MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner
Old 01-21-2021, 06:09 AM   #1
yogib
Device: kindle
KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card

A Kindle RCE was published:
https://medium.com/realmodelabs/kindledrip-from-your-kindles-email-address-to-using-your-credit-card-bb93dbfb2a08

The issue was fixed in firmware 5.13.4.
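As an added example (my own code, not from the thread or the linked article), a small triage helper that sorts the firmware versions mentioned in this thread into patched or still-affected relative to the 5.13.4 fix. It compares version components numerically rather than as strings, and treats a trailing "x" (as in "5.12.x") as an unknown component, which is my assumption about how posters write such versions.

```python
from typing import Dict, Iterable, Tuple

# Firmware the thread reports as containing the fix for KindleDrip.
FIXED_VERSION = "5.13.4"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.9.6.1' into (5, 9, 6, 1).

    A trailing 'x' ('5.12.x') is dropped, leaving a shorter tuple whose last
    component is unknown. Anything else non-numeric is rejected.
    """
    parts = version.strip().split(".")
    if parts and parts[-1].lower() == "x":
        parts = parts[:-1]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str, fixed: str = FIXED_VERSION) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one firmware string."""
    v = parse_version(version)
    f = parse_version(fixed)
    wildcard = version.strip().lower().endswith(".x")
    n = min(len(v), len(f))
    if v[:n] != f[:n]:
        # The first differing component decides. Comparing ints avoids the
        # string pitfall where "5.9.6.1" > "5.13.4" because '9' > '1'.
        return "patched" if v[:n] > f[:n] else "vulnerable"
    if wildcard and len(v) < len(f):
        # e.g. "5.13.x": the hidden component could be 2 or 4, so we cannot say.
        return "unknown"
    # Equal prefix: a longer version (5.13.4.1) counts as at or above the fix;
    # a shorter bare "5.13" is treated conservatively as not yet patched.
    return "patched" if v >= f else "vulnerable"


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map every firmware string to its status relative to FIXED_VERSION."""
    return {v: classify(v) for v in versions}


if __name__ == "__main__":
    # Versions named by posters in this thread (constructed input list).
    mentioned = ["5.13.4", "5.13.2", "5.13.1", "5.12.4", "5.9.6.1", "5.12.x"]
    for ver, status in triage(mentioned).items():
        print(f"{ver:>8}: {status}")
```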
Old 01-21-2021, 11:15 AM   #2
dd23
Device: PW3
KindleDrip

I just stumbled upon KindleDrip and have not seen it on the forum yet:
https://medium.com/realmodelabs/kind...d-bb93dbfb2a08

It's a very interesting read. Basically they describe how to execute code on a Kindle by sending a manually crafted .mobi file via email.
For this they use multiple vulnerabilities/exploits on a PW3 with firmware 5.13.2.

Apart from the email part, they also describe in detail how they achieved code execution as root.
I'm no expert in Kindle firmware hacking, but I was wondering if the code execution could be used to jailbreak devices with somewhat more recent firmwares?
AFAIK for the PW3 you have to jailbreak before firmware 5.9.6.1 (which is ancient) or use the serial port. So maybe this would be an option for a software jailbreak for people on firmwares <= 5.13.2?
Old 01-21-2021, 11:58 AM   #3
NiLuJe
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
(Merged the two threads in chronological order.)
Old 01-21-2021, 05:04 PM   #4
melksnor
Device: PRS 500 / Kindle 5th / Kindle PW4
Super interesting read. It does seem to me that older than the latest firmwares should all be vulnerable to the JPEG XR exploit. You wouldn't need the whole email to kindle path, just a special mobi file to side load and then once it has elevated privileges, install the certificate key of the jailbreak.

I am a mere JavaScript programmer, but posts like these always make me want to jump into other things. The creativity of the hacks like from the article and the hacks from the MobileRead users are something I really admire.

Is someone reaching out to the author on getting access to the ̶s̶p̶e̶c̶i̶a̶l̶ ̶m̶o̶b̶i̶ ̶f̶i̶l̶e̶?̶ special JPEG?

Last edited by melksnor; 01-21-2021 at 06:12 PM.
Old 01-21-2021, 05:38 PM   #5
dhdurgee
Device: K3W, PW4
Quote: Originally Posted by melksnor
Super interesting read. It does seem to me that older than the latest firmwares should all be vulnerable to the JPEG XR exploit. You wouldn't need the whole email to kindle path, just a special mobi file to side load and then once it has elevated privileges, install the certificate key of the jailbreak.

I am a mere javascript programmer, but posts like these always make me want to jump into other things. The creativity of the hacks like from the article and the hacks from the mobileread users are something I really admire.

Is someone reaching out to the author on getting access to the special mobi file?
I wonder, since the vulnerability is exploitable via the browser, if an appropriately formed JPEG XR could be hosted on a web site and simply navigating to that page with the Kindle browser could install the jailbreak for you.

Dave
Old 01-21-2021, 06:07 PM   #6
melksnor
Device: PRS 500 / Kindle 5th / Kindle PW4
Quote: Originally Posted by dhdurgee
I wonder since the vulnerabiliy is exploitable via the browser if an appropriately formed JPEG XR could be hosted on a web site and simply navigating to that page with the Kindle browser could install the jailbreak for you.

Dave
Yeah, I was trying to look at the video to see if I could pick up the URL it navigates to. I think I can make out aaaaaa.html, but no domain unfortunately.
Old 01-22-2021, 05:47 AM   #7
Akirainblack
Device: KV jailbroken
Just found this as well and it's given me hope for my Voyage and getting the screensavers hack back onto it after I stupidly enabled WiFi on my device and it updated to 5.13.1.
Old 01-22-2021, 02:55 PM   #8
tryol
Device: Kindle Oasis 3 (jailbroken)
This looks promising, maybe finally a way to jailbreak KOA3?!
I hope somebody'll be able to make some kind of an ultimate jailbreak ebook / image!

I wish I could experiment trying to jailbreak my 5.12.4 KOA3 using this method, but I'd have to turn on wifi to receive the emails.
Unless there is a way to disable updates without a jailbreak (which I'm not aware of), I'm too scared to risk it.

Last edited by tryol; 01-22-2021 at 02:58 PM.
Old 01-22-2021, 03:02 PM   #9
mergen3107
Device: Kindle Scribe
Guys, what if we try to block the Amazon server website from router settings? Something like here: https://kb.netgear.com/24053/How-do-...-web-interface
So it can't update the Kindle.
Old 01-23-2021, 12:55 AM   #10
tesseractcat
Device: Kobo Glo HD, Kindle Voyage
You don't actually have to enable wifi to access an image from the browser. Instead, you can access local html via file:/// links.

Using that, I made a local sudoku game: https://www.mobileread.com/forums/sh...d.php?t=321651.
Old 01-23-2021, 01:08 PM   #11
ilovejedd
Device: PW4, PW3, Libra H2O, iPad 10.5, iPad 11, iPad 12.9
Quote: Originally Posted by tesseractcat
You don't actually have to enable wifi to access an image from the browser. Instead, you can access local html via file:/// links.

Using that, I made a local sudoku game: https://www.mobileread.com/forums/sh...d.php?t=321651.
Later firmware versions (5.12/13?) nag you to connect to internet-enabled wifi before even allowing you to launch the Experimental Browser.

I remember encountering that issue on my up-to-date non-JB Kindle while trying to access the Calibre server on LAN when the internet was down. It's quite annoying how much more pro-active the new firmware versions are about phoning home.

Even skipping wifi config during initial setup is a bigger pain now. I upgraded to 5.13.4 and factory reset in order to verify PW4 diags downgrade no longer works. I had to go through several screens and choose manual setup to add a fake SSID before it eventually stopped trying to force me to connect to the internet.
Old 01-23-2021, 02:08 PM   #12
tryol
Device: Kindle Oasis 3 (jailbroken)
Quote: Originally Posted by tesseractcat
You don't actually have to enable wifi to access an image from the browser. Instead, you can access local html via file:/// links.

Using that, I made a local sudoku game: https://www.mobileread.com/forums/sh...d.php?t=321651.
Unfortunately this doesn't seem to work on 5.12.4, it requires you to use either HTTP or HTTPS protocol now.

Edit: My bad, it works. I used file:// with 2 '/'s, not 3, that's why it didn't work for me first.

Last edited by tryol; 03-23-2021 at 11:01 AM. Reason: I was wrong
Old 02-03-2021, 12:34 PM   #13
Ghost47
Device: Kindle PW2
Quote: Originally Posted by tryol
Unfortunately this doesn't seem to work on 5.12.4, it requires you to use either HTTP or HTTPS protocol now.
You might be able to block all non-LAN traffic to your Kindle via your router. I was able to do this on my MikroTik router easily, but it'll probably be more difficult on other routers. An easier alternative would be to just unplug/disable your router's WAN connection before connecting your Kindle to the network. You could then run a web server on your LAN, then edit an existing mobi's TOC to point to that server. Heck, if I'm reading the Medium article correctly, I think it should be possible to trigger the exploit just by browsing to a webpage hosting a payload .jxr file. No ebook required.
Old 02-12-2021, 03:42 PM   #14
fonix232
Device: KOA4
I think I have a basic grasp of what such an exploit would need, after numerous read-throughs of the Medium article.

First step would be to determine the address stackdumpd receives the parameters from - specifically, the CURRENT_TID parameter. This will most likely be different on every firmware and every different model, though the article makes me think that it's pretty constant - otherwise the attacker would need to know the exact device and firmware of the target.

Second step is to create the tool that takes the memory address in question, alongside a shell script, and generates a JPEG XR image that uses the exploit detailed to write the script (after a bit of formatting, since according to the article, there's a number of checks this script needs to pass) to the memory address.

Once the image can be generated, it can be easily hosted on e.g. GitHub. The script doesn't need to be much, all it needs to do is remount the system as RW, and inject the jailbreak certificate. Then the previously established jailbreak methods can be executed, without requiring the factory firmware (I think). However even if my logic in this part is wrong... The script has root access. It can literally do anything, including, say, downloading a script from GitHub and executing that, which in turn would download the latest jailbreak toolkit and execute it, bypassing the system updater, etc., that was used previously.


Unfortunately I'm a real dummy when it comes to memory management. I've never really liked C due to its manual memory management, and have always used managed languages like Java, C#, or JavaScript. I have no idea how to determine the memory address for CURRENT_TID or how to encode the image for the exploit. There are people with a much larger skillset - like NiLuJe - whose attempt would be more fruitful. I just hope that someone's working on it, and if they are, I have a PW3 WiFi model running 5.12.x that could be used for testing purposes.
Old 02-12-2021, 04:03 PM   #15
NiLuJe
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Err, no, that is *entirely* out of my area of expertise (hello, I'm an English Lit major). e.g., the only thing that resonates with me is the tiny bit of dump-stack trickery at the end.