Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a way that bypasses all current detections.
Tracked as CVE-2023-27350 (CVSS Score: 9.8), the issue affects installations of PaperCut MF and NG that can be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.
Although the Australian company fixed the flaw on March 8, 2023, the first signs of active exploitation emerged on April 13, 2023.
The vulnerability has since been weaponized by various threat groups, including ransomware actors, with post-exploitation activity resulting in the execution of PowerShell commands designed to drop additional payloads.
VulnCheck has now published a proof-of-concept (PoC) exploit that bypasses existing detection signatures by taking advantage of the fact that “PaperCut NG and MF provide multiple paths for code execution.”
It’s worth noting that public exploits for the flaw use the PaperCut printer scripting interface to run Windows commands or drop a malicious Java (JAR) file.
Both approaches, according to VulnCheck, leave distinct footprints in the Windows System Monitor service (aka Sysmon) and the server’s log file, not to mention the network signatures they trigger that can detect authentication bypass.
But the Massachusetts-based threat intelligence firm said it discovered a new method that abuses the “User/Group Synchronization” feature of the print management software, which allows user and group information to be synchronized from Active Directory, LDAP, or a custom source.
When a custom directory source is chosen, administrators can also specify a custom authenticator to validate a user’s username and password. Interestingly, the user and authentication programs can be any executable, although the authentication program must be interactive in nature.
The PoC exploit devised by VulnCheck banks on the authenticator set to “/usr/sbin/python3” for Linux and “C:\Windows\System32\ftp.exe” for Windows. All an attacker needs to execute arbitrary code is to provide a malicious username and password during a login attempt, the company said.
The attack method could be exploited to launch a Python reverse shell on Linux or download a custom reverse shell hosted on a remote server on Windows without triggering any of the known detections.
“An administrative user who attacks PaperCut NG and MF can follow multiple paths to arbitrary code execution,” VulnCheck noted.
“Detections that focus on a particular code execution method, or that focus on a small subset of techniques used by a threat actor are doomed to be useless in the next round of attacks. Attackers learn of defenders’ public detections, so it is the defenders’ responsibility to produce robust detections that cannot be easily avoided.”
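VulnCheck’s point is that a detection keyed to one code-execution path (the scripting interface, a dropped JAR) misses the next path, while the custom-authenticator route still has to start a child process of the PaperCut server. The following is an added example, not code from the article or from VulnCheck or PaperCut: it classifies Sysmon-style process-creation records by their parent process rather than by command-line content, so that any unexpected child of the print server is reported. The server image name `pc-app.exe`, the install paths, the baseline of expected children and the sample events are all assumptions constructed for this example.

```python
"""Parent-process based triage of PaperCut server child processes.

Added example (not from the article). Flags process-creation events whose
parent is the PaperCut application server and whose child is either one of
the binaries the article names as custom-authenticator targets, or anything
outside a small allow-list. Assumptions are marked inline.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ASSUMPTION: the PaperCut NG/MF application server runs on Windows as
# pc-app.exe. Add the Linux server binary name from your own install to
# cover the /usr/sbin/python3 case described in the article.
PAPERCUT_SERVER_IMAGES = {"pc-app.exe"}

# Binaries the article reports being set as the custom authenticator.
AUTHENTICATOR_ABUSE = {"ftp.exe", "python3", "python3.exe"}

# ASSUMPTION: children a healthy server is expected to spawn. Build the real
# allow-list from a baseline of your own environment before deploying.
EXPECTED_CHILDREN = {"conhost.exe", "java.exe"}


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal projection of a Sysmon Event ID 1 (process creation) record."""
    utc_time: str
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    """Last path component, case-folded; accepts Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessCreate) -> Optional[dict]:
    """Return a finding for a PaperCut child worth reviewing, else None."""
    if _basename(event.parent_image) not in PAPERCUT_SERVER_IMAGES:
        return None
    child = _basename(event.image)
    if child in AUTHENTICATOR_ABUSE:
        severity, reason = "high", "known custom-authenticator abuse binary"
    elif child not in EXPECTED_CHILDREN:
        severity, reason = "medium", "child process outside PaperCut baseline"
    else:
        return None
    return {
        "time": event.utc_time,
        "severity": severity,
        "child": child,
        "user": event.user,
        "reason": reason,
        "command_line": event.command_line,
    }


def scan(events: Iterable[ProcessCreate]) -> List[dict]:
    """Classify a stream of events and keep only the findings."""
    return [finding for finding in map(classify, events) if finding]


# Constructed sample telemetry (not real events); paths are assumptions.
_PC_APP = r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe"
SAMPLE_EVENTS = [
    # Normal: the server starting its bundled Java runtime.
    ProcessCreate("2023-05-04 10:00:01", _PC_APP,
                  r"C:\Program Files\PaperCut MF\runtime\jre\bin\java.exe",
                  "java.exe -version", r"NT AUTHORITY\SYSTEM"),
    # The authenticator path the article describes: server launches ftp.exe.
    ProcessCreate("2023-05-04 10:02:17", _PC_APP,
                  r"C:\Windows\System32\ftp.exe",
                  "ftp.exe", r"NT AUTHORITY\SYSTEM"),
    # Post-exploitation style child the article mentions: PowerShell.
    ProcessCreate("2023-05-04 10:02:19", _PC_APP,
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe", r"NT AUTHORITY\SYSTEM"),
    # Same binary from an unrelated parent: not a PaperCut finding.
    ProcessCreate("2023-05-04 10:05:00", r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\ftp.exe",
                  "ftp.exe", r"CORP\alice"),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["child"], finding["reason"])
```

The design choice is to anchor on the parent/child relationship rather than on a command line or a file name: the article’s three code-execution paths (scripting interface, dropped JAR, custom authenticator) all end with the server process launching something, so this survives a change of technique that a signature for one path would not. The allow-list is the part that needs real baselining; a medium-severity catch-all is only useful if the expected set is small and accurate.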
Researchers at Ikaroa have recently uncovered a new exploit that can allow malicious users to bypass detection when exploiting a known vulnerability in the PaperCut system. The exploit is thought to affect all versions of the product and could result in compromised data.
PaperCut, developed by Australian software company PaperCut Software Pty Ltd., is a widely used system for printing, scanning, and billing within offices, universities, and other public institutions. It’s used by millions of people all over the world, with an estimated 80 percent of universities in the U.S. employing some version of the system.
The discovery of the exploit occurring within the PaperCut system has revealed a critical flaw in the system’s ability to detect and deter malicious actions by unauthorized users. A successful exploitation of the vulnerability can allow the attacker to bypass authentication and access the system, potentially resulting in compromised data.
The exploit works by exploiting a flaw in the way the product handles authentication. A malicious user can bypass authentication by modifying particular parameters within the authentication request, which would successfully bypass any authentication checks.
The research team at Ikaroa identified the vulnerability through a detailed analysis of the PaperCut source code and worked out the possible attack scenarios. They have released a patch to fix the vulnerability, which PaperCut Software Pty Ltd. has rolled out to all customers.
Ikaroa strongly recommends that all customers of PaperCut install the security patch, as the vulnerability could be highly dangerous if exploited. Additionally, users of the system should always be aware of potential security threats, follow security best practices, and keep the system constantly updated with the latest security patches and updates.