04-14-2012, 02:31 PM | #1 |
but forgot what it's like
Posts: 741
Karma: 2345678
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
[Kindle Touch] Scriptable browser plugin included in 5.1.0
5.1.0 has introduced the NPAPI plugin /usr/lib/libkindleplugin.so (symlinked to /usr/lib/browser/plugins/libkindleplugin.so), which is used by the system-wide WebKit engine.
It is a scriptable plugin, so a web page can embed it and invoke its "exported" native methods. To embed:
Code:
<embed type="application/kindle-chrome-scriptable-plugin">
So far, I've found the following "exported" properties and methods:
I hope someone more proficient in reading disassembled ARM C++ code will share more information about the plugin's methods and their usage. To disable the plugin, just change the extension of the symlink in /usr/lib/browser/plugins (or remove this symlink). I believe that will be sufficient.
UPD On 23 Jul 2012 Amazon made available the update to 5.1.2, which must be applied over 5.1.0 or 5.1.1. Amongst other changes, 5.1.2 deletes the NPAPI plugin /usr/lib/libkindleplugin.so, the symlink /usr/lib/browser/plugins/libkindleplugin.so and the directory /usr/lib/browser, thus eliminating a possible remote attack vector.
Last edited by eureka; 07-30-2012 at 05:49 AM. Reason: hooray, there is an official update addressing a possible security issue
04-16-2012, 08:44 AM | #2 |
Groupie
Posts: 153
Karma: 113
Join Date: Jan 2012
Location: Russia
Device: Kindle Touch
Hmm... *imagines a web page that removes Ads using ToDo mechanism*
04-18-2012, 08:23 PM | #3 |
but forgot what it's like
Posts: 741
Karma: 2345678
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
They are working.
Code:
/**
 * Get Lipc property (only int or string, not hasharray).
 *
 * @param {string} publisher The unique name of the publisher of the property.
 * @param {string} propertyName Name of the property to get.
 *
 * @return {string|int} Property value
 */
function plugin.lipc.get(publisher, propertyName) { ... }
Code:
/**
 * Set Lipc property (only int or string, not hasharray).
 *
 * @param {string} publisher The unique name of the publisher of the property.
 * @param {string} propertyName Name of the property to set.
 * @param {string|int} propertyValue Value to set.
 *
 * @return "success"
 */
function plugin.lipc.set(publisher, propertyName, propertyValue) { ... }
Code:
/**
 * Write into log for wafapp process and com.lab126.browser app id.
 *
 * @param {string} subsystemName First part of log message (usually used for identifier of log writer).
 * @param {string} message Second part of log message (usually used for actual log message).
 * @param {string} severity Must be one of the: "info", "warn", "error", "debug", "perf".
 *
 * @return "success"
 */
function plugin.dev.log(subsystemName, message, severity) { ... }
Code:
/**
 * Pass string to ToDo through setting of Lipc property `scheduleToDoItems`.
 *
 * @param {string} todoDocument ToDo document.
 *
 * @return "success"
 */
function plugin.todo.scheduleItems(todoDocument) { ... }
04-22-2012, 02:25 PM | #4 |
hub
Posts: 715
Karma: 2151032
Join Date: Jan 2012
Location: Iranian in Canada
Device: K3G, DXG, Kobo mini
This looks really interesting!
I'm interested in integrating other plugins into WebKit. Do you think this is possible by putting the corresponding *.so libraries in /usr/lib/browser/plugins/?
05-27-2012, 11:03 AM | #5 |
but forgot what it's like
Posts: 741
Karma: 2345678
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
I found a way to execute any shell command with root privileges by setting a LIPC property:
Code:
lipc-set-prop -s com.lab126.system sendEvent ";sh -c 'mntroot rw; echo pwned > /etc/uks/random.pem; mntroot ro'"
On the other hand, it could be used in a new method for easy jailbreaking through a website. BTW, @silver18, this plugin could be used in WAF apps, I assume. You needed to execute commands from a WAF application, didn't you? Anyway, I recommend disabling this plugin. Execute in an SSH session:
Code:
mntroot rw && mv /usr/lib/browser/plugins/libkindleplugin.so /usr/lib/browser/plugins/libkindleplugin.so.disabled && mntroot ro && killall wafapp
UPD On 23 Jul 2012 Amazon made available the update to 5.1.2, which must be applied over 5.1.0 or 5.1.1. Amongst other changes, 5.1.2 deletes the NPAPI plugin /usr/lib/libkindleplugin.so, the symlink /usr/lib/browser/plugins/libkindleplugin.so and the directory /usr/lib/browser, thus eliminating a possible remote attack vector.
Last edited by eureka; 07-30-2012 at 05:50 AM. Reason: hooray, there is an official update addressing a possible security issue
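An added audit helper, not part of the thread or of Amazon's firmware: it reports whether the plugin symlink named above is still reachable by the browser (active / disabled / absent) and whether a firmware version string is already at or past the 5.1.2 removal. The paths are the ones quoted in the thread; the ROOT argument and the fake-root builder are assumptions so the check runs against a constructed directory tree rather than a real device.

```shell
# Added example (not from the thread): audit the plugin state and the
# firmware version. ROOT is a directory prefix so this can run against a
# constructed fake filesystem instead of a live Kindle.
PLUGIN_LINK="usr/lib/browser/plugins/libkindleplugin.so"
PLUGIN_LIB="usr/lib/libkindleplugin.so"

# -e is false for a dangling symlink, so also accept -L
exists() { [ -e "$1" ] || [ -L "$1" ]; }

# plugin_status ROOT -> prints one of: active | disabled | absent
plugin_status() {
    root="${1%/}"
    if exists "$root/$PLUGIN_LINK"; then
        echo active       # the browser loads it for every page
    elif exists "$root/$PLUGIN_LIB" || exists "$root/$PLUGIN_LINK.disabled"; then
        echo disabled     # library still on disk, but not in the plugin dir
    else
        echo absent       # 5.1.2 layout: library, symlink and /usr/lib/browser gone
    fi
}

# fw_has_fix VERSION -> exit status 0 if VERSION is 5.1.2 or later
fw_has_fix() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    [ "${maj:-0}" -gt 5 ] && return 0
    [ "${maj:-0}" -eq 5 ] && [ "${min:-0}" -gt 1 ] && return 0
    [ "${maj:-0}" -eq 5 ] && [ "${min:-0}" -eq 1 ] && [ "${pat:-0}" -ge 2 ] && return 0
    return 1
}

# make_fake_root -> prints a constructed root mirroring the 5.1.0 layout
make_fake_root() {
    r=$(mktemp -d)
    mkdir -p "$r/usr/lib/browser/plugins"
    : > "$r/usr/lib/libkindleplugin.so"
    ln -s ../../libkindleplugin.so "$r/usr/lib/browser/plugins/libkindleplugin.so"
    echo "$r"
}

if [ "${1:-}" = "--demo" ]; then
    r=$(make_fake_root)
    echo "5.1.0 layout:           $(plugin_status "$r")"
    mv "$r/$PLUGIN_LINK" "$r/$PLUGIN_LINK.disabled"   # the rename from post #5
    echo "after renaming symlink: $(plugin_status "$r")"
    rm -rf "$r"
fi
```

Run with `--demo` to see the state change on the constructed tree; on a device, `plugin_status /` reads the real paths.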
05-27-2012, 11:12 AM | #6 |
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Cool! A "remote" jailbreak tool! Thanks amazon! Now we just need to get up a youtube video, and submit it to slashdot. ... and somebody needs to IMPLEMENT the code and web page too.
Last edited by geekmaster; 05-27-2012 at 11:18 AM.
05-27-2012, 11:21 AM | #7 |
Wizard
Posts: 1,379
Karma: 2155307
Join Date: Nov 2010
Location: Goettingen, Germany
Device: Kindle Paperwhite, Kobo Mini
|
I can very well understand that it is tempting to use this for a jailbreak. However, this is a very serious issue, given that there must be millions of units out there that can now all be turned into botnet drones just by luring their owners to a website...
05-27-2012, 11:25 AM | #8 |
(offline)
Posts: 2,907
Karma: 6736094
Join Date: Dec 2011
Device: K3, K4, K5, KPW, KPW2
@eureka: Great job!
As this is a HUGE security issue, I expect this to be fixed with the next firmware release. I'd bet my money that Amazon starts fixing this as soon as they read this thread.
05-27-2012, 11:27 AM | #9 |
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
You did notice the wink and grin. Yes, a 3G botnet could be especially costly for amazon (especially if it used the "social network" loop-hole out to the unrestricted internet on touch 3G).
05-27-2012, 11:31 AM | #10 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
One "common" practice is to make the browser suid with the user id "nobody" (with "nobody" not having any privileges of any kind). Not sure if the Kindles have such a user already set up, but somebody with time on their hands might check this out for us.
05-27-2012, 11:51 AM | #11 |
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
If you execute an arbitrary command from the search bar (using the same "semi-colon" hack), it runs as user "framework", which is worse than nobody. The only place it can write is to its own subdirectory on /tmp/. About the only thing it is good for is viewing the shadow file so you can crack it with "john the ripper". None of the "usual" privilege escalation methods worked, so I was not able to gain root access from the search bar.
So, I am surprised that this lipc command runs things as root.
Last edited by geekmaster; 05-27-2012 at 12:14 PM.
05-27-2012, 12:23 PM | #12 |
(offline)
Posts: 2,907
Karma: 6736094
Join Date: Dec 2011
Device: K3, K4, K5, KPW, KPW2
05-27-2012, 12:32 PM | #13 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
But do not take my post as an indication that I confirmed the report. Some additional confirmation from other users would be nice to see.
05-27-2012, 02:29 PM | #14 | |
THE NOOB
Posts: 701
Karma: 1545649
Join Date: Jan 2012
Location: Italy
Device: Kindle Touch 5.3.2
Thanks a lot!! I'll start playing around with this as soon as I find something to use it for (in the meanwhile, I satisfied my needs with sqlite3 commands). Anyway, I can't see why Amazon didn't fix this security hole but locked the pinch-to-zoom feature (I can't get it to work in my "app" as I did before 5.1.0!!)...
05-27-2012, 06:17 PM | #15 |
BLAM!
Posts: 13,492
Karma: 26047188
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Am I the only one that finds this somewhat funny?
Anyway, good job!