11-11-2020, 10:25 PM   #1
ajoseph
CVE-2020-15999 => Kindle jailbreak now possible

Hey folks, there's a heap overflow in the freetype font rendering library, which (I'm virtually certain) the Kindle is using for user-provided fonts as well as for PDF rendering.

Here's the CVE:

https://www.cybersecurity-help.cz/vdb/SB2020102038

Most reports are calling this a "Google Chrome" weakness because that's where it was exploited first, but the vulnerability is actually in Freetype, which Google bundles with Chrome. So anything using Freetype two weeks ago is vulnerable.

I'm more of an embedded hardware guy and have never written exploits before, so trying to pull together a jailbreak on my own is probably a multi-month project... somebody with more experience can probably do it a lot quicker.

If you have past experience with jailbreaking Kindles and have a price in mind let me know. I'm willing to pay good money for a Kindle Oasis 3 jailbreak. It's the perfect piece of hardware for me except for the fact that I can't replace the software.

If anybody who has successfully authored a jailbreak in the past wants to take a crack at this I will send you a free KOA3 (I have a spare). Both my "daily driver" and this spare have never been connected to Wifi, so they didn't get the recent update (which I'm pretty sure closes this vuln). You need to demonstrate that you were the first to publish a jailbreak for one of the previous kindles, and publicly commit to working on this.
11-11-2020, 11:30 PM   #2
NiLuJe
I'm 95% sure lab126's FT build never actually shipped with PNG support, so, nope?

EDIT: Yup. Neither does Kobo, nor KOReader/Plato.

Last edited by NiLuJe; 11-11-2020 at 11:57 PM.
11-12-2020, 02:54 AM   #3
ajoseph
Quote:
Originally Posted by NiLuJe
I'm 95% sure lab126's FT build never actually shipped with PNG support, so, nope?

EDIT: Yup. Neither does Kobo, nor KOReader/Plato.
PDF, not PNG.

This also affects any ebook reader that can load "publisher-provided" fonts. You know, like where the ebook includes its own font. I know not a lot of them do, but a lot of ebook readers support it.

Freetype is one of only a tiny number of modern font rasterization libraries, and the only one that's open source. Basically everybody except Apple and Microsoft uses Freetype.
11-12-2020, 10:32 AM   #4
NiLuJe
Err, what does PDF (by which I assume you meant Type 1 fonts?) have to do with this?

This affects a block of code behind a giant FT_CONFIG_OPTION_USE_PNG ifdef, in a file named pngshim :?
(i.e., the --with-png autoconf switch)

Last edited by NiLuJe; 11-12-2020 at 01:04 PM.
11-12-2020, 11:13 AM   #5
DNSB
As I read the CVE, it has nothing to do with PDF or Type 1 fonts. To quote: "specially crafted TTF file with PNG sbit glyphs". There are sample TTF files floating around the dark edges of the Internet that will trigger this issue. Whether an Amazon ereader is vulnerable is a good question since libfreetype.so.whatever is included in the installed code.
11-12-2020, 11:14 AM   #6
NiLuJe
Yup, and it's indeed not linked against libpng, at all, which was my original point (i.e., that this whole discussion is moot) ^^.

Last edited by NiLuJe; 11-12-2020 at 01:01 PM.
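Posts #4 and #6 turn on one factual question: was this particular libfreetype.so built with FT_CONFIG_OPTION_USE_PNG (the --with-png switch), which is what pulls the pngshim code and a libpng dependency into the library. The script below is an added example, not code from this thread, from Amazon/lab126 or from the FreeType project. It reads the DT_NEEDED entries of an ELF64 shared object directly (no readelf or ldd required, which matters on a locked-down device) and reports whether any libpng soname is among them. The function names needed_libs, links_libpng and build_sample_elf are mine; the two sample images are constructed in-script so that it runs offline, and the library path on the command line is a placeholder for wherever libfreetype.so lives on your device.

```python
"""Report what a FreeType shared object is dynamically linked against.

Added example: a tiny ELF64 DT_NEEDED reader. A FreeType build configured with
FT_CONFIG_OPTION_USE_PNG normally links libpng, so the NEEDED list is a quick
first check. The sample images are constructed here so the script runs offline.
"""
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
EHDR_SIZE, PHDR_SIZE = 64, 56


def _vaddr_to_offset(loads, addr):
    """Translate a virtual address into a file offset via the PT_LOAD map."""
    for p_vaddr, p_offset, p_filesz in loads:
        if p_vaddr <= addr < p_vaddr + p_filesz:
            return p_offset + (addr - p_vaddr)
    raise ValueError("address %#x is not backed by any PT_LOAD segment" % addr)


def _cstring(data, off):
    """Read a NUL-terminated string starting at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def needed_libs(data):
    """Return the DT_NEEDED names of a little-endian ELF64 image, in order."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []  # no dynamic segment: fully static binary, nothing to report
    needed, strtab_addr = [], None
    dyn_off, dyn_size = dynamic
    for pos in range(dyn_off, dyn_off + dyn_size, 16):  # Elf64_Dyn is 16 bytes
        d_tag, d_val = struct.unpack_from("<qQ", data, pos)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed.append(d_val)  # offset into the dynamic string table
        elif d_tag == DT_STRTAB:
            strtab_addr = d_val   # a virtual address, not a file offset
    if strtab_addr is None:
        return []
    strtab_off = _vaddr_to_offset(loads, strtab_addr)
    return [_cstring(data, strtab_off + o) for o in needed]


def links_libpng(data):
    """True if any DT_NEEDED entry names a libpng soname (libpng12, libpng16, ...)."""
    return any(name.startswith("libpng") for name in needed_libs(data))


def build_sample_elf(needed):
    """Construct a minimal ELF64 shared-object image with the given DT_NEEDED names.

    Constructed test data only: one PT_LOAD mapping the whole file at vaddr 0
    plus one PT_DYNAMIC segment, which is all the reader above needs.
    """
    strtab, offsets = b"\0", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    strtab_off = EHDR_SIZE + 2 * PHDR_SIZE
    dyn_off = (strtab_off + len(strtab) + 7) & ~7  # 8-byte align the dynamic array
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dyn += struct.pack("<qQ", DT_STRTAB, strtab_off) + struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, little-endian, SysV
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, EHDR_SIZE, 0, 0,
                        EHDR_SIZE, PHDR_SIZE, 2, 0, 0, 0)  # ET_DYN, EM_X86_64
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dyn), len(dyn), 8)
    body = strtab + b"\0" * (dyn_off - strtab_off - len(strtab)) + dyn
    return ehdr + phdrs + body


# Constructed stand-ins: a desktop-style build that pulls in libpng, and an
# embedded-style build (what post #6 describes for the Kindle) that does not.
SAMPLE_WITH_PNG = build_sample_elf(["libpng16.so.16", "libz.so.1", "libc.so.6"])
SAMPLE_WITHOUT_PNG = build_sample_elf(["libz.so.1", "libc.so.6"])

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 ftpng.py /PLACEHOLDER/path/to/libfreetype.so.6
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
        print("NEEDED:", ", ".join(needed_libs(image)) or "(none)")
        print("links libpng:", links_libpng(image))
    else:
        for label, image in (("with libpng", SAMPLE_WITH_PNG), ("without libpng", SAMPLE_WITHOUT_PNG)):
            print("%s -> NEEDED %s, links libpng: %s" % (label, needed_libs(image), links_libpng(image)))
```

Two caveats when reading the result on a real library. DT_NEEDED only shows dynamic linkage: a build that links libpng statically (or has it folded into a larger vendor blob) will not list it, so a negative answer should be confirmed by looking for png_ symbol names in the library's string table. Conversely, a libpng entry means the USE_PNG path was compiled in, which is the precondition the CVE text describes, not proof that any particular reader on the device feeds it user-supplied fonts; the two posts above already make the point that an embedded build with no PNG support is not affected by this bug at all.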
Tags: jailbreak, koa3