Amazon Kindle Archives – Gridinsoft Blog

Vulnerabilities in Amazon Kindle Allowed Taking Full Control of the Device
https://gridinsoft.com/blogs/vulnerabilities-in-amazon-kindle/
Fri, 06 Aug 2021 16:45:13 +0000

Check Point researchers reported that in April of this year, IT giant Amazon eliminated critical vulnerabilities in the Amazon Kindle. The flaws could be used to gain full control over the device and allowed attackers to steal the Amazon device token and other confidential data stored on it.

For a successful attack on a Kindle, just one book with malicious code is enough.

The potential attack began by sending a malicious e-book to the user’s mail. After receiving such an attachment, the victim only had to open it, and this launched the exploit. No additional user permission or action was required.

“E-books could be used as Kindle malware with various consequences. For example, a hacker could delete all of the user’s e-books, as well as turn the Kindle into a bot and use it to attack other devices on the victim’s local network,” the experts write.

Even worse, the discovered vulnerabilities allowed attackers to target a specific category of users. For example, to hack a specific group of people or demographic group, a hacker simply had to inject malicious code into a popular e-book in the corresponding language or dialect. As a result, attacks became highly targeted.

The root of the problem lay in the structure of the parsing framework, namely the implementation associated with PDF documents. The attacks were possible thanks to a heap overflow in the PDF rendering feature (CVE-2021-30354), which allowed arbitrary writes on the device, and a local privilege escalation vulnerability in the Kindle App Manager service (CVE-2021-30355). Combining the two vulnerabilities into a chain made it possible to run malicious code with root privileges.

The researchers reported their findings to Amazon in February 2021, and the April update of the Kindle firmware, version 5.13.5, already contained a patch (the firmware is automatically installed on devices connected to the network).

“We found vulnerabilities in the Kindle, and if hackers took advantage of them, they could take full control of the device. By sending an e-book with malicious code to a Kindle user, a cybercriminal would be able to steal any information from the reader, from Amazon account details to payment information. Like other smart devices, the Kindle is often perceived as a harmless gadget that is not subject to security risks. However, our research shows that any device with network connectivity is, in fact, not much different from a computer. IoT devices are susceptible to the same types of attacks as smartphones. Any device connected to a PC, especially the popular Kindle, presents a cybersecurity risk, and users should be aware of this,” said Yaniv Balmas, head of cybersecurity research at Check Point Software Technologies.

Let me remind you that we also reported, this February, that a Researcher Found Three Bugs Allowing Hacking Amazon Kindle.

Researcher Found Three Bugs Allowing Hacking Amazon Kindle
https://gridinsoft.com/blogs/researcher-found-three-bugs-allowing-hacking-amazon-kindle/
Fri, 22 Jan 2021 18:15:57 +0000

Researcher Yogev Bar-On from Israeli consulting firm Realmode Labs talked about his KindleDrip attack technique and three Amazon Kindle bugs (already fixed) that underlie it.

For discovery of these vulnerabilities the expert received $18,000 under the bug bounty program.

Let me remind you that I also wrote that an IS researcher earned more than $2000000 on HackerOne.

The first vulnerability in the KindleDrip exploit chain is related to the Send to Kindle feature, which allows users to send e-books in MOBI format to their device via email (Amazon creates a special mailbox at @kindle.com for this).

“By abusing this feature, it was possible to send a specially crafted e-book to the device that allows arbitrary code to be executed on the target Kindle,” writes the expert.

Code execution became possible through the second vulnerability, in a library that Kindle devices use to parse JPEG XR images. Exploiting the bug required the user to simply click on a link inside a book containing a malicious JPEG XR image, which would open a browser and run the attacker’s code with limited privileges.

Since even this was not enough for Bar-On, he found a third problem, which allowed him to escalate privileges and execute code with root rights, gaining full control over the target device.

“Attackers can access device credentials and make purchases from the Kindle store using the victim’s credit card. Attackers can sell an e-book in a store and transfer money to their account. Only a confirmation letter will allow the victim to know about such a purchase,” says the expert.

It should be noted that the hacker could not gain access to the actual card numbers or passwords, since these types of data are not stored on the device. Instead, the attacker could obtain special tokens and use them to access the victim’s account.

All a hacker needs for such an attack is to know the email address of the future victim (often the @kindle.com address is the same as the user’s regular email address) and convince him to click on the link inside the malicious e-book. Although the Send to Kindle feature allows sending books to the devices only from pre-approved addresses, the researcher writes that an attacker could simply use spoofing to do so.

A demonstration of the attack can be seen below:

These vulnerabilities have already been fixed. The problems with code execution and privilege escalation were eliminated in December 2020 with the release of version 5.13.4. In addition, Amazon now sends verification links to email addresses that cannot be authenticated, and adds some characters to @kindle.com addresses to make them harder to guess.
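
The sender check behind that last mitigation can be sketched as follows. This is an added example, not Amazon's code or anything from the original post: an approved-sender list is only trusted when the receiving mail server itself recorded a DMARC pass, and anything else is held for confirmation. The host name `mx.receiver.example`, the addresses and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id that our own receiving MTA stamps (RFC 8601).
TRUSTED_AUTHSERV = "mx.receiver.example"

def auth_results(msg):
    """Collect {method: result} only from headers written by our own MTA."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(header).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # any other copy may have been supplied by the sender
        for method, result in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", rest, re.I):
            results.setdefault(method.lower(), result.lower())
    return results

def delivery_decision(raw_message, approved_senders):
    """Return 'reject', 'deliver' or 'hold_for_confirmation'."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return "reject"  # ambiguous author: refuse rather than guess
    sender = parseaddr(str(from_headers[0]))[1].lower()
    if sender not in approved_senders:
        return "reject"
    # The From text alone proves nothing; require a DMARC pass for its domain.
    if auth_results(msg).get("dmarc") == "pass":
        return "deliver"
    return "hold_for_confirmation"  # e.g. mail a verification link to the owner

def _sample(auth_headers, sender="owner@example.org"):
    """Build a constructed test message (not real traffic)."""
    return (auth_headers + f"From: Owner <{sender}>\n"
            "To: reader@device.example\nSubject: book\n\nattachment omitted\n")

APPROVED = {"owner@example.org"}
GENUINE = _sample("Authentication-Results: mx.receiver.example; spf=pass; dmarc=pass\n")
SPOOFED = _sample("Authentication-Results: mx.receiver.example; spf=fail; dmarc=fail\n")
FORGED_HEADER = _sample("Authentication-Results: mx.other.example; dmarc=pass\n"
                        "Authentication-Results: mx.receiver.example; dmarc=none\n")
STRANGER = _sample("Authentication-Results: mx.receiver.example; dmarc=pass\n",
                   sender="someone@else.example")

if __name__ == "__main__":
    for name in ("GENUINE", "SPOOFED", "FORGED_HEADER", "STRANGER"):
        print(name, delivery_decision(globals()[name], APPROVED))
```

An approved address whose mail fails or lacks authentication is held rather than delivered, which is the gap the pre-approved list alone left open.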
