Amazon has addressed a number of flaws in its Kindle e-reader platform that could have allowed an attacker to take control of victims' devices by simply sending them a malicious e-book.
Dubbed "KindleDrip," the exploit chain takes advantage of a feature called "Send to Kindle" to send a malware-laced document to a Kindle device that, when opened, could be leveraged to remotely execute arbitrary code on the device and make unauthorized purchases.
"The code runs as root, and the attacker only needs to know the email address assigned to the victim's device," said Yogev Bar-On, a security researcher for Realmode Labs, in a technical write-up on Thursday.
The first vulnerability lets a bad actor send an e-book to a Kindle, the second flaw allows for remote code execution while the e-book is parsed, and a third issue makes it possible to escalate privileges and run the code as the "root" user.
When chained together, these weaknesses could be abused to steal device credentials and purchase e-books that the attackers themselves had listed on the Kindle store, charging the target's credit card.
Amazon fixed the flaws on December 10, 2020, for all Kindle models released after 2014 following Bar-On's responsible disclosure on October 17. He was also awarded $18,000 as part of the Amazon Vulnerability Research Program.
Sending a Malicious e-book from a Spoofed Address
An important aspect of the Send to Kindle feature is that it only works when a document is sent as an attachment to a "kindle.com" email address ([name]@kindle.com) from email accounts that have been previously added to an "Approved Personal Document E-mail List."
Or at least that's how it should work. What Bar-On found instead was that Amazon did not verify the authenticity of the email sender, and an e-book sent from an approved-but-spoofed address appeared in the library automatically, with no indication that it had arrived by email.
Pulling this off, however, requires knowledge of the destination Kindle email address, a unique "[name]@kindle.com" address assigned to each Kindle device or app upon registration. Although in some cases the name is suffixed with a random string, Bar-On argues that the entropy of most addresses is low enough for them to be guessed trivially by brute force.
Once the e-book has been sent to the victim's device, the attack moves to its next stage. It exploits a buffer overflow in the JPEG XR image format library, together with a privilege escalation bug in one of the root processes ("stackdumpd"), to inject arbitrary commands and run them as root.
When an unsuspecting user opens the e-book and taps one of the links in its table of contents, the Kindle opens an HTML page in the browser that contains a specially crafted JPEG XR image; parsing that image file runs the attack code, allowing the adversary to steal the user's credentials, take control of the device, and virtually access personal information associated with the victim.
Amazon has now remediated the security holes: whenever a document is sent from an unrecognized email address, the user is sent a verification link to a pre-approved address.
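The weakness described above, and the shape of the fix, can be shown with a small model of a "send document to device" mail gateway. This is an added illustration, not Amazon's code: every device address, sender, message and file name in it is constructed for the example, and the Authentication-Results values stand in for what a real receiving mail server would record after evaluating SPF, DKIM and DMARC. `weak_gateway` decides approved-list membership from the From header alone, so a message whose From line merely matches an approved sender is filed straight into the library; `hardened_gateway` additionally requires a DMARC pass (the check that aligns the authenticated domain with the header From) and parks everything else behind a verification token that the owner must confirm from a pre-approved address.

```python
"""Toy model of an approved-sender document gateway (constructed example)."""
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
import secrets


@dataclass
class Device:
    address: str                     # the device's own receiving address
    approved_senders: set            # the approved personal-document list
    library: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # token -> (sender, documents)


def _sender(msg: Message) -> str:
    """Mailbox part of the From header, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].lower()


def _attachments(msg: Message) -> list:
    """File names of every attached part."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def _dmarc_pass(msg: Message) -> bool:
    """True if the receiving mail server recorded a DMARC pass.

    Authentication-Results is written by the receiving server (which must
    strip any copy supplied by the sender). DMARC, unlike SPF alone, requires
    the authenticated domain to align with the header From, which is exactly
    the field a forged message fakes.
    """
    header = msg.get("Authentication-Results", "")
    results = {p.strip().split()[0] for p in header.split(";")[1:] if p.strip()}
    return "dmarc=pass" in results


def weak_gateway(device: Device, raw_mail: str) -> str:
    """Flawed behaviour: trusts the From header on its own."""
    msg = message_from_string(raw_mail)
    if _sender(msg) in device.approved_senders:
        device.library.extend(_attachments(msg))
        return "delivered"
    return "rejected"


def hardened_gateway(device: Device, raw_mail: str) -> str:
    """Remediated behaviour: approved sender AND authenticated mail, or else
    a verification token is issued (sending the link itself is out of scope)."""
    msg = message_from_string(raw_mail)
    sender, docs = _sender(msg), _attachments(msg)
    if sender in device.approved_senders and _dmarc_pass(msg):
        device.library.extend(docs)
        return "delivered"
    device.pending[secrets.token_urlsafe(16)] = (sender, docs)
    return "verification-required"


def confirm(device: Device, token: str) -> bool:
    """Owner followed the verification link from a pre-approved inbox."""
    entry = device.pending.pop(token, None)
    if entry is None:
        return False            # unknown or already-used token
    device.library.extend(entry[1])
    return True


def _mail(from_addr: str, auth_results: str, filename: str) -> str:
    """Build a constructed raw message carrying one attachment."""
    return (
        f"From: {from_addr}\n"
        "To: reader-device@example-reader.test\n"
        f"Authentication-Results: mx.example-reader.test; {auth_results}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nsee attached\n"
        f'--b1\nContent-Disposition: attachment; filename="{filename}"\n'
        "Content-Type: application/octet-stream\n\n...document bytes...\n"
        "--b1--\n"
    )


# Constructed sample traffic: a genuine owner message, a message whose From
# header merely claims to be the owner (DMARC fails), and an unknown sender.
GENUINE = _mail("owner@example.com", "dmarc=pass header.from=example.com", "novel.mobi")
FORGED = _mail("owner@example.com",
               "spf=fail smtp.mailfrom=other.test; dmarc=fail header.from=example.com",
               "forged-sender.mobi")
UNKNOWN = _mail("friend@example.org", "dmarc=pass header.from=example.org", "notes.pdf")


def demo() -> dict:
    """Run the three samples through both gateways and report what landed."""
    weak_dev = Device("reader-device@example-reader.test", {"owner@example.com"})
    hard_dev = Device("reader-device@example-reader.test", {"owner@example.com"})
    return {
        "weak": [weak_gateway(weak_dev, m) for m in (GENUINE, FORGED, UNKNOWN)],
        "weak_library": list(weak_dev.library),
        "hardened": [hardened_gateway(hard_dev, m) for m in (GENUINE, FORGED, UNKNOWN)],
        "hardened_library": list(hard_dev.library),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the forged-From message landing in the weak gateway's library beside the genuine one, while the hardened gateway delivers only the authenticated owner message and holds the other two for confirmation; `confirm` accepts each token once, so a verification link cannot be replayed.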
Software updates on Kindle devices are downloaded and installed by default when the device is connected wirelessly. Users can go to Settings → Menu → Device Info to check whether their firmware is up to date and, if not, manually download and install the 5.13.4 update to mitigate the flaws.