TLDR;
- Shodan can be used to find Calibre servers.
- I wrote an nmap script for identification and metadata analysis
- 2.5 million titles are available on identified servers
- An average of 10k~ titles per server
- If you use the Calibre web server, verify the authentication and it's network connectivity.
- The Calibre developers don't have the best history of dealing with security issues.
I love reading, and I especially like my e-readers. They allow you to carry and travel with hundreds of books. Calibre is an open source e-book management application, and probably one of the most popular. It's capable of running a server to allow remote users to browse and download books. Knowing this and being a pentester by trade, I became quite curious if there was any notable presence of Calibre on the internet. In it's default configuration, Calibre does not require any authentication to access the web interface. Using Shodan.io, we can search for the keyword Calibre in the server HTTP header.
Using the export function, we can gather a large number of possible Calibre web servers quickly. Depending on the version of Calibre, it's possible to extract the entire manifest of all the books. This includes the title, author, genre, etc. For the older version, it's possible to scrape the mobile interface using regex for the total number of books.
To help expedite the process of identifying Calibre web servers, I wrote a simple nmap script to help identify:
- Version
- If authentication is required
- Number of books
I created a pull request to have it integrated in future releases of nmap pending approval.
Using my script, I enumerated roughly 2,500,000 titles on unauthenticated Calibre servers.
Of the original 1,800 or so servers from Shodan, we were able to download the manifest file from 225 Calibre servers. Note this doesn't include unauthenticated servers which don't offer the manifest file. I didn't write a crawler to parse individual titles and requesting potentially 100s of pages from a single host.
From the 225 Calibre servers, I was able to identify about 10,000 unique titles. Some interesting observations:
- Ironically, there's a number of "cybersecurity" titles.
- I tried searching through the titles for sensitive documents such as "receipt" or "invoice" or "tax". Nothing.
- Unsurprisingly given world demographics, a large number of titles are not English. This might have hamstringed my manual analysis.
What next?
This is just a jumping off point that came from a lazy weekend morning, some interesting takeaways and ideas to for next steps
- Build an actual script to harvest all 2.5 million books.
- PDFs, EPUBs, and MOBIs can contain metadata. It may be possible to disclose sensitive information.
- There are some poorly documented API endpoints available via /cdb/ (unauth'd /cdb/cmd anyone?) which can be used to programmatically interface. If I was to to review Calibre more closely, I would start here.
Interesting. Your lazy morning amazed me
ReplyDeleteI set up a Calibre server 35 minutes ago. 5 minutes later people started knocking on the door of my server. Thank god for Little Snitch. And no thanks to you. [Except that it may actually improve Kovid Goyal's security, so thanks for that :-D )
ReplyDeletethanks for your lazy morning
ReplyDeletei use library genesis for books and internet-hacks.com to find better study resources
Delete
ReplyDeleteAmazing blog! I really like the way you explained such information about this post with us. And blog is really helpful for us this website
calibre-crack-serial-key-torrent
ausmalbilder für kinder
ReplyDeleteVery good article! We will be linking to this particularly great post on our website. Keep up the good writing.
ReplyDeleteLittle Snitch Crack
WavePad Sound Editor Crack
iExplorer Crack
FxSound Enhancer Crack
SolidWorks Crack
Reimage PC Repair Crack
DriverDoc Crack
Casinos that Accept Poker for Real Money
ReplyDeleteCasino Sites That Accept 카지노사이트 Poker for Real Money · 1. Wild Casino PA · 2. Ignition Casino PA · 3. BetMGM 카지노사이트 Casino · 4. Caesars Casino PA · 5. SuperSlots