A logical bug in the Kindle application manager allows the framework user to execute code with root privileges.

Steps to reproduce the issue:

  1. The framework user has full access to the /var/tmp/framework directory, where they can create any executable file. For example, it might be a bash script file.
  2. The framework user has read/write access to the /var/local/appreg.db sqlite3 database. They can modify a database entry using the /usr/lib/ library or by simply editing the file.
  3. The attacker can modify the entry "com.lab126.browser|command|/usr/bin/mesquite -l com.lab126.browser -c file:///var/local/mesquite/browser/ -j" in the properties table.
  4. The value field can be set to /var/tmp/framework/ instead of /usr/bin/mesquite...
  5. The framework user can ask the appmgrd daemon to launch the browser app. This can be done using the /usr/lib/ library or with the shell command lipc-set-prop com.lab126.appmgrd start app://com.lab126.browser.
  6. The appmgrd daemon will read the modified entry from /var/local/appreg.db and execute the command specified in the value field.
  7. The will be launched.
  8. The appmgrd daemon now runs with root rights.
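As an added defensive example (not part of the advisory), the following script audits the "command" entries of an appreg.db-style database and flags any whose executable lives outside root-only directories, which is exactly the condition the steps above rely on. The properties table layout (handle, name, value), the column names and the second sample row are assumptions; only the browser entry is quoted from the advisory.

```python
import shlex
import sqlite3

# Directories only root can write to on the device; a launch command whose
# executable lives elsewhere (e.g. /var/tmp/framework) is suspect.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")


def make_sample_db():
    """Constructed in-memory stand-in for /var/local/appreg.db.
    The (handle, name, value) layout is assumed, not the real Kindle schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE properties (handle TEXT, name TEXT, value TEXT)")
    db.executemany("INSERT INTO properties VALUES (?, ?, ?)", [
        # the entry quoted in the advisory
        ("com.lab126.browser", "command",
         "/usr/bin/mesquite -l com.lab126.browser -c file:///var/local/mesquite/browser/ -j"),
        # constructed example of a tampered entry pointing into the writable directory
        ("com.lab126.sample", "command", "/var/tmp/framework/launch.sh"),
    ])
    return db


def audit_commands(db):
    """Return (handle, executable, reason) for each command entry that appmgrd
    would launch from outside the trusted prefixes."""
    findings = []
    rows = db.execute("SELECT handle, value FROM properties WHERE name = 'command'")
    for handle, value in rows:
        try:
            argv = shlex.split(value)
        except ValueError:
            findings.append((handle, value, "unparseable command"))
            continue
        if not argv:
            findings.append((handle, value, "empty command"))
            continue
        exe = argv[0]
        if not exe.startswith("/"):
            findings.append((handle, exe, "relative path resolved via PATH"))
        elif "/../" in exe or not exe.startswith(TRUSTED_PREFIXES):
            findings.append((handle, exe, "executable outside trusted prefixes"))
    return findings


if __name__ == "__main__":
    for finding in audit_commands(make_sample_db()):
        print(*finding)
```

On a real device the same check would be run against /var/local/appreg.db itself, together with a verification that appmgrd refuses to launch executables from directories writable by the framework user.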