CVE-2021-30354
Information
A logic bug in the Kindle application manager (appmgrd) allows the framework user to execute code with root privileges.
Steps to reproduce the issue:
- The framework user has full access to the /var/tmp/framework directory, where they can create any executable file, for example a bash script attack.sh.
- The framework user has read/write access to the /var/local/appreg.db sqlite3 database. They can modify a database entry using the /usr/lib/libsqlite3.so library or by simply editing the file.
- The attacker can modify the entry "com.lab126.browser|command|/usr/bin/mesquite -l com.lab126.browser -c file:///var/local/mesquite/browser/ -j" in the properties table.
- The value field can be set to /var/tmp/framework/attack.sh instead of /usr/bin/mesquite...
- The framework user can ask the appmgrd daemon to launch the browser app. This can be done using the /usr/lib/liblipc.so library or with the shell command lipc-set-prop com.lab126.appmgrd start app://com.lab126.browser
- appmgrd will read the modified entry from /var/local/appreg.db and execute the command specified in the value field.
- attack.sh will be launched.
- Because the appmgrd daemon runs with root rights, attack.sh now runs as root.
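The root cause is that appmgrd trusts a command path read from a database the framework user can write. An added example (not code from the advisory or from Amazon) of the integrity check a defender would run over such a registry: it flags every "command" property whose executable does not resolve into a trusted, root-owned directory. The three-column layout of the properties table (handle, name, value) is an assumption derived from the quoted "handle|command|value" entry; the database content below is constructed in memory for the demonstration.

```python
import os
import sqlite3

# Assumed schema for the "properties" table of appreg.db; the advisory quotes
# an entry as "handle|name|value", so it is modelled as three text columns.
SCHEMA = "CREATE TABLE properties (handle TEXT, name TEXT, value TEXT)"

# Directories from which app commands may legitimately be launched.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")


def audit_commands(conn, trusted_prefixes=TRUSTED_PREFIXES):
    """Return (handle, executable) for every 'command' property whose
    executable does not live under a trusted directory."""
    findings = []
    rows = conn.execute(
        "SELECT handle, value FROM properties WHERE name = 'command'")
    for handle, value in rows:
        # The value is a shell-style command line; the first token is the
        # executable. normpath collapses ".." so "/usr/bin/../../var/tmp/x"
        # is judged by where it really points, not by its prefix.
        executable = value.split()[0] if value.strip() else ""
        path = os.path.normpath(executable)
        if not any(path.startswith(p) for p in trusted_prefixes):
            findings.append((handle, path))
    return findings


def build_sample_db(command):
    """Constructed in-memory registry holding the browser entry from the
    advisory with the given command string as its value."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO properties VALUES (?, ?, ?)",
                 ("com.lab126.browser", "command", command))
    return conn


if __name__ == "__main__":
    legit = ("/usr/bin/mesquite -l com.lab126.browser "
             "-c file:///var/local/mesquite/browser/ -j")
    print(audit_commands(build_sample_db(legit)))  # []
    print(audit_commands(build_sample_db("/var/tmp/framework/attack.sh")))
```

On a real device the same query would be run against /var/local/appreg.db, and any hit is a sign the registry has been tampered with.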
References:
https://research.checkpoint.com/2021/i-can-take-over-your-kindle/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30355