silver18 THE NOOB



Posts: 701 Karma: 1545635 Join Date: Jan 2012 Location: Italy Device: Kindle Touch 5.3.2

Quote: Originally Posted by eureka

I found the way to execute any shell code with root privileges via setting of an LIPC property:

Code: lipc-set-prop -s com.lab126.system sendEvent ";sh -c 'mntroot rw; echo pwned > /etc/uks/random.pem; mntroot ro'"

So this scriptable browser plugin is really dangerous. Any (I repeat, any!) website which is viewed by a user in the KT browser could secretly execute arbitrary shell commands with root privileges, so it will have absolute access to the KT OS, filesystem and system/user files, running processes, anything.

On the other hand, it could be used in a new method for easy jailbreaking through a website.

BTW, @silver18, this plugin could be used in WAF apps, I assume. You've needed to execute commands from a WAF application, haven't you?

Anyway, I recommend disabling this plugin. Execute in an SSH session:

Code: mntroot rw && mv /usr/lib/browser/plugins/libkindleplugin.so /usr/lib/browser/plugins/libkindleplugin.so.disabled && mntroot ro && killall wafapp

It should be reported to Amazon immediately, but I didn't do it (and will not do) as I'm curious whether somebody would want to implement that "jailbreak through website". All information is already available in this thread.

Thanks a lot!!

I'll start playing around with this as soon as I find something to use it for (in the meanwhile, I satisfied my needs with sqlite3 commands).

Anyway, I can't understand why Amazon didn't fix this security hole but locked the pinch-to-zoom feature (I can't get it to work in my "app" as I did before 5.1.0!!)...
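As an added example (not code from this thread or from the Kindle firmware), a POSIX sh wrapper showing the check that is missing in the quoted scenario: the sendEvent value is allow-listed as a plain event token before it can reach lipc-set-prop, and a helper reports whether libkindleplugin.so is still active. The function names and the plugin directory parameter are assumptions for illustration.

```sh
#!/bin/sh
# Hypothetical wrapper around lipc-set-prop (not part of the Kindle firmware).
# Root cause in the thread: the event value is handed to a shell as-is, so a
# leading ';' turns it into an arbitrary root command. An allow-list avoids that.

# Returns 0 if the value is a plain event token (letters, digits, '_', '.', '-'),
# 1 otherwise. ';', quotes, spaces, '$', backticks and an empty value are rejected.
is_safe_event() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Sends the event only after validation; anything else is refused and logged.
safe_send_event() {
    if is_safe_event "$1"; then
        lipc-set-prop -s com.lab126.system sendEvent "$1"
    else
        printf 'refused sendEvent value (shell metacharacters): %s\n' "$1" >&2
        return 1
    fi
}

# Returns 0 while the scriptable browser plugin is still installed under the
# given directory (default: the path from the thread), 1 once it has been
# renamed to .disabled as recommended above.
plugin_enabled() {
    [ -e "${1:-/usr/lib/browser/plugins}/libkindleplugin.so" ]
}
```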