
CVE-2023-27350: PaperCut NG/MF Print Management remote bypass

Vulnerabilities are like a box of chocolates, you never know which RCE you're gonna get.

Introduction


PaperCut NG/MF is a print management system that efficiently oversees and manages printing resources. The system offers user-friendly administrative and user tools that can be securely accessed from any network location through a web browser. PaperCut MF monitors and manages print, copy, fax, and scan activity on multifunctional devices (MFDs). Organizations of different sizes, including educational institutions, government agencies, and businesses across various industries, widely use the PaperCut Dashboard. The intended audience for this system includes IT managers, system administrators, network managers, and other individuals responsible for managing and monitoring printing activity, as well as associated costs within an organization.



On March 8th, 2023, updated versions of PaperCut's print management software for enterprise use were released. These updated versions contain patches designed to address two vulnerabilities that are known to the company: CVE-2023-27350 and CVE-2023-27351. According to the current PaperCut security advisory, CVE-2023-27350 is a vulnerability that could allow attackers to execute code remotely, compromising the PaperCut application server. In the same advisory, PaperCut explains that they learned about the vulnerability from the Zero Day Initiative (ZDI). The ZDI case, ZDI-CAN-18987, details the exposure as an authentication bypass that results in code execution.

This article summarises the methodology used to uncover the vulnerability, examine its root cause, analyse the associated patch, and showcase a proof-of-concept exploit.


On April 19th, 2023, PaperCut received notification of product exploitation happening in the wild. They immediately responded by publishing further details, including various indicators of compromise, such as log file entries, known malicious domains, and YARA rules that can help detect malicious activity. On April 21st, 2023, Huntress released their findings regarding this vulnerability, which included information on how it is exploitable and additional indicators of compromise.

Uncovering the Vulnerability


The flaw in question is found in the SetupCompleted class due to inadequate access control measures. This vulnerability allows an attacker to bypass authentication and execute arbitrary code within the context of SYSTEM. In other words, an attacker can exploit this vulnerability to gain unauthorized access and execute code with elevated privileges.


The SetupCompleted class that contains the vulnerability can be found within the pcng-server-web-19.2.7.jar file, located at "C:\Program Files\PaperCut NG\server\lib". One can decompile this JAR file through several methods, but we have utilized the CFR utility. This tool allows Java code to be decompiled into human-readable code that can then be analyzed using diffing tools.

To decompile the class, we ran the following command:


java -jar cfr-0.152.jar v19.2.7/web-jar/pcng-server-web-19.2.7.jar --outputdir v19.2.7/web-jar/decompiled/

Upon examining the decompiled class at "./biz/papercut/pcng/web/setup/SetupCompleted.java", we noticed that submitting the form triggers the performLogin() function for the Admin user at line 48.

You can find the performLogin() function in the Home.java file, located at:


 ./biz/papercut/pcng/web/pages/

SetupCompleted.java file

The "performLogin()" function is usually called after a user has logged in and their password has been confirmed. However, in the SetupCompleted flow, the function unintentionally verifies the session of an anonymous user, making the web application vulnerable to Session Puzzling.

performLogin function

When comparing the SetupCompleted class in the vulnerable version 19.2.7 to the patched version 21.2.11 using Meld, it becomes apparent that if the setup has already been completed, accessing this page will redirect to the 'Home' page. This change eliminates the Session Puzzling logic flaw.


SetupClass version comparison

To verify the authentication bypass in the graphical user interface, we navigate to the URL: "http://<IP : PORT>/app?service=page/SetupComplete" and click on the 'Login' button.


Crafting the Attack Vector


The Huntress blog highlights a technique for achieving remote code execution by exploiting the printers' "Scripting" feature. Further examination of the Device Scripting page shows that it allows administrators to create hooks for modifying printing across the organization.


Leveraging scripting functionality for exploitation

The Device Scripting feature enables system administrators to customize printing functions across the enterprise by writing JavaScript code. The scripts are executed in the context of the PaperCut service, which on Windows deployments runs as "NT AUTHORITY\SYSTEM".

Code execution proof

Creating a script to interact with the website is easy. However, due to the dynamic form fields used by the PaperCut web application, the process becomes more complex.

Dynamic form fields demonstrated

To create the proof-of-concept exploit, it's necessary to use sessions and request each page individually, as if using the user interface, so that the form fields are correctly populated. The PaperCut web app generates its form fields dynamically based on the previous request, which is what makes scripting against the site more complex.


Exploit code

Proof of Concept and demo




Red Flags of the Attack


PaperCut's official advisory, which includes indicators observed during in-the-wild exploitation of the vulnerability, recommends closely monitoring the logs for suspicious activity. Specifically, the "Logs -> Application Log" tab may show indicators such as unfamiliar source IP addresses, unusual activity timing, and multiple events happening in rapid succession. Although most of these indicators may occur frequently, the monitoring team should carefully examine them to identify and uncover any potential attacks.


Authentication Bypass Indicator:

  • User "admin" first logs into the administration interface.

Settings alteration Indicator (Precursor to RCE):

  • User "admin" updated the configuration key "<A>" to "<B>". Specifically, watch for changes to the keys print.script.sandboxed and print-and-device.script.enabled.


Remote Code Execution Indicator:

  • The admin user "admin" modified the print script on printer "<printer>".
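
The three indicators above can be correlated automatically. The following is an added example, not code from PaperCut or from the original article: it flags each indicator and reports when all three appear in rapid succession. The tab-separated "timestamp, message" row format, the 30-minute window and the sample rows are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Keys and message patterns come from the indicators listed above.
WATCHED_KEYS = {"print.script.sandboxed", "print-and-device.script.enabled"}
PATTERNS = [
    ("auth_bypass", re.compile(r'User "admin" first logs into the administration interface')),
    ("settings_change", re.compile(r'User "admin" updated the config(?:uration)? key "([^"]+)" to "([^"]*)"')),
    ("script_modified", re.compile(r'admin user "admin" modified the print script on printer "([^"]*)"', re.I)),
]

def classify(message):
    """Return the indicator stage for one log message, or None."""
    for stage, pattern in PATTERNS:
        match = pattern.search(message)
        if match is None:
            continue
        if stage == "settings_change" and match.group(1) not in WATCHED_KEYS:
            return None  # other key changes are routine administration
        return stage
    return None

def scan(lines, window=timedelta(minutes=30)):
    """Return (hits, chains) for chronological 'ISO-timestamp<TAB>message' rows."""
    hits, chains, last_seen = [], [], {}
    for line in lines:
        stamp, _, message = line.rstrip("\n").partition("\t")
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # header row or malformed line
        stage = classify(message)
        if stage is None:
            continue
        hits.append((when, stage))
        last_seen[stage] = when
        # Chain: script change preceded in-window by first login and a watched key change.
        if stage == "script_modified":
            earlier = [last_seen.get(s) for s in ("auth_bypass", "settings_change")]
            if all(t is not None and when - t <= window for t in earlier):
                chains.append(when)
    return hits, chains

# Constructed sample rows (assumed export format), not from a real server.
SAMPLE = [
    '2023-04-19T02:11:05\tUser "admin" first logs into the administration interface.',
    '2023-04-19T02:11:40\tUser "admin" updated the configuration key "print.script.sandboxed" to "N".',
    '2023-04-19T02:11:41\tUser "admin" updated the configuration key "constructed.other.key" to "x".',
    '2023-04-19T02:12:10\tThe admin user "admin" modified the print script on printer "constructed-printer".',
]
```

Individual hits deserve review on their own, as the advisory notes; a reported chain is the stronger signal because it matches the full sequence from first admin login to print script modification.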


Mitigation


PaperCut MF and NG versions 22.0 have addressed these vulnerabilities with the released updates, and users should update their software to the latest available version immediately.

