|  04-14-2012, 02:31 PM | #1 | 
| but forgot what it's like            Posts: 741 Karma: 2345678 Join Date: Dec 2011 Location: north (by northwest) Device: Kindle Touch | 
				
				[Kindle Touch] Scriptable browser plugin included in 5.1.0
			 
			
5.1.0 has introduced the NPAPI plugin /usr/lib/libkindleplugin.so (symlinked to /usr/lib/browser/plugins/libkindleplugin.so), which is used by the system-wide WebKit engine. It is a scriptable plugin, so a web page can embed it and invoke its "exported" native methods. To embed:

Code:
<embed type="application/kindle-chrome-scriptable-plugin">

So far, I've found the following "exported" properties and methods:

I hope someone more proficient in understanding disassembled ARM C++ code will share more information about the plugin's methods usage.

To disable the plugin, just change the extension of the symlink in /usr/lib/browser/plugins (or remove this symlink). I believe it will be sufficient.

UPD On 23 Jul 2012 Amazon made available the update to 5.1.2, which must be applied over 5.1.0 or 5.1.1. Amongst other changes, 5.1.2 deletes the NPAPI plugin /usr/lib/libkindleplugin.so, the symlink /usr/lib/browser/plugins/libkindleplugin.so and the directory /usr/lib/browser, thus eliminating the possible remote attack vector.

Last edited by eureka; 07-30-2012 at 05:49 AM. Reason: hooray, there is an official update addressing the possible security issue
|  04-16-2012, 08:44 AM | #2 | 
| Groupie   Posts: 153 Karma: 113 Join Date: Jan 2012 Location: Russia Device: Kindle Touch | 
			
Hmm... *imagines a web page that removes ads using the ToDo mechanism*
|  04-18-2012, 08:23 PM | #3 | 
| but forgot what it's like            Posts: 741 Karma: 2345678 Join Date: Dec 2011 Location: north (by northwest) Device: Kindle Touch | 
			
They are working.

Code:
/**
 * Get Lipc property (only int or string, not hasharray).
 *
 * @param {string} publisher The unique name of the publisher of the property.
 * @param {string} propertyName Name of the property to get.
 *
 * @return {string|int} Property value
 */
function plugin.lipc.get(publisher, propertyName) { ... }

Code:
/**
 * Set Lipc property (only int or string, not hasharray).
 *
 * @param {string} publisher The unique name of the publisher of the property.
 * @param {string} propertyName Name of the property to set.
 * @param {string|int} propertyValue Value to set.
 *
 * @return "success"
 */
function plugin.lipc.set(publisher, propertyName, propertyValue) { ... }

Code:
/**
 * Write into log for wafapp process and com.lab126.browser app id.
 *
 * @param {string} subsystemName First part of log message (usually used for identifier of log writer).
 * @param {string} message Second part of log message (usually used for actual log message).
 * @param {string} severity Must be one of: "info", "warn", "error", "debug", "perf".
 *
 * @return "success"
 */
function plugin.dev.log(subsystemName, message, severity) { ... }

Code:
/**
 * Pass string to ToDo through setting of Lipc property `scheduleToDoItems`.
 *
 * @param {string} todoDocument ToDo document.
 *
 * @return "success"
 */
function plugin.todo.scheduleItems(todoDocument) { ... }
|  04-22-2012, 02:25 PM | #4 | 
| hub            Posts: 715 Karma: 2151032 Join Date: Jan 2012 Location: Iranian in Canada Device: K3G, DXG, Kobo mini | 
			
This looks really interesting! I'm interested in integrating other plugins into WebKit. Do you think this is possible by putting the corresponding *.so libraries in /usr/lib/browser/plugins/?
|  05-27-2012, 11:03 AM | #5 | 
| but forgot what it's like            Posts: 741 Karma: 2345678 Join Date: Dec 2011 Location: north (by northwest) Device: Kindle Touch | 
			
I found a way to execute any shell code with root privileges by setting a LIPC property:

Code:
lipc-set-prop -s com.lab126.system sendEvent ";sh -c 'mntroot rw; echo pwned > /etc/uks/random.pem; mntroot ro'"

On the other hand, it could be used in a new method for easy jailbreaking through a website.

BTW, @silver18, this plugin could be used in WAF apps, I assume. You needed to execute commands from a WAF application, didn't you?

Anyway, I recommend disabling this plugin. Execute in an SSH session:

Code:
mntroot rw && mv /usr/lib/browser/plugins/libkindleplugin.so /usr/lib/browser/plugins/libkindleplugin.so.disabled && mntroot ro && killall wafapp

UPD On 23 Jul 2012 Amazon made available the update to 5.1.2, which must be applied over 5.1.0 or 5.1.1. Amongst other changes, 5.1.2 deletes the NPAPI plugin /usr/lib/libkindleplugin.so, the symlink /usr/lib/browser/plugins/libkindleplugin.so and the directory /usr/lib/browser, thus eliminating the possible remote attack vector.

Last edited by eureka; 07-30-2012 at 05:50 AM. Reason: hooray, there is an official update addressing the possible security issue
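The one-liner above works but is not idempotent and fails silently on a device where the plugin was already renamed or removed. Below is an added example (not from the thread) that does the same rename as a function with presence checks, plus a helper that reports the plugin state; the plugin directory is a parameter so it can be exercised against a scratch directory, and mntroot/killall are only called when they exist on the host:

```shell
#!/bin/sh
# Added example: disable the scriptable NPAPI plugin by renaming it
# (as post #5 suggests), but check state first so the script can be
# re-run safely. Directory defaults to the path named in the thread.

plugin_state() {
    # Prints "enabled", "disabled" or "absent" for the given plugin dir.
    dir="${1:-/usr/lib/browser/plugins}"
    if [ -e "$dir/libkindleplugin.so" ] || [ -L "$dir/libkindleplugin.so" ]; then
        echo enabled
    elif [ -e "$dir/libkindleplugin.so.disabled" ] || [ -L "$dir/libkindleplugin.so.disabled" ]; then
        echo disabled
    else
        echo absent
    fi
}

disable_kindle_plugin() {
    dir="${1:-/usr/lib/browser/plugins}"
    so="$dir/libkindleplugin.so"
    case "$(plugin_state "$dir")" in
        disabled) echo "already disabled: $so.disabled"; return 0 ;;
        absent)   echo "plugin not present in $dir (nothing to do)"; return 0 ;;
    esac
    # On the device the root fs is read-only; remount only when the
    # mntroot helper exists (it does not on a development host).
    if command -v mntroot >/dev/null 2>&1; then mntroot rw; fi
    # Renaming the symlink itself is enough: WebKit only loads *.so names.
    mv "$so" "$so.disabled" || return 1
    if command -v mntroot >/dev/null 2>&1; then mntroot ro; fi
    # The browser keeps the plugin mapped until it is restarted.
    if command -v killall >/dev/null 2>&1; then killall wafapp 2>/dev/null || true; fi
    echo "disabled: $so -> $so.disabled"
    return 0
}
```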
|  05-27-2012, 11:12 AM | #6 | |
| Carpe diem, c'est la vie.            Posts: 6,433 Karma: 10773670 Join Date: Nov 2011 Location: Multiverse 6627A Device: K1 to PW3 | Quote: 
... and somebody needs to IMPLEMENT the code and web page too.

Last edited by geekmaster; 05-27-2012 at 11:18 AM.
|  05-27-2012, 11:21 AM | #7 | 
| Wizard            Posts: 1,379 Karma: 2155307 Join Date: Nov 2010 Location: Goettingen, Germany Device: Kindle Paperwhite, Kobo Mini | 
			
I can very well understand that it is tempting to use this for a jailbreak. However, this is a very serious issue, given that there must be millions of units out there that can now all be turned into botnet drones just by luring their owners onto a website...
|  05-27-2012, 11:25 AM | #8 | 
| (offline)            Posts: 2,907 Karma: 6736094 Join Date: Dec 2011 Device: K3, K4, K5, KPW, KPW2 | 
			
@eureka: Great job! As this is a HUGE security issue, I expect this to be fixed with the next firmware release. I'd bet my money that Amazon starts fixing this as soon as they read this thread.
|  05-27-2012, 11:27 AM | #9 | 
| Carpe diem, c'est la vie.            Posts: 6,433 Karma: 10773670 Join Date: Nov 2011 Location: Multiverse 6627A Device: K1 to PW3 | 
			
You did notice the wink and grin. Yes, a 3G botnet could be especially costly for Amazon (especially if it used the "social network" loophole out to the unrestricted internet on Touch 3G).
|  05-27-2012, 11:31 AM | #10 | |
| Going Viral            Posts: 17,212 Karma: 18210809 Join Date: Feb 2012 Location: Central Texas Device: No K1, PW2, KV, KOA | Quote: 
One "common" practice is to make the browser suid and the user id as "nobody" (with "nobody" not having any privileges of any kind). Not sure if the Kindles have such a user already set up, but somebody with time on their hands might check this out for us.
|  05-27-2012, 11:51 AM | #11 | 
| Carpe diem, c'est la vie.            Posts: 6,433 Karma: 10773670 Join Date: Nov 2011 Location: Multiverse 6627A Device: K1 to PW3 | 
			
If you execute an arbitrary command from the search bar (using the same "semi-colon" hack), it runs as user "framework", which is worse than nobody. The only place it can write is to its own subdirectory on /tmp/. About the only thing it is good for is viewing the shadow file so you can crack it with "john the ripper". None of the "usual" privilege escalation methods worked, so I was not able to gain root access from the search bar. So, I am surprised that this lipc command runs things as root.

Last edited by geekmaster; 05-27-2012 at 12:14 PM.
|  05-27-2012, 12:23 PM | #12 | 
| (offline)            Posts: 2,907 Karma: 6736094 Join Date: Dec 2011 Device: K3, K4, K5, KPW, KPW2 | |
|  05-27-2012, 12:32 PM | #13 | |
| Going Viral            Posts: 17,212 Karma: 18210809 Join Date: Feb 2012 Location: Central Texas Device: No K1, PW2, KV, KOA | Quote: 
But do not take my post as an indication that I confirmed the report. Some additional confirmation would be nice to see from other users.
|  05-27-2012, 02:29 PM | #14 | |
| THE NOOB            Posts: 708 Karma: 1545649 Join Date: Jan 2012 Location: Italy Device: Kindle Touch 5.3.2 | Quote: 
Thanks a lot!! I'll start playing around with this as soon as I find something to use it for (in the meantime, I satisfied my needs with sqlite3 commands). Anyway, I can't get why Amazon didn't fix this security hole but locked the pinch-to-zoom feature (I can't get it to work in my "app" as I did before 5.1.0!!)...
|  05-27-2012, 06:17 PM | #15 | 
| BLAM!            Posts: 13,506 Karma: 26047202 Join Date: Jun 2010 Location: Paris, France Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E | 
			
Am I the only one that finds this somewhat funny? Anyway, good job!