Three vulnerabilities in the Amazon Kindle e-reader would have allowed a remote attacker to execute code and run it as root – paving the way for siphoning money from unsuspecting users.
Yogev Bar-On, researcher at Realmode Labs, found that it was possible to email malicious e-books to the devices via the “Send to Kindle” feature to start a chain of attack – a discovery that earned him $18,000 from the Amazon bug-bounty program.
“The first vulnerability allowed an attacker to send an e-book to the victim’s Kindle device,” he explained in a Thursday posting. “Then, the second vulnerability was used to run arbitrary code while the e-book is parsed, under the context of a weak user. The third vulnerability allows the attacker to escalate privileges and run code as root.”
To make the attack work (which the researcher calls KindleDrip), an attacker would first need to know the email address assigned to the victim’s device. There’s also a predefined list of approved emails that any e-books would need to be sent from. According to Bar-On, neither requirement is much of a hurdle.
The special destination email address assigned by Amazon is typically just the user’s regular email under the kindle.com domain (e.g. firstname.lastname@example.org becomes email@example.com), which “can be brute forced,” he explained.
And as for the list of approved addresses, spoofing can easily get around this. “Email authentication is still not as widespread as you may think,” he wrote. “Since many email servers still don’t support authentication, it is not unreasonable to assume that Amazon will not verify the authenticity of the sender.” And indeed, he was able to spoof an email message to send an e-book to his own device.
The KindleDrip Attack
With the emails sorted, the first step in a KindleDrip attack is to send a malicious e-book to a target. The file is sent as an attachment and automatically shows up in a user’s library. However, the victim doesn’t receive an alert that something new has been installed in the bookshelf.
“To make matters worse, there is no indication that the e-book was received from an email message,” said Bar-On. “It also appeared on the home page of the Kindle with a cover image of our choice, which makes phishing attacks much easier.”
Then, the victim enters the innocent-looking book and touches one of the links in the table of contents. The link opens the built-in browser with an HTML page that contains a malicious JPEG XR image.
The image is parsed, and malicious code now runs as root. The payload changes the boot background and restarts the device. Then, the attacker receives private credentials from the device and can log into the victim’s account.
To booby-trap the e-book with malicious code, the researcher found that the Kindle web browser supports the use of an obscure image format called JPEG XR. Conveniently, the Kindle itself has a firmware library called libjpegXR.so, which parses JPEG XR.
He found that it was possible to trigger a buffer overflow while parsing JPEG XR with the Kindle, with controlled bytes from an JPEG XR image file.
Immediately following the overflowed buffer, there is a pointer struct jxr_tile_qp *tile_quant. Bar-On found that using the overflow, the pointer could be overridden to be able to write data to an attacker-controlled address – what’s known as an absolute-write primitive.
“Using the absolute-write primitive, a shellcode could be written to the executable section,” he explained. “Then, the primitive could be used again to ‘spray’ the Global Offset Table (GOT) with the address of the shellcode. The mesquite process is multi-threaded, so one of the other threads would inevitably call a function from the GOT, causing the shellcode to execute.”
With code executed, the third step in the attack is privilege escalation.
“The mesquite process is run under chroot with a weak user called framework,” he wrote. “So the previous vulnerability couldn’t be used to even reboot the device. Privilege escalation was needed.”
In looking for root processes that listen on a local socket, he uncovered something called stackdumpd.
“This process is responsible for generating stack dumps of crashed processes,” he said. “It receives information like the crashed process id and thread id, and passes it to /usr/bin/dump-stack. This is a shell script that connects to the crashed process with GDB…and like the name suggests, dumps the stack.”
GDB is a remote debugger. He found that it can run arbitrary commands given in the command argument, and thus could be used to run arbitrary code as root. There are two security checks before one is able to do so, which can be bypassed with a “simple string,” he explained. “Thus, we had a vulnerability that allowed us to execute arbitrary code under the context of the root user.”
The three issues chained together allows root RCE on a vulnerable Kindle, as shown in a proof-of-concept video:
Armed with this attack, a threat actor can snoop on users’ web sessions, steal credentials – or, more worryingly, can steal money from the victim. To siphon cash, the attacker could publish an e-book and then log into the victim’s account, using their stored credit card to buy it.
The attack works on Kindles with firmware version 5.13.2 or below; Amazon fixed KindleDrip in the latest update, firmware version 5.13.4.
“Using three different vulnerabilities, I managed to execute arbitrary code on the Amazon Kindle as the root user, given only the email address assigned to the device,” said Bar-On. “This could have allowed an attacker to access device credentials and make purchases on the Kindle store. This could also have been used to jailbreak the newest Kindle devices. Amazon took the report seriously and fixed the issues in a reasonable time.”
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!