#1
reminon
Enthusiast
Posts: 28
Karma: 12656
Join Date: Aug 2023
Device: Kindle Scribe.
Possible exploit lead.
My knowledge on this is limited. I just thought it was interesting and wondered if it may be a possible avenue. I may be way off the mark, and it may be useless for Kindles. If an exploit dev on here wants to look at it and give their opinion on it, that would be awesome.

To onlookers: I am not a dev, so please don't message me with questions on it.

I was looking at the BleedingTooth exploit chain and wondered if it would be viable for use on our Kindles. It allows a remote attacker to gain full control of a target Linux system over Bluetooth. Here's the link: https://github.com/google/security-r.../bleedingtooth

I checked through the kernel source for 5.16.1 on my Scribe, and none of the fixes that were released after the CVEs that make up the chain are implemented. I figure that, at the very least, the kernel offsets would have to be updated for it, since the PoC was written for kernel 5.4.0-48 and 5.16.1 is on kernel 4.9.

The other issue is that the Kindle (at least the Scribe) will only connect to a BT device that has its BT class type set to audio receiver. Doing this was trivial on Ubuntu by modifying the /etc/bluetooth/main.conf file. Afterwards I was able to pair my Steam Deck and Kindle.

I was able to compile the PoC exploit.c. The only dependency I needed was libbluetooth-dev. When running the exploit, I ran it with ./exploit "kindle bt MAC" "127.0.0.1" "1337" without quotes. The exploit will run and appears to either be successfully running the exploit or at least not throwing any errors. It stops at "Leaking A2MP kernel stack memory..". The next step in the README says to open a new terminal and use nc to connect to the exploit and run commands. I can get nc to listen on localhost on the right port, but nothing changes in the original terminal, and nc gives no feedback either. I feel like I'm close to getting it working and running a root shell, but I have hit the limit of my knowledge.

If you read to the end, thanks for looking. Again, I'm probably wrong, but I would feel worse if I didn't ask about it. If someone finds it viable and needs any testing, I'm up for it.

On a side note, by changing the BT class on my Steam Deck, I could use it as a Bluetooth speaker for my Kindle and audiobooks. Pointless, but I found it funny. Lol

Last edited by reminon; 09-07-2023 at 02:02 PM.
#2
gibberish
Posts: 20
Karma: 10
Join Date: Apr 2022
Device: Kindle PW5 SEv5.15.1

Quote: