A logical bug in the Kindle application manager (appmgrd) allows a framework user to execute code with root privileges.

Steps to reproduce the issue:
- The framework user has full access to the /var/tmp/framework directory, where they can create any executable file, for example a bash script.
- The framework user has read/write access to the /var/local/appreg.db SQLite3 database. They can modify a database entry using the /usr/lib/libsqlite3.so library or by simply editing the file.
- The attacker can modify the entry "com.lab126.browser|command|/usr/bin/mesquite -l com.lab126.browser -c file:///var/local/mesquite/browser/ -j" in the properties table.
- The value field can be set to
- The framework user can ask the appmgrd daemon to launch the browser app. This can be done using the /usr/lib/liblipc.so library or with the shell command:
  lipc-set-prop com.lab126.appmgrd start app://com.lab126.browser
- appmgrd will read the modified entry from /var/local/appreg.db and execute the command specified in the value field.
- attack.sh will be launched.
- The appmgrd daemon runs with root rights.
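A defensive check for the condition described above, written here as an added example (it is not part of the original report and not Kindle code): it audits the "command" properties in appreg.db and flags any entry whose executable sits in a location the framework user can write to, or outside a trusted system prefix. The properties table schema (handlerId, name, value), the prefix lists and the sample tampered value (/var/tmp/framework/attack.sh) are assumptions constructed for the example; the real appreg.db schema is not given on the page.

```python
import shlex
import sqlite3

# Assumed prefixes from which app launch commands may legitimately run.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")
# Locations the report says the framework user can write to.
WRITABLE_PREFIXES = ("/var/tmp/framework/", "/var/local/")


def audit_commands(conn):
    """Return a list of (handler_id, reason, value) for suspicious command entries.

    Assumes the properties table has columns handlerId, name, value (assumed
    schema; the page only shows entries of the form handler|name|value)."""
    findings = []
    rows = conn.execute(
        "SELECT handlerId, value FROM properties WHERE name = 'command'")
    for handler_id, value in rows:
        try:
            argv = shlex.split(value)
        except ValueError:
            findings.append((handler_id, "unparseable command", value))
            continue
        if not argv:
            findings.append((handler_id, "empty command", value))
            continue
        exe = argv[0]
        # Only the executable is checked; arguments may legitimately point at
        # /var/local (the genuine browser entry does), so they are not flagged.
        if not exe.startswith("/"):
            findings.append((handler_id, "relative executable path", value))
        elif exe.startswith(WRITABLE_PREFIXES):
            findings.append((handler_id, "executable in writable location", value))
        elif not exe.startswith(TRUSTED_PREFIXES):
            findings.append((handler_id, "executable outside trusted prefixes", value))
    return findings


def build_sample_db(tampered=False):
    """Build an in-memory appreg.db look-alike (constructed sample data).

    With tampered=False it holds the genuine browser entry quoted in the report;
    with tampered=True the command is replaced by a script in the writable
    framework directory, mirroring the described modification."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE properties (handlerId TEXT, name TEXT, value TEXT)")
    genuine = ("/usr/bin/mesquite -l com.lab126.browser "
               "-c file:///var/local/mesquite/browser/ -j")
    command = "/var/tmp/framework/attack.sh" if tampered else genuine  # assumed path
    conn.execute("INSERT INTO properties VALUES (?, ?, ?)",
                 ("com.lab126.browser", "command", command))
    conn.commit()
    return conn


def audit_file(path):
    """Audit an on-disk registry database, opened read-only."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit_commands(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered" if tampered else "genuine", audit_commands(build_sample_db(tampered)))
```

Run against a copy of the real database with audit_file("/var/local/appreg.db"); any finding means appmgrd, which runs as root, would launch a binary the framework user controls, which is exactly the gap the report describes.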