Amazon has addressed a number of flaws in its Kindle e-reader platform that would have allowed an attacker to take control of victims' devices by simply sending them a malicious e-book.
Dubbed "KindleDrip," the exploit chain takes advantage of a feature called "Send to Kindle" to deliver a malware-laced document to a Kindle device that, when opened, could be leveraged to remotely execute arbitrary code on the device and make unauthorized purchases.
"The code runs as root, and the attacker only needs to know the email address assigned to the victim's device," said Yogev Bar-On, a security researcher at Realmode Labs, in a technical write-up on Thursday.
The first vulnerability lets a bad actor send an e-book to a Kindle, the second flaw allows remote code execution while the e-book is parsed, and a third issue makes it possible to escalate privileges and run the code as the "root" user.
When chained together, these weaknesses could be abused to steal device credentials and make purchases of e-books sold by the attackers themselves on the Kindle store using the target's credit card.
Amazon fixed the flaws on December 10, 2020, for all Kindle models released after 2014, following Bar-On's responsible disclosure on October 17. He was also awarded $18,000 as part of the Amazon Vulnerability Research Program.
Sending a Malicious E-book from a Spoofed Address
An important aspect of the Send to Kindle feature is that it only works when a document is sent as an attachment to a "kindle.com" email address ([name]@kindle.com) from email accounts that have previously been added to an "Approved Personal Document E-mail List."
Or at least that is how it should work. What Bar-On found instead was that Amazon not only did not verify the authenticity of the email sender, but an e-book sent from an approved-but-spoofed address automatically appeared in the library with no indication that it had arrived via an email message.
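As an added illustration of the sender-trust weakness described above (example code written here, not Amazon's or the researcher's), the following Python contrasts an allowlist check that trusts the From: header alone with one that also requires a passing DKIM or SPF result, aligned with the From: domain, as recorded by the receiving mail server. The allowlist, the authserv-id and the sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for this example, not Amazon's real configuration.
APPROVED_SENDERS = {"owner@example.com"}   # the device's approved-sender list
TRUSTED_AUTHSERV_ID = "mx.kindle.example"  # authserv-id our own inbound MTA stamps

def _from_addr(msg):
    return parseaddr(str(msg["From"] or ""))[1].lower()

def sender_is_approved_weak(raw: bytes) -> bool:
    # Pre-fix logic: trusts From: alone, so a spoofed From: passes the allowlist.
    msg = email.message_from_bytes(raw, policy=policy.default)
    return _from_addr(msg) in APPROVED_SENDERS

def _auth_results(msg):
    # Yield (method, result, props) from Authentication-Results headers stamped by
    # our own MTA; a header with any other authserv-id may have been injected by the
    # sender. Simplified parser: assumes no comments or quoted values in the header.
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(hdr).split(";")]
        if parts[0].lower().split()[:1] != [TRUSTED_AUTHSERV_ID]:
            continue
        for part in parts[1:]:
            tokens = part.split()
            if tokens and "=" in tokens[0]:
                method, result = tokens[0].split("=", 1)
                props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
                yield method.lower(), result.lower(), props

def sender_is_approved(raw: bytes) -> bool:
    # Hardened logic: From: must be on the allowlist AND backed by a passing DKIM or
    # SPF result whose domain aligns with the From: domain (DMARC-style alignment).
    msg = email.message_from_bytes(raw, policy=policy.default)
    addr = _from_addr(msg)
    if addr not in APPROVED_SENDERS:
        return False
    domain = addr.rsplit("@", 1)[-1]
    for method, result, props in _auth_results(msg):
        if result != "pass":
            continue
        if method == "dkim" and props.get("header.d", "").lower() == domain:
            return True
        if method == "spf" and props.get("smtp.mailfrom", "").lower().rsplit("@", 1)[-1] == domain:
            return True
    return False

# Constructed sample messages: a spoofed From: with failing authentication, and a genuine one.
SPOOFED = b"From: owner@example.com\nAuthentication-Results: mx.kindle.example; spf=fail smtp.mailfrom=x@evil.example; dkim=none\n\nbody\n"
GENUINE = b"From: owner@example.com\nAuthentication-Results: mx.kindle.example; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=owner@example.com\n\nbody\n"
```

The weak check accepts both messages, while the hardened check rejects the spoofed one; a forged Authentication-Results header from a different authserv-id is ignored, so it cannot be used to fake a pass.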
But pulling this off successfully requires knowledge of the destination Kindle email address, a unique "[name]@kindle.com" address that is assigned to each Kindle device or app upon registration. Although in some cases the name is suffixed with a random string, Bar-On argues that the entropy of most of the addresses is low enough for them to be trivially guessed using a brute-force approach.
Nonetheless, once the e-book has been delivered to a victim device, the attack moves to the next stage. It exploits a buffer overflow flaw in the JPEG XR image format library as well as a privilege escalation bug in one of the root processes ("stackdumpd") to inject arbitrary commands and run the code as root.
Thus, when an unsuspecting user opens the e-book and taps one of the links in the table of contents, the Kindle opens an HTML page in the browser that contains a specially crafted JPEG XR image and parses the image file, running the attack code and thereby allowing the adversary to steal the user's credentials, take control of the device, and virtually access personal information associated with the victim.
Amazon has now remediated the security holes by sending users a verification link to a pre-approved address in cases where a document is sent from an unrecognized email address.
Software updates on Kindle devices are by default downloaded and installed when the device is connected wirelessly. Users can head to Settings → Menu → Device Info to check whether their firmware is up to date, and if not, manually download and install the 5.13.4 update to mitigate the flaws.