01-21-2021, 06:09 AM | #1
Junior Member
Posts: 1
Karma: 10
Join Date: Dec 2020
Device: kindle
KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card
A Kindle RCE was published:
https://medium.com/realmodelabs/kindledrip-from-your-kindles-email-address-to-using-your-credit-card-bb93dbfb2a08
The issue was fixed in firmware 5.13.4.
01-21-2021, 11:15 AM | #2
Junior Member
Posts: 7
Karma: 180
Join Date: Sep 2019
Device: PW3
KindleDrip
I just stumbled upon KindleDrip and have not seen it on the forum yet:
https://medium.com/realmodelabs/kind...d-bb93dbfb2a08
It's a very interesting read. Basically they describe how to execute code on a Kindle by sending a manually crafted .mobi file via email. For this they use multiple vulnerabilities/exploits on a PW3 with firmware 5.13.2. Apart from the email part, they also describe in detail how they achieved code execution as root.
I'm no expert in Kindle firmware hacking, but I was wondering if the code execution could be used to jailbreak devices with somewhat more recent firmwares? AFAIK for the PW3 you have to jailbreak before firmware 5.9.6.1 (which is ancient) or use the serial port. So maybe this would be an option for a software jailbreak for people on firmwares <= 5.13.2?
01-21-2021, 11:58 AM | #3
BLAM!
Posts: 13,494
Karma: 26047188
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
(Merged the two threads in chronological order.)
01-21-2021, 05:04 PM | #4
Goodest E-Reader
Posts: 62
Karma: 300094
Join Date: Jul 2007
Device: PRS 500 / Kindle 5th / Kindle PW4
Super interesting read. It does seem to me that older than the latest firmwares should all be vulnerable to the JPEG XR exploit. You wouldn't need the whole email to kindle path, just a special mobi file to side load and then once it has elevated privileges, install the certificate key of the jailbreak.
I am a mere JavaScript programmer, but posts like these always make me want to jump into other things. The creativity of the hacks like from the article and the hacks from the MobileRead users are something I really admire. Is someone reaching out to the author on getting access to the ̶s̶p̶e̶c̶i̶a̶l̶ ̶m̶o̶b̶i̶ ̶f̶i̶l̶e̶?̶ special JPEG?
Last edited by melksnor; 01-21-2021 at 06:12 PM.
01-21-2021, 05:38 PM | #5
Guru
Posts: 844
Karma: 2525050
Join Date: Jun 2010
Device: K3W, PW4
Quote:
Dave
01-21-2021, 06:07 PM | #6
Goodest E-Reader
Posts: 62
Karma: 300094
Join Date: Jul 2007
Device: PRS 500 / Kindle 5th / Kindle PW4
Yeah, I was trying to look at the video to see if I could pick up the URL it navigates to. I think I can make out aaaaaa.html, but no domain unfortunately.
01-22-2021, 05:47 AM | #7
abibliophobic
Posts: 220
Karma: 219708
Join Date: Aug 2012
Device: KV jailbroken
Just found this as well and it's given me hope for my Voyage and getting the screensavers hack back onto it after I stupidly enabled WiFi on my device and it updated to 5.13.1.
01-22-2021, 02:55 PM | #8
Warm Lighting Enthusiast
Posts: 91
Karma: 754136
Join Date: Dec 2020
Device: Kindle Oasis 3 (jailbroken)
This looks promising, maybe finally a way to jailbreak KOA3?!
I hope somebody'll be able to make some kind of an ultimate jailbreak ebook / image! I wish I could experiment trying to jailbreak my 5.12.4 KOA3 using this method, but I'd have to turn on wifi to receive the emails. Unless there is a way to disable updates without a jailbreak (which I'm not aware of), I'm too scared to risk it.
Last edited by tryol; 01-22-2021 at 02:58 PM.
01-22-2021, 03:02 PM | #9
Wizard
Posts: 1,230
Karma: 4738758
Join Date: Feb 2012
Location: Cape Canaveral
Device: Kindle Scribe
Guys, what if we try to block the Amazon server website from router settings? Something like here: https://kb.netgear.com/24053/How-do-...-web-interface
So it can’t update the Kindle.
01-23-2021, 12:55 AM | #10
Enthusiast
Posts: 31
Karma: 100000
Join Date: Apr 2017
Device: Kobo Glo HD, Kindle Voyage
You don't actually have to enable wifi to access an image from the browser. Instead, you can access local html via file:/// links.
Using that, I made a local sudoku game: https://www.mobileread.com/forums/sh...d.php?t=321651.
01-23-2021, 01:08 PM | #11
hopeless n00b
Posts: 5,110
Karma: 19597086
Join Date: Jan 2009
Location: in the middle of nowhere
Device: PW4, PW3, Libra H2O, iPad 10.5, iPad 11, iPad 12.9
Quote:
I remember encountering that issue on my up-to-date non-JB Kindle while trying to access the Calibre server on LAN when the internet was down. It's quite annoying how much more proactive the new firmware versions are about phoning home. Even skipping wifi config during initial setup is a bigger pain now. I upgraded to 5.13.4 and factory reset in order to verify the PW4 diags downgrade no longer works. I had to go through several screens and choose manual setup to add a fake SSID before it eventually stopped trying to force me to connect to the internet.
01-23-2021, 02:08 PM | #12
Warm Lighting Enthusiast
Posts: 91
Karma: 754136
Join Date: Dec 2020
Device: Kindle Oasis 3 (jailbroken)
Quote:
Edit: My bad, it works. I used file:// with 2 '/'s, not 3, that's why it didn't work for me first.
Last edited by tryol; 03-23-2021 at 11:01 AM. Reason: I was wrong
02-03-2021, 12:34 PM | #13
Junior Member
Posts: 1
Karma: 10
Join Date: Feb 2021
Device: Kindle PW2
You might be able to block all non-LAN traffic to your Kindle via your router. I was able to do this on my MikroTik router easily, but it'll probably be more difficult on other routers. An easier alternative would be to just unplug/disable your router's WAN connection before connecting your Kindle to the network. You could then run a web server on your LAN, then edit an existing mobi's TOC to point to that server. Heck, if I'm reading the Medium article correctly, I think it should be possible to trigger the exploit just by browsing to a webpage hosting a payload .jxr file. No ebook required.
02-12-2021, 03:42 PM | #14
Enthusiast
Posts: 35
Karma: 102
Join Date: Jul 2016
Device: KOA4
I think I have a basic grasp of what such an exploit would need, after numerous read-throughs of the Medium article.
First step would be to determine the address
Code:
stackdumpd
Code:
CURRENT_TID
Second step is to create the tool that takes the memory address in question, alongside a shell script, and generates a JPEG XR image that uses the exploit detailed to write the script (after a bit of formatting, since according to the article, there's a number of checks this script needs to pass) to the memory address. Once the image can be generated, it can be easily hosted on e.g. GitHub.
The script doesn't need to be much, all it needs to do is remount the system as RW, and inject the jailbreak certificate. Then the previously established jailbreak methods can be executed, without requiring the factory firmware (I think). However even if my logic in this part is wrong... The script has root access. It can literally do anything, including, say, downloading a script from GitHub and executing that, which in turn would download the latest jailbreak toolkit and execute it, bypassing the system updater, etc., that was used previously.
Unfortunately I'm a real dummy when it comes to memory management. I've never really liked C due to its manual memory management, and have always used managed languages like Java, C#, or JavaScript. I have no idea how to determine the memory address for
Code:
CURRENT_TID
02-12-2021, 04:03 PM | #15
BLAM!
Posts: 13,494
Karma: 26047188
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Err, no, that is *entirely* out of my area of expertise (hello, I'm an English Lit major). E.g., the only thing that resonates with me is the tiny bit of dump-stack trickery at the end.