Security experts at Realmode Labs discovered multiple vulnerabilities in the Kindle e-reader that could have allowed an attacker to take over victims’ devices.
The researchers noticed that the “Send to Kindle” feature allows Kindle users to send e-books to their devices as email attachments, a behavior that could be potentially exploited for malicious purposes, for example sending a malicious e-book to potential victims.
Amazon has addressed a number of flaws in its Kindle e-reader platform that could have allowed an attacker to take control of victims’ devices by simply sending them a malicious e-book.
The experts discovered three vulnerabilities that could be chained (KindleDrip exploit) by a remote attacker to execute code as root on the target’s Kindle. The attacker only needs to know the email address associated with the device of the victim.
“The first vulnerability allowed an attacker to send an e-book to the victim’s Kindle device. Then, the second vulnerability was used to run arbitrary code while the e-book is parsed, under the context of a weak user. The third vulnerability allows the attacker to escalate privileges and run code as root.” reads the post published by the experts.
Chaining the issues the attackers can obtain the device credentials, make purchases on the Kindle store using the victim’s credit card, or sell an e-book on the store and transfer money to their account.
Realmode Labs reported the flaws to Amazon on October 17 and the company released security updates to address them on December 10, 2020.
The Send to Kindle feature allows the Kindle user to send MOBI e-books to their device. Amazon generates for each user a special kindle.com email address that could be used to implement the “Send to Kindle” feature. Users can share the book with their device by sending it as an attachment to this email address from a predefined list of approved emails.
The experts discovered that Amazon did not verify the authenticity of the email sender, this means that attackers can spoof an email address that is present in the list of approved addresses.
“Since many email servers still don’t support authentication, it is not unreasonable to assume that Amazon will not verify the authenticity of the sender.” continues the post.
“To test this, I used an email spoofing service to spoof an email message and send an e-book to my device. To my pleasant surprise, the e-book appeared on the device! To make matters worse, there is no indication that the e-book was received from an email message. It also appeared on the home page of the Kindle with a cover image of our choice, which makes phishing attacks much easier.”
Once the e-book is sent to a target device, the attacker could have exploited a buffer overflow flaw in the JPEG XR image format library as well as a privilege escalation issue in the “stackdumpd” root process to inject arbitrary commands and run the code as root.
Upon opening the e-book and tapping on one of the links in the table of contents, the device will open an HTML page in the browser that contained a specially-crafted JPEG XR image. Once the image is parsed, the malicious code is executed allowing the attacker to carry out multiple malicious activities.
Experts also published a video PoC of the KindleDRIP exploit chain on a new Kindle 10 running firmware version 5.13.2..
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, KindleDRIP)