Amazon Kindle RCE Attack Starts with an Email

  • The “KindleDrip” attack would have allowed attackers to siphon money from unsuspecting victims.

Three vulnerabilities in the Amazon Kindle e-reader would have allowed a remote attacker to execute code and run it as root – paving the way for siphoning money from unsuspecting users.

Yogev Bar-On, researcher at Realmode Labs, found that it was possible to email malicious e-books to the device through the “Send to Kindle” feature to start a chain of attack – a discovery that earned him $18,000 from the Amazon bug-bounty program.

“The first vulnerability allowed an attacker to send an e-book to the victim’s Kindle device,” he explained in a Thursday posting. “Then, the second vulnerability was used to run arbitrary code while the e-book is parsed, under the context of a weak user. The third vulnerability allows the attacker to escalate privileges and run code as root.”

To make the attack work (which the researcher calls KindleDrip), an attacker would first need to know the email address assigned to the victim’s device. There’s also a predefined list of approved emails that any e-books would need to be sent from. According to Bar-On, neither requirement is much of a hurdle.

The specific destination email address assigned by Amazon is commonly just the user’s regular email under the kindle.com domain (e.g. name@gmail.com becomes name@kindle.com), which “can be brute forced,” he explained.

And as for the list of approved addresses, spoofing can easily get around this. “Email authentication is still not as common as you might think,” he wrote. “Since many email servers still do not support authentication, it is not unreasonable to assume that Amazon will not validate the authenticity of the sender.” And indeed, he was able to spoof an email message to send an e-book to his own device.
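The weakness described above is an allowlist keyed on the From address alone. As an added illustration (not code from the article, from Amazon or from the researcher), the following compares that address-only check with one that also requires an aligned SPF or DKIM pass recorded in the receiving server's Authentication-Results header; the sender list, header values and addresses are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Approved sender list the device owner registered (constructed sample value).
APPROVED_SENDERS = {"owner@gmail.com"}

def auth_results(msg):
    """Pull spf/dkim verdicts plus the identities they apply to out of the
    Authentication-Results header stamped by the receiving mail server."""
    hdr = msg.get("Authentication-Results", "")
    res = {m.group(1): m.group(2).lower()
           for m in re.finditer(r"\b(spf|dkim)=(\w+)", hdr)}
    m = re.search(r"header\.d=([\w.-]+)", hdr)          # DKIM signing domain
    res["dkim_domain"] = m.group(1).lower() if m else ""
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", hdr)     # envelope sender SPF checked
    res["spf_domain"] = m.group(1).lower().rsplit("@", 1)[-1] if m else ""
    return res

def accept_weak(raw):
    """Address-only allowlist: a forged From header is all it takes."""
    sender = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
    return sender in APPROVED_SENDERS

def accept_hardened(raw):
    """Allowlist plus authentication: From must be approved AND the message must
    carry a DKIM or SPF pass whose domain aligns with the From domain."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in APPROVED_SENDERS:
        return False, "sender not on approved list"
    res, domain = auth_results(msg), sender.rsplit("@", 1)[-1]
    if res.get("dkim") == "pass" and res["dkim_domain"] == domain:
        return True, "aligned DKIM pass"
    if res.get("spf") == "pass" and res["spf_domain"] == domain:
        return True, "aligned SPF pass"
    return False, "approved address but no aligned authentication pass"

# Constructed samples: a forged message the server could not authenticate, and a real one.
SPOOFED = """Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=owner@gmail.com; dkim=none
From: owner@gmail.com
To: owner@kindle.com
Subject: new book

(attachment omitted)
"""
GENUINE = SPOOFED.replace("spf=fail", "spf=pass").replace(
    "dkim=none", "dkim=pass header.d=gmail.com")

if __name__ == "__main__":
    print("weak:", accept_weak(SPOOFED), "hardened:", accept_hardened(SPOOFED))
```

The weak check accepts the forged message because only the From header is consulted; the hardened check rejects it and accepts the genuine one.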

The KindleDrip Attack

With the emails sorted, the first step in a KindleDrip attack is to send a malicious e-book to a target. The file is sent as an attachment and automatically shows up in a user’s library. However, the victim does not receive an alert that something new has been installed on the bookshelf.

“To make matters worse, there is no indication that the e-book was received from an email message,” said Bar-On. “It also appeared on the home page of the Kindle with a cover image of our choice, which makes phishing attacks much easier.”

Then, the victim opens the innocent-looking book and touches one of the links in the table of contents. The link opens the built-in browser with an HTML page that contains a malicious JPEG XR image.

The image is parsed, and malicious code now runs as root. The payload changes the boot background and restarts the device. Then, the attacker retrieves private credentials from the device and can log into the victim’s account.

Technical Details

To booby-trap the e-book with malicious code, the researcher found that the Kindle web browser supports the use of an obscure image format called JPEG XR. Conveniently, the Kindle itself has a firmware library named libjpegXR.so, which parses JPEG XR.

He found that it was possible to trigger a buffer overflow while parsing JPEG XR on the Kindle, with controlled bytes from a JPEG XR image file.

Immediately after the overflowed buffer, there is a pointer, struct jxr_tile_qp *tile_quant. Bar-On found that, using the overflow, the pointer could be overwritten to be able to write data to an attacker-controlled address – what is known as an absolute-write primitive.

“Using the absolute-write primitive, a shellcode could be written to the executable section,” he explained. “Then, the primitive could be used again to ‘spray’ the Global Offset Table (GOT) with the address of the shellcode. The mesquite process is multi-threaded, so one of the other threads would eventually call a function from the GOT, causing the shellcode to execute.”

With code executed, the third stage in the attack is privilege escalation.

“The mesquite process is run under chroot with a weak user called framework,” he wrote. “So the previous vulnerability could not be used to even reboot the device. Privilege escalation was needed.”

In looking for root processes that listen on a local socket, he found something called stackdumpd.

“This process is responsible for creating stack dumps of crashed processes,” he said. “It receives information like the crashed process id and thread id, and passes it to /usr/bin/dump-stack. This is a shell script that connects to the crashed process with GDB…and like the name suggests, dumps the stack.”

GDB is a remote debugger. He found that it can run arbitrary commands given in the command argument, and thus could be used to run arbitrary code as root. There are two security checks before a user is able to do so, which can be bypassed with a “simple string,” he explained. “Thus, we had a vulnerability that allowed us to execute arbitrary code under the context of the root user.”

The three issues chained together allow root RCE on a vulnerable Kindle, as shown in a proof-of-concept video.

Armed with this attack, a threat actor can snoop on users’ web sessions, steal credentials – or, more worryingly, can steal money from the victim. To siphon funds, the attacker could publish an e-book and then log into the victim’s account, using their saved credit card to purchase it.

The attack works on Kindles with firmware version 5.13.2 or below. Amazon fixed KindleDrip in the latest update, firmware version 5.13.4.

“Using three different vulnerabilities, I managed to execute arbitrary code on the Amazon Kindle as the root user, given only the email address assigned to the device,” said Bar-On. “This could have allowed an attacker to access device credentials and make purchases on the Kindle store. This could also have been used to jailbreak the latest Kindle devices. Amazon took the report seriously and fixed the issues in a reasonable time.”