Experts devised a new exploit for the PaperCut flaw that can bypass all current detection

VulnCheck researchers devised a new exploit for a recently disclosed critical flaw in PaperCut servers that bypasses all current detections.

Cybersecurity researchers from VulnCheck have developed a new exploit for the recently disclosed critical flaw in PaperCut servers, tracked as CVE-2023-27350 (CVSS score: 9.8), that bypasses all current detections.

The CVE-2023-27350 flaw is a PaperCut MF/NG Improper Access Control Vulnerability. PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of SYSTEM.

On April 19th, Print management software provider PaperCut confirmed that it is aware of the active exploitation of the CVE-2023-27350 vulnerability.

The company received two vulnerability reports from the cybersecurity firm Trend Micro for high/critical severity security issues in PaperCut MF/NG. 

Trend Micro announced they will disclose further information (TBD) about the vulnerability on 10th May 2023.

The company addressed both vulnerabilities with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later, it highly recommends upgrading to one of these versions containing the fix.

Huntress researchers have observed post-exploitation activities within its partner environments after attackers exploited the above PaperCut MF/NG vulnerabilities.

Huntress security researcher Caleb Stewart also devised a proof-of-concept exploit for these threats, below is the video PoC shared by the company:

“From our recreated proof-of-concept, we observed child processes spawned underneath the pc-app.exe process. The screenshot below showcases a simple test of invoking PowerShell to call out to another location, demonstrating the achieved code execution.” reads the report published by Huntress.”

The researchers noticed that the domain hosting the tools employed in the attack, windowservicecemter[.]com, was registered on April 12, 2023. It is interesting to note that the domain was also hosting malware a variant of the TrueBot malware.

Today, VulnCheck experts published a proof-of-concept exploit that bypasses all published detections using a different code execution method.

The researchers explained that only two public exploit variants are publicly available:

1. Exploits that use the PaperCut print scripting interface to execute Windows commands (variations on the Horizon3.ai exploit).
2. Exploits that use the print scripting interface to drop a malicious JAR (see this Metasploit pull request).

The experts pointed out that both methods abuse the system’s built-in JavaScript interface.

“The JavaScript engine is Rhino, which also allows that user to execute arbitrary Java. PaperCut Software implemented configuration options to lessen the risk of this arbitrary code execution vector, but since the attacker has full administrative access, those protections are easily disabled.” states VulnCheck.

Currently, there are three types of detections respectively based on Sysmon (e.g. process creation analysis), log file analysis, and Network signatures.

The researchers demonstrated how to exploit the flaw abusing the “User/Group Sync” feature.

The PoC exploit devised by VulnCheck set the auth program to “/usr/sbin/python3” on Linux and “C:\Windows\System32\ftp.exe” on Windows. Threat actors can execute arbitrary code on vulnerable servers by providing a malicious username and password during a login attempt.

“An administrative user attacking PaperCut NG and MF can follow multiple paths to arbitrary code execution. Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks.” concludes the experts. “Attackers learn from defenders’ public detections, so it’s the defenders’ responsibility to produce robust detections that aren’t easily bypassed.”

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: 

https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PaperCut)