11-11-2020, 10:25 PM, #1
Member | Posts: 10 | Karma: 10 | Join Date: Jul 2020 | Device: Kobo Forma running KOReader
CVE-2020-15999 => Kindle jailbreak now possible
Hey folks, there's a heap overflow in the freetype font rendering library, which (I'm virtually certain) the Kindle is using for user-provided fonts as well as for PDF rendering.
Here's the CVE: https://www.cybersecurity-help.cz/vdb/SB2020102038. Most reports are calling this a "Google Chrome" weakness because that's where it was exploited first, but the vulnerability is actually in Freetype, which Google bundles with Chrome. So anything using Freetype two weeks ago is vulnerable.

I'm more of an embedded hardware guy and have never written exploits before, so trying to pull together a jailbreak on my own is probably a multi-month project... somebody with more experience can probably do it a lot quicker. If you have past experience with jailbreaking Kindles and have a price in mind let me know. I'm willing to pay good money for a Kindle Oasis 3 jailbreak. It's the perfect piece of hardware for me except for the fact that I can't replace the software.

If anybody who has successfully authored a jailbreak in the past wants to take a crack at this I will send you a free KOA3 (I have a spare). Both my "daily driver" and this spare have never been connected to Wifi, so they didn't get the recent update (which I'm pretty sure closes this vuln). You need to demonstrate that you were the first to publish a jailbreak for one of the previous kindles, and publicly commit to working on this.
11-11-2020, 11:30 PM, #2
BLAM! | Posts: 13,477 | Karma: 26012494 | Join Date: Jun 2010 | Location: Paris, France | Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
I'm 95% sure lab126's FT build never actually shipped with PNG support, so, nope?
EDIT: Yup. Neither does Kobo, nor KOReader/Plato.
Last edited by NiLuJe; 11-11-2020 at 11:57 PM.
11-12-2020, 02:54 AM, #3
Member | Posts: 10 | Karma: 10 | Join Date: Jul 2020 | Device: Kobo Forma running KOReader
This also affects any ebook reader that can load "publisher-provided" fonts. You know, like where the ebook includes its own font. I know not a lot of them do, but a lot of ebook readers support it. Freetype is one of only a tiny number of modern font rasterization libraries, and the only one that's open source. Basically everybody except Apple and Microsoft uses Freetype.
11-12-2020, 10:32 AM, #4
BLAM! | Posts: 13,477 | Karma: 26012494 | Join Date: Jun 2010 | Location: Paris, France | Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Err, what does PDF (by which I assume you meant Type 1 fonts?) have to do with this?
This affects a block of code behind a giant FT_CONFIG_OPTION_USE_PNG ifdef, in a file named pngshim :? (i.e., the --with-png autoconf switch)
Last edited by NiLuJe; 11-12-2020 at 01:04 PM.
11-12-2020, 11:13 AM, #5
Bibliophagist | Posts: 35,401 | Karma: 145435140 | Join Date: Jul 2010 | Location: Vancouver | Device: Kobo Sage, Forma, Clara HD, Lenovo M8 FHD, Paperwhite 4, Tolino epos
As I read the CVE, it has nothing to do with PDF or Type 1 fonts. To quote: "specially crafted TTF file with PNG sbit glyphs". There are sample TTF files floating around the dark edges of the Internet that will trigger this issue. Whether an Amazon ereader is vulnerable is a good question since libfreetype.so.whatever is included in the installed code.
11-12-2020, 11:14 AM, #6
BLAM! | Posts: 13,477 | Karma: 26012494 | Join Date: Jun 2010 | Location: Paris, France | Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Yup, and it's indeed not linked against libpng, at all, which was my original point (i.e., that this whole discussion is moot) ^^.
Last edited by NiLuJe; 11-12-2020 at 01:01 PM.
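Added by the editor, not code from any poster in this thread: a defender-side triage helper that parses a TTF/OTF table directory and reports which bitmap tables (sbix, CBDT) actually carry PNG data, i.e. whether a font is the kind of "TTF file with PNG sbit glyphs" the CVE text describes. Table tags and the sfnt layout follow the OpenType spec; the two fonts built at the bottom are constructed samples, not real fonts.

```python
import struct

# Bitmap tables FreeType hands to pngshim.c (the FT_CONFIG_OPTION_USE_PNG code).
PNG_SBIT_TABLES = (b"sbix", b"CBDT")
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def parse_table_directory(font):
    """Return {tag: table bytes} for every table listed in the sfnt header."""
    if len(font) < 12:
        raise ValueError("too short to be an sfnt font")
    version, num_tables = struct.unpack(">4sH", font[:6])
    if version not in (b"\x00\x01\x00\x00", b"OTTO", b"true"):
        raise ValueError("not an sfnt font: %r" % version)
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", font[rec:rec + 16])
        if offset + length > len(font):
            raise ValueError("table %r runs past end of file" % tag)
        tables[tag] = font[offset:offset + length]
    return tables

def png_sbit_tables(font):
    """Tags of bitmap tables that actually carry PNG data. Triage heuristic:
    a table is flagged when the 8-byte PNG file signature occurs inside it."""
    tables = parse_table_directory(font)
    return [tag for tag in PNG_SBIT_TABLES
            if tag in tables and PNG_SIGNATURE in tables[tag]]

def build_sfnt(tables):
    """Assemble a minimal sfnt blob from {tag: bytes}. Used here only to
    construct sample input; the result is not a renderable font."""
    num = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    directory, body = b"", b""
    base = 12 + 16 * num  # tables start right after the directory
    for tag, payload in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag, 0, base + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
    return header + directory + body

# Constructed samples: an outline-only font, and one with an sbix table whose
# glyph record uses graphicType 'png ' followed by a PNG header.
PLAIN_FONT = build_sfnt({b"glyf": b"\0" * 16, b"loca": b"\0" * 8})
PNG_SBIX_FONT = build_sfnt({b"glyf": b"\0" * 16,
                            b"sbix": b"\0\1\0\1\0\0\0\1png " + PNG_SIGNATURE})
```

Whether a device's libfreetype was built with FT_CONFIG_OPTION_USE_PNG at all (NiLuJe's point) is a separate check of the library binary, not of the font.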