
CERT Coordination Center

Amazon Kindle Touch libkindleplugin scriptable browser plugin vulnerability

Vulnerability Note VU#122656

Original Release Date: 2012-07-30 | Last Revised: 2013-04-08

Overview

Kindle Touch 5.1.0 contains a scriptable browser plugin that a malicious web page can invoke when a user accesses it.

Description

It has been reported that Kindle Touch 5.1.0 has introduced an NPAPI plugin /usr/lib/libkindleplugin.so (symlinked to /usr/lib/browser/plugins/libkindleplugin.so) that can be used by the system-wide WebKit engine. libkindleplugin is scriptable by the browser and can be invoked to access its "exported" native methods when a user accesses a web page containing embedded scripts.

The user eureka has reported on the MobileRead forums that they have found multiple "exported" properties and methods associated with libkindleplugin.

    • property test (it just returns number 500)
    • method dev.log
    • method lipc.set
    • method lipc.get
    • method todo.scheduleItems
    • plugin.test
    • plugin.lipc.test
    • plugin.dev.test
    • plugin.todo.test

Impact

By convincing a user to access a specially crafted web page, a remote, unauthenticated attacker may be able to execute arbitrary code with root privileges.

Solution

Update
It has been reported that Kindle Touch 5.1.2 deletes the NPAPI plugin /usr/lib/libkindleplugin.so, the symlink /usr/lib/browser/plugins/libkindleplugin.so and the directory /usr/lib/browser. Users are advised to upgrade to Kindle Touch 5.1.2.

Disable libkindleplugin

Users are advised to disable libkindleplugin by renaming or removing the /usr/lib/browser/plugins/libkindleplugin.so symlink.
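The workaround above as a POSIX sh script that reports whether the plugin is still reachable by the browser and removes the symlink if so. This is an added example, not part of the original note or of Amazon's software; the optional ROOT argument (so the check can also run against an extracted filesystem tree) and the function names are assumptions, and it removes the symlink rather than renaming it.

```sh
#!/bin/sh
# Added example: check for and disable the libkindleplugin browser plugin.
# Paths are the ones named in this note; ROOT and function names are assumptions.
PLUGIN=usr/lib/libkindleplugin.so
LINK=usr/lib/browser/plugins/libkindleplugin.so

# plugin_state [ROOT] prints one of:
#   exposed  - an entry exists in the browser plugin directory
#   disabled - the library is on disk but not linked into the plugin directory
#   absent   - neither the library nor the symlink exists
plugin_state() {
    root=${1:-/}; root=${root%/}
    # -L also catches a dangling symlink, which is still treated as exposed.
    if [ -e "$root/$LINK" ] || [ -L "$root/$LINK" ]; then
        echo exposed
    elif [ -e "$root/$PLUGIN" ]; then
        echo disabled
    else
        echo absent
    fi
}

# disable_plugin [ROOT] removes the plugin-directory entry only, leaving the
# library itself untouched. Returns 0 when the plugin is no longer exposed.
disable_plugin() {
    root=${1:-/}; root=${root%/}
    if [ "$(plugin_state "$root")" = exposed ]; then
        rm -f "$root/$LINK" || return 1
    fi
    [ "$(plugin_state "$root")" != exposed ]
}

# Usage: script check [ROOT] | script disable [ROOT]
case "${1:-}" in
    check)   plugin_state "${2:-/}" ;;
    disable) disable_plugin "${2:-/}" && plugin_state "${2:-/}" ;;
esac
```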

Vendor Information


Amazon Affected

Notified:  July 30, 2012 Updated: August 01, 2012

Status

Affected

Vendor Statement

We have previously been made aware of this specific issue and have released updated software, version 5.1.2, containing the necessary adjustments.

Updated software for Kindle devices is available for download at http://www.amazon.com/kindlesoftwareupdates

Vendor Information

It has been reported that Kindle Touch 5.1.2 deletes the NPAPI plugin /usr/lib/libkindleplugin.so, the symlink /usr/lib/browser/plugins/libkindleplugin.so and the directory /usr/lib/browser. Users are advised to upgrade to Kindle Touch 5.1.2.

Vendor References


CVSS Metrics

Group          Score  Vector
Base           9.3    AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal       7.3    E:POC/RL:OF/RC:C
Environmental  1.8    CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to eureka on the MobileRead forums for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-4248, CVE-2012-4249
Date Public: 2012-04-04
Date First Published: 2012-07-30
Date Last Updated: 2013-04-08 23:37 UTC
Document Revision: 22

Sponsored by CISA.