Mobileread
Spitballing on future JBs
#1  inexplicable_ham 08-15-2022, 05:01 AM
Hi all, long time listener, first time caller. I read the writeup on KindleDrip and KindleBreak which exploited a couple vulnerabilities to get root access on kindles that facilitated their jailbreaks.

I dunno if this is a dumb question, but is it possible that >=5.14.3 firmwares are running vulnerable versions of the linux kernel where there are known privilege escalation exploits?

I'm on my phone right now so I only did a little poking around in the termux app, but I downloaded Kindle_src_5.14.3.0.1_3838590001.tar.gz from the GPL release page, and it appears to include linux kernel version 4.9.77, which is a pretty old release. There are a few big exploits that could get us root access if they haven't been patched.

Maybe I'm just being dumb and the GPL releases aren't all that close to the linux kernel that's actually included in the Kindle firmware, but this seems like a really nice community so I thought I'd ask!
Reply 

#2  NiLuJe 08-15-2022, 02:09 PM
The main issue is getting code execution, privilege escalation is (usually) far "easier" (once upon a time because what flaws we found were already in stuff running as a privileged user ;p).
Reply 

#3  Mike Li 08-15-2022, 07:40 PM
My system version is 5.14.3.0.1. how can I BJ? I seemed hopeless for a while....
Reply 

#4  inexplicable_ham 08-16-2022, 01:40 AM
Quote NiLuJe
The main issue is getting code execution, privilege escalation is (usually) far "easier" (once upon a time because what flaws we found were already in stuff running as a privileged user ;p).
I see, in which case I can dig around for code execution! Do you have any tips? I figure since the kernel is from 2018, it's likely there's going to be a library or dependency somewhere that's old enough to be vulnerable to something for which POCs already exist. Have people already gone through metasploit and exploitdb for these?

I'm going to look for stuff related to file formats, the browser, bluetooth, and email as a first pass. If there's nothing obvious then I'll have to walk all the way over to my laptop and probe for running services...

I'm not an experienced hacker and I just like making my devices work on my terms rather than someone else's, so I don't know how far I'll get. Hopefully I'm not embarrassing myself in my naivete!
Reply 

#5  inexplicable_ham 08-17-2022, 06:24 PM
WebKit seems like a good target. Maybe someone will have a POC or write-up sometime this week.
https://www.macworld.com/article/833211/macos-monterey-12-5-1-security-updates.html

If not, I think there are still older webkit RCEs and other parts of gtk like cairo that may work.
Reply 

#6  JSWolf 08-17-2022, 07:40 PM
Quote Mike Li
My system version is 5.14.3.0.1. how can I BJ? I seemed hopeless for a while....
Trust me when I say this...

You do not want to BJ your Kindle. Not now and not ever.
Reply 

Today's Posts | Search this Thread | Login | Register