Calibre Web and Autocaliweb OS Command Injection Vulnerability

Vulnerability

A blind OS command injection vulnerability has been identified in Calibre Web version 0.6.24 (Nicolette) and in Autocaliweb versions from 0.7.0 prior to 0.7.1. It allows an authenticated admin user to execute an arbitrary binary on the server by submitting its absolute path through a vulnerable endpoint. The binary runs without arguments, which limits control over its behaviour, but it can still be used to run commands that affect system operation or integrity.

Impact

Exploitation of this vulnerability allows for arbitrary command execution with the privileges of the application user, potentially leading to unauthorized access, data manipulation, or disruption of services.

Reproduction

To reproduce this vulnerability, log into an affected Calibre Web or Autocaliweb instance as an admin user. Send a POST request to the '/admin/ajaxconfig' endpoint whose payload sets 'config_rarfile_location' to the absolute path of a binary executable. The 'check_unrar()' function verifies only that the path exists, not what the file is. Once the path is accepted, the binary is executed via 'process_wait()', which, depending on the binary chosen, can for example reboot the system or open an interactive shell.

Remediation

Users of Autocaliweb should update to version 0.7.1, which addresses this vulnerability. For Calibre Web, no patch is currently available.
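The root cause described under Reproduction is a configuration check that tests whether a path exists but not whether it points at the tool the setting is for. The following is an added illustration, not code from Calibre Web or Autocaliweb and not the Autocaliweb 0.7.1 fix: a hypothetical existence-only check of the kind the advisory describes next to a hardened validator that only accepts an allowlisted tool name in an allowlisted directory, after resolving symlinks, and that rejects files other users could modify. The allowlists, file names and the scratch directory used by run_demo() are constructed for the example.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Iterable, Tuple

# Constructed allowlists for this example only (not Calibre Web's or Autocaliweb's
# own configuration): the one tool the setting is meant to hold, and the
# directories in which a packaged copy of it may legitimately live.
DEFAULT_ALLOWED_NAMES = ("unrar",)
DEFAULT_ALLOWED_DIRS = ("/usr/bin", "/usr/local/bin")


def existence_only_check(path: str) -> bool:
    """The weak check the advisory describes: any existing file is accepted,
    so an operator-chosen executable passes as readily as the real tool."""
    return os.path.isfile(path)


def validate_tool_path(path: str,
                       allowed_names: Iterable[str] = DEFAULT_ALLOWED_NAMES,
                       allowed_dirs: Iterable[str] = DEFAULT_ALLOWED_DIRS) -> Tuple[bool, str]:
    """Hardened check (hypothetical replacement, not the projects' code).

    Accepts only a regular, executable file whose symlink-resolved directory
    and basename are both allowlisted and which other users cannot modify.
    Returns (accepted, reason_or_resolved_path).
    """
    if not os.path.isabs(path):
        return False, "path must be absolute"
    real = Path(path).resolve()                      # decide on the real target, not the link
    if real.parent not in {Path(d).resolve() for d in allowed_dirs}:
        return False, f"{real.parent} is not an allowed tool directory"
    if real.name not in set(allowed_names):
        return False, f"{real.name} is not an allowed tool name"
    try:
        st = real.stat()
    except OSError as exc:
        return False, f"cannot stat target: {exc}"
    if not stat.S_ISREG(st.st_mode):
        return False, "target is not a regular file"
    if not os.access(real, os.X_OK):
        return False, "target is not executable"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "target is writable by group or others"
    return True, str(real)


def run_demo() -> dict:
    """Constructed fixture: a scratch 'tools' directory holding a fake unrar and
    an unrelated executable, plus a symlink named unrar elsewhere that points at
    the unrelated one. Returns the accept/reject outcome of each check."""
    root = Path(tempfile.mkdtemp(prefix="toolcheck-"))
    tools, elsewhere = root / "tools", root / "elsewhere"
    tools.mkdir()
    elsewhere.mkdir()
    genuine, other = tools / "unrar", tools / "some-other-binary"
    for p in (genuine, other):
        p.write_text("#!/bin/sh\nexit 0\n")          # stand-in executables, never run here
        p.chmod(0o755)
    alias = elsewhere / "unrar"
    alias.symlink_to(other)
    in_tools = (str(tools),)
    results = {
        "weak_accepts_other": existence_only_check(str(other)),
        "genuine": validate_tool_path(str(genuine), allowed_dirs=in_tools)[0],
        "other_binary": validate_tool_path(str(other), allowed_dirs=in_tools)[0],
        "relative_path": validate_tool_path("unrar", allowed_dirs=in_tools)[0],
        "symlink_escape": validate_tool_path(str(alias), allowed_dirs=(str(elsewhere),))[0],
    }
    genuine.chmod(0o777)                               # now anyone could swap its contents
    results["world_writable"] = validate_tool_path(str(genuine), allowed_dirs=in_tools)[0]
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:20s} -> {'accepted' if accepted else 'rejected'}")
```

The symlink case is the one most easily missed: a check that looks only at the submitted string would see an allowlisted directory and name, while the file that actually runs lives somewhere else, so the decision has to be made on the resolved target. Nothing in the block executes the configured file; a deployment that wants stronger assurance can additionally compare the file's hash against the packaged tool before the first call to the equivalent of process_wait().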

Added: Jul 24, 2025, 9:19 PM
Updated: Jul 24, 2025, 9:19 PM

Vulnerability Rating

Custom Algorithm

  spread          2.6
  impact          7.5
  exploitability  5.3
  remediation     7.7
  relevance       0.3
  threat          6.5
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.