystack,"-tut_inst-");
      if (pcVar10 == (char *)0x0) {
        if (pcVar4 == (char *)0x0) {
          strcpy(pcVar9,__haystack);
          iVar6 = 0;
        }
...
      iVar5 = module_langpicker_utilDoesFileExist("/var/local/system/locale");
      if (iVar5 == 0) {
        if (iVar6 == 0) {
          iVar6 = module_langpicker_utilDoesFileExist("/var/local/system/factory_fresh");
          if (iVar6 == 0) {
            if ((g_blanket_llog_mask & 0x800000) != 0) {
              __syslog_chk(5,1,
                           "I langpicker:LANGPICKER:Skipping dictionary and font deletion:First Boot  file found"
                          );
            }
          }
          else {
            strncpy(acStack_64,pcVar9,0x31);
            local_33 = 0;
            module_langpicker_utilDeleteExtraDictionaries(param_3,pcVar9);
            module_langpicker_utilDeleteExtraContentPacks(param_3,acStack_64);
          }
        }

The only way for "/var/local/system/locale" and "/var/local/system/factory_fresh" to not exist seems to be running the OOBE code.

However, the factory reset is a problem, because that would wipe the user-store partition!
Maybe there's a way to enable usb-storage before selecting the language?

reminon · 10-23-2023, 09:39 PM

I have a scribe on 5.16.1.

Marek · 10-24-2023, 02:32 AM

Quote:

Originally Posted by GeorgeYellow

It's possible to set "zh-Hans-CN", but without the semi-colon.

Does anyone know where the local tag comes from?
In the code, param_3 is "UserData", which seems to be set when registering the Lipc handler - but doesn't happen in this module?

I don't think the semicolon should be a problem, the function strstr(a, b) searches for b in a (for "zh-Hans-CN" in "zh-Hans-CN;") and returns a pointer to the substring - thus it's not 0 when it's found (the condition is (*(int *)(param_3 + 8) != 0 && str(a, b) != 0)) so the problem in this is the param_3 shenanigans.
From what I can tell langpicker is a blanket module so the setup of it's UserData (param_3) would probably happen there during the load event.
From what I can tell param_3 is also passed to the actual delete function where the exact same pointer (*(int *)(param_3 + 8)) == 0 is used to tell whatever or not it should use locales or demo_locales from which i assume that it's set to 0 in normal mode and to a non zero value during demo_mode.

Further more langpicker.js seems to hint at that it's very crucial during the switch to demo mode - it is the first thing you see after boot when the demo boot flag is set and then does the rest of the transition - informing the system and creating the demo flag file - after that it reloads langpicker blanket module and continues showing it's UI

GeorgeYellow · 10-25-2023, 04:42 PM

I thought switching to demo wiped the user-store, but apparently it doesn't!

So, this is a working flow on a jailbroken Kindle (without Mesquito).
The only missing piece is doing the Mesquito LIPC pieces.

1. Create files in 'documents/directories'
I used the following two files:
abc`sleep 123`
abc`mkdir ${PWD}mnt${PWD}us${PWD}victory`

(if you don't put the abc at the beginning, you delete all of 'documents/dictionaries/"

2. Search on ";enter_demo"
This creates the demo flag, but doesn't reboot!

3. Need Mesquito to do this sequence of LIPC
nativeBridge.setLipcProperty("com.lab126.blanket", "unload", "langpicker");
nativeBridge.setLipcProperty("com.lab126.blanket", "load", "langpicker");

I did this with "lipc-set-prop" from the Kindle command-line

4. Search on ";exit_demo"
So the Kindle doesn't reboot into Demo mode ..
Blanket has already switched to Demo mode

5. Have Mesquito do the following two LIPC changes one after another (with a delay)
lipc-send-event com.lab126.blanket.langpicker changeLocale -s "zh-Hans-CN"
lipc-send-event com.lab126.blanket.langpicker changeLocale -s "en-US"

6. After the sleep, the Kindle will reboot (!), but if all the steps are done properly it reboots in normal mode, without having changed to Chinese.
Also, there is now a 'victory' directory in the root of the shared folder!

10-21-2023, 12:18 PM	#1
GeorgeYellow Enthusiast Posts: 48 Karma: 50000 Join Date: Nov 2017 Device: Nook, Kindle	5.16.2 Exploitable? system() call Looking at the differences between 5.16.2 and 5.16.3, I think I found a smoking gun of a change. There is small difference the versions of "usr/lib/blanket/langpicker.so.1.0" In the function: module_langpicker_utilDeleteExtraDictionaries Before: Code: __sprintf_chk(acStack_238,1,0x206,"rm -rf %s/%s","/mnt/us/documents/dictionaries",pcVar2); pcVar6 = (char )system(acStack_238); after: Code: __sprintf_chk(acStack_830,1,0x200,"%s/%s","/mnt/us/documents/dictionaries",pcVar2); pcVar6 = (char )lab126_rmdir(acStack_830); This was passing strings to "system()" which is a glaring problem. Expanding out a bit: Code: __dirp = opendir("/mnt/us/documents/dictionaries"); if (__dirp == (DIR )0x0) { if (iVar1 == 0) { return; } } else { LAB_000134d4: pdVar4 = readdir(__dirp); if (pdVar4 != (dirent )0x0) { pcVar2 = pdVar4->d_name; iVar5 = strcmp(pcVar2,"."); if (((iVar5 != 0) && (iVar5 = strcmp(pcVar2,".."), iVar5 != 0)) && (pcVar6 = strchr(pcVar2,0x2e), pcVar6 == (char )0x0)) { puVar7 = (undefined4 )g_list_find_custom(iVar1,pcVar2,&LAB_00012534); if (puVar7 == (undefined4 )0x0) { __sprintf_chk(acStack_238,1,0x206,"rm -rf %s/%s","/mnt/us/documents/dictionaries",pcVar2); pcVar6 = (char )system(acStack_238); if ((pcVar6 == (char *)0x0) \|\| ((g_blanket_llog_mask & 0x2000000) == 0)) goto LAB_000134d4; pcVar2 = "E langpicker:DELETE_DICTIONARIES_FAILED:returnCode=%d:Error deleting unneeded dictionary directory" It looks like this code walks through "/mnt/us/documents/dictionaries" (which is on the exposed file system!) For each filename it finds, if it isn't in the list, it will append that filename to a string and pass it to system. Using Shell escapes such as Code: `someprogram` or Code: $(some program) should be valid filenames. However, slashes are NOT normally allowed (is that why there was a mention of corrupting the VFAT file system?) Looking at the calling function, it appears to be: 'changeLocale' This is called from the startup script "etc/upstart/langpicker.conf" Code: # send the event to langpicker module to install the language lipc-send-event com.lab126.blanket.langpicker changeLocale -s "en-US" and from "langPicker" ("language_picker.js") Code: setTimeout(function() { nativeBridge.sendLipcEvent(LIPC_PILLOW_SOURCE, "changeLocale", changeLocaleParams); actionsInactive = false; }, SPLASH_EVENT_TIME_OUT); It does NOT appear to be called when changing the language in the GUI - but that uses Java (settings booklet) and not Javascript (language_picker.js). So, the exploit path seems to be: Create a file in documents/dictionaries with Shell injection to run something Use 'mesquito' to call the LIPC function changeLocale

10-21-2023, 03:01 PM	#3
HackerDude Kindle Bricker Posts: 120 Karma: 862606 Join Date: Sep 2022 Location: Why do you want to know? Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)	nvm my kindle seems to have auto-updated to 5.16.3.1 :/ I must've forgotten to put it on airplane mode But yes, it should be possible, I'll try to work on it despite not being able to test it... Last edited by HackerDude; 10-21-2023 at 03:04 PM.

10-21-2023, 03:19 PM	#4
HackerDude Kindle Bricker Posts: 120 Karma: 862606 Join Date: Sep 2022 Location: Why do you want to know? Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)	Yep, Kindles now use: https://en.cppreference.com/w/cpp/io/c/remove To delete files Last edited by HackerDude; 10-22-2023 at 03:35 PM.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Hide System Fonts feature (make system fonts toggable)?	spedinfargo	KOReader	7	10-27-2022 09:11 PM
Kobo system cannot recognize fonts added into system-wide fonts directory?	codychan	Kobo Developer's Corner	11	12-08-2018 05:35 PM
how to clean more disk space in root file system to upgrade system	chinaet	iRex	1	12-18-2006 03:54 PM

10-21-2023, 02:51 PM	#2
HackerDude Kindle Bricker Posts: 120 Karma: 862606 Join Date: Sep 2022 Location: Why do you want to know? Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)	Watch me make this a POC Thank you for this incredible find

10-22-2023, 10:11 AM	#5
Subsonic2084 Junior Member Posts: 1 Karma: 10 Join Date: Oct 2023 Device: Kindle PW5 fw 5.15.1	I have a kindle PW5 with 5.15.1 and would be willing to help test any poc/jailbreak.

10-22-2023, 03:26 PM	#7
HackerDude Kindle Bricker Posts: 120 Karma: 862606 Join Date: Sep 2022 Location: Why do you want to know? Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)	Update: I cannot get this to trigger, even with Mesquito I can easily change languages via the event, but cannot trigger dictionary deletion at the moment...

10-22-2023, 05:08 PM	#9
Marek Groupie Posts: 194 Karma: 1512344 Join Date: Jul 2023 Device: PW3, PW4 :(, KT5, PW5, KLC	From reading the code I think you have to switch to "zh-Hans-CN" while langpicker thinks you are in demo mode - this would be easiest achieved with Mesquito (gives us full LIPC access) which allows us to switch to demo mode, reload langpicker, switch back, switch the language while langpicker still thinks you are in demo mode and that should do it, i will be testing this tommorow.

10-22-2023, 05:15 PM	#10
HackerDude Kindle Bricker Posts: 120 Karma: 862606 Join Date: Sep 2022 Location: Why do you want to know? Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)	Yeah, but the code requires a specific set of requirements to be fullfilled to actually delete the dictionary files, which are impossible to exploit under normal circumstances basically doesn't seem to run unless you are initially setting it up or some very specific unattainable language setting

10-23-2023, 09:39 PM	#13
reminon Enthusiast Posts: 28 Karma: 12656 Join Date: Aug 2023 Device: Kindle Scribe.	I have a scribe on 5.16.1.

10-25-2023, 04:42 PM	#15
GeorgeYellow Enthusiast Posts: 48 Karma: 50000 Join Date: Nov 2017 Device: Nook, Kindle	I thought switching to demo wiped the user-store, but apparently it doesn't! So, this is a working flow on a jailbroken Kindle (without Mesquito). The only missing piece is doing the Mesquito LIPC pieces. 1. Create files in 'documents/directories' I used the following two files: abc`sleep 123` abc`mkdir ${PWD}mnt${PWD}us${PWD}victory` (if you don't put the abc at the beginning, you delete all of 'documents/dictionaries/" 2. Search on ";enter_demo" This creates the demo flag, but doesn't reboot! 3. Need Mesquito to do this sequence of LIPC nativeBridge.setLipcProperty("com.lab126.blanket", "unload", "langpicker"); nativeBridge.setLipcProperty("com.lab126.blanket", "load", "langpicker"); I did this with "lipc-set-prop" from the Kindle command-line 4. Search on ";exit_demo" So the Kindle doesn't reboot into Demo mode .. Blanket has already switched to Demo mode 5. Have Mesquito do the following two LIPC changes one after another (with a delay) lipc-send-event com.lab126.blanket.langpicker changeLocale -s "zh-Hans-CN" lipc-send-event com.lab126.blanket.langpicker changeLocale -s "en-US" 6. After the sleep, the Kindle will reboot (!), but if all the steps are done properly it reboots in normal mode, without having changed to Chinese. Also, there is now a 'victory' directory in the root of the shared folder!

Advert

Advert