Amazon has addressed a number of flaws in its Kindle e-reader platform that could have allowed an attacker to take control of victims' devices by merely sending them a malicious e-book.
Dubbed "KindleDrip," the exploit chain takes advantage of a feature called "Send to Kindle" to deliver a malware-laced document to a Kindle device that, when opened, could be leveraged to remotely execute arbitrary code on the device and make unauthorized purchases.
"The code runs as root, and the attacker only needs to know the email address assigned to the victim's device," said Yogev Bar-On, a security researcher at Realmode Labs, in a technical write-up on Thursday.
The first vulnerability lets a bad actor send an e-book to a Kindle, the second flaw allows remote code execution while the e-book is parsed, and a third issue makes it possible to escalate privileges and run the code as the "root" user.
When chained together, these weaknesses could be abused to steal device credentials and make purchases of e-books sold by the attackers themselves on the Kindle store using the victim's credit card.
Amazon fixed the flaws on December 10, 2020, for all Kindle models released after 2014, following Bar-On's responsible disclosure on October 17. He was also awarded $18,000 as part of the Amazon Vulnerability Research Program.
Sending a Malicious E-book from a Spoofed Address
An important aspect of the Send to Kindle feature is that it only works when a document is sent as an attachment to a "kindle.com" email address ([name]@kindle.com) from email accounts that have previously been added to an "Approved Personal Document E-mail List."
That is how it should work, ideally. What Bar-On found instead was that Amazon did not verify the authenticity of the email sender, and an e-book sent from an approved-but-spoofed address automatically appeared in the library with no indication that it had arrived via an email message.
Pulling this off successfully does require knowledge of the target's Kindle email address, a unique "[name]@kindle.com" address that is assigned to each Kindle device or app on registration. While in some cases the name is suffixed with a random string, Bar-On argues that the entropy of most of these addresses is low enough for them to be guessed trivially with a brute-force approach.
Once the e-book has been delivered to a victim's device, the attack moves to the next stage. It exploits a buffer overflow flaw in the JPEG XR image format library as well as a privilege escalation bug in one of the root processes ("stackdumpd") to inject arbitrary commands and run the code as root.
Thus, when an unsuspecting user opens the e-book and taps one of the links in the table of contents, the Kindle opens an HTML page in the browser containing a specially crafted JPEG XR image, and parsing that image runs the attack code, thereby letting the adversary steal the user's credentials, take control of the device, and access virtually any private information associated with the victim.
Amazon has now remediated the security holes by sending users a verification link to a pre-approved address in scenarios where a document is sent from an unrecognized email address.
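The sender-spoofing weakness described above and the shape of Amazon's fix, as an added example that is not part of the original article and is not Amazon's code: a small Python model of an allowlist-gated "send to device" mail feature. It contrasts the weak check (trusting the From header alone, which an approved-but-spoofed sender defeats) with a hardened check that also requires the receiving mail server's Authentication-Results header to show SPF or DKIM passing for a domain aligned with the From address, and that parks anything approved-but-unauthenticated for out-of-band verification rather than quietly adding it to the library. The allowlist entry, the domain names and the Authentication-Results values are constructed sample data; the `mx.kindle.example` authserv-id is likewise hypothetical.

```python
"""Constructed model of an allowlist-gated 'send to device' mail feature.

Not Amazon's code. Addresses, domains and Authentication-Results values
below are constructed sample data for this example.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Hypothetical "approved personal document e-mail list" for one device.
APPROVED_SENDERS = {"owner@example.com"}


def parse_auth_results(msg: Message) -> dict:
    """Extract SPF/DKIM/DMARC verdicts from Authentication-Results headers.

    The receiving MTA stamps this header after checking the message, so a
    forged From line cannot forge it (this assumes, as any real deployment
    must, that pre-existing headers of that name are stripped on ingress).
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header):
            results[m.group(1)] = m.group(2).lower()
        dkim_d = re.search(r"header\.d=([\w.-]+)", header)
        if dkim_d:
            results["dkim_domain"] = dkim_d.group(1).lower()
        mailfrom = re.search(r"smtp\.mailfrom=([\w.@-]+)", header)
        if mailfrom:
            results["spf_domain"] = mailfrom.group(1).rsplit("@", 1)[-1].lower()
    return results


def naive_decision(raw_message: str, approved=APPROVED_SENDERS) -> str:
    """The weak check: accept whenever the From header is on the allowlist.

    From is sender-controlled, so anyone who knows an approved address can
    get an attachment into the library unchallenged.
    """
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return "accept" if sender in approved else "reject"


def hardened_decision(raw_message: str, approved=APPROVED_SENDERS) -> str:
    """Allowlist plus sender authentication.

    'accept' only when the From address is approved AND the message passed
    SPF or DKIM for a domain aligned with that address (DMARC-style
    alignment). Approved-but-unauthenticated mail becomes 'verify': the
    document stays quarantined until the account owner confirms it via a
    link sent to a pre-approved address.
    """
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in approved:
        return "reject"
    from_domain = sender.rsplit("@", 1)[-1]
    auth = parse_auth_results(msg)
    dkim_aligned = auth.get("dkim") == "pass" and auth.get("dkim_domain") == from_domain
    spf_aligned = auth.get("spf") == "pass" and auth.get("spf_domain") == from_domain
    return "accept" if (dkim_aligned or spf_aligned) else "verify"


def build_sample(from_addr: str, auth_results: str) -> str:
    """Constructed inbound message as the gateway sees it after its own MTA."""
    return (
        f"From: {from_addr}\n"
        "To: name@kindle.example\n"
        "Subject: A document for your reader\n"
        f"Authentication-Results: mx.kindle.example; {auth_results}\n"
        "\n"
        "(attachment omitted in this constructed sample)\n"
    )


# Three constructed cases: genuine approved sender, spoofed approved sender,
# and an authenticated sender that was never approved.
LEGIT = build_sample(
    "owner@example.com",
    "spf=pass smtp.mailfrom=owner@example.com; dkim=pass header.d=example.com; dmarc=pass",
)
SPOOFED = build_sample(
    "owner@example.com",
    "spf=fail smtp.mailfrom=bounce@attacker.example; dkim=none; dmarc=fail",
)
UNKNOWN = build_sample(
    "stranger@other.example",
    "spf=pass smtp.mailfrom=stranger@other.example; dkim=pass header.d=other.example; dmarc=pass",
)

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("unknown", UNKNOWN)):
        print(f"{label:8s} naive={naive_decision(sample):7s} hardened={hardened_decision(sample)}")
```

Running the block shows the difference in one table: the naive gate accepts the spoofed message exactly as it accepts the genuine one, while the hardened gate accepts only the authenticated, approved sender, rejects the unapproved one, and holds the spoofed one for verification. The verification state is the important design choice: rejecting unauthenticated mail outright would break legitimate senders whose domains lack SPF/DKIM, whereas a confirmation link to a pre-approved address keeps the feature usable without letting a forged From header alone place a document on the device.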
Software updates on Kindle devices are downloaded and installed by default when the device is connected wirelessly. Users can go to Settings → Menu → Device Info to check whether their firmware is up to date and, if it is not, manually download and install the 5.13.4 update to mitigate the flaws.