Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability exists in Calibre's CHM (Compiled HTML Help) reader component prior to version 9.2.0. It is a path traversal flaw that allows an attacker to write arbitrary files anywhere the user has write permissions by exploiting improper sanitization of file paths during CHM file extraction."}, {'type': 'paragraph', 'content': "Specifically, the vulnerability arises because the software does not properly neutralize directory traversal sequences like '..' in file paths extracted from CHM files. This allows files to be written outside the intended extraction directory."}, {'type': 'paragraph', 'content': 'On Windows systems, this can be exploited to write malicious files to sensitive locations such as the Startup folder, which leads to remote code execution when the user logs in next time.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can have severe impacts including unauthorized file writes and remote code execution on affected systems.

• An attacker can craft a malicious CHM file that, when opened in a vulnerable version of Calibre, writes arbitrary files anywhere the user has write permissions.
• On Windows, this includes writing a malicious batch file to the Startup folder, which executes automatically on the next user login, allowing the attacker to run arbitrary code remotely.
• This compromises the confidentiality, integrity, and availability of the system, potentially leading to full system compromise.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if Calibre versions prior to 9.2.0 are installed and by monitoring for suspicious file writes outside the intended extraction directory, especially writes to the Windows Startup folder.'}, {'type': 'paragraph', 'content': 'On Windows systems, you can look for unexpected files such as batch scripts (e.g., rce.bat) in the Startup folder that could indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect potential exploitation include:'}, {'type': 'list_item', 'content': 'Check Calibre version installed: `calibre --version` or check the application version in its About menu.'}, {'type': 'list_item', 'content': 'Search for suspicious files in the Startup folder: `dir "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"`'}, {'type': 'list_item', 'content': 'Monitor recent file creation events in the Startup folder using PowerShell: `Get-ChildItem "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }`'}, {'type': 'list_item', 'content': 'Check for presence of malicious CHM files or unusual CHM extraction activity in Calibre logs if available.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Calibre to version 9.2.0 or later, where this path traversal vulnerability has been fixed.

Until the upgrade is applied, avoid opening untrusted or suspicious CHM files in Calibre, especially on Windows systems.

Additionally, monitor and remove any unauthorized files in the Windows Startup folder that could lead to remote code execution.

Implement user awareness to prevent opening malicious CHM files and consider restricting write permissions to sensitive directories like the Startup folder.

Useful 0 Not Useful 0