"Amazon Kindle RCE Attack Starts with an Email"
A researcher at Realmode Labs found three vulnerabilities in the Amazon Kindle e-reader. The first could allow an adversary to send an e-book to the victim's Kindle device. The second would allow an adversary to run arbitrary code while the e-book is parsed, in the context of a low-privileged user. The third would allow the attacker to escalate privileges and run code as root. The discovery of these vulnerabilities earned the researcher $18,000 from the Amazon bug-bounty program.

The researcher also found that it was possible to email malicious e-books to the devices via the "Send to Kindle" feature to start an attack chain. He is calling this attack "KindleDrip".

The first step in a KindleDrip attack is to send a malicious e-book to a target. The file is sent as an attachment and automatically shows up in the user's library; the victim receives no alert that something new has been added to the bookshelf. When the victim opens the innocent-looking book and touches one of the links in the table of contents, the link opens the built-in browser with an HTML page that contains a malicious JPEG XR image. The image is parsed, and malicious code then runs as root. The payload changes the boot background and restarts the device. The attacker then receives private credentials from the device and can log into the victim's account.

To make the attack work, an attacker would first need to know the email address assigned to the victim's device.
Threatpost reports: "Amazon Kindle RCE Attack Starts with an Email"