Researchers Uncover New Exploitation for PaperCut Vulnerability That Can Bypass Detection
Cybersecurity researchers have found a way to exploit a critical vulnerability recently disclosed in PaperCut servers in a manner that bypasses all current detections.
Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects installations of PaperCut MF and NG and could be exploited by unauthenticated attackers to execute arbitrary code with SYSTEM privileges.
While the flaw was patched by the Australian company on 8 March 2023, the first signs of active exploitation appeared on 13 April 2023.
Since then, the vulnerability has been weaponized by several threat groups, including ransomware actors, with post-exploitation activity that results in the execution of PowerShell commands designed to drop additional payloads.
Now, VulnCheck has published a proof-of-concept (PoC) exploit that circumvents existing detection signatures by taking advantage of the fact that “PaperCut NG and MF offer multiple paths for code execution.”
It should be noted that the public exploit for the flaw uses the PaperCut printer script interface to either execute Windows commands or drop malicious Java archive (JAR) files.
These two approaches, per VulnCheck, leave different traces in Windows System Monitor (aka Sysmon) events and server log files, and also trigger a network signature that can detect the authentication bypass.
But the Massachusetts-based threat intelligence firm says it has come up with a new method that abuses “User/Group Sync”, a feature that makes it possible to synchronize user and group information from Active Directory, LDAP, or custom sources.
When a custom directory source is selected, the user can also define a custom authentication program to validate a user’s username and password. Notably, the user sync and authentication programs can be any program at all, although the authentication program must be interactive.
The PoC exploit devised by VulnCheck relies on the authentication program being set to “/usr/sbin/python3” on Linux and “C:\Windows\System32\ftp.exe” on Windows. All an attacker then needs to do to execute arbitrary code is supply a malicious username and password during a login attempt, the company said.
The method can be used to launch a Python reverse shell on Linux, or to download a custom reverse shell hosted on a remote server on Windows, without triggering any known detection.
“An administrative user attacking PaperCut NG and MF could follow multiple paths to arbitrary code execution,” says VulnCheck.
“Detection that focuses on one particular method of code execution, or that focuses on a small subset of techniques used by one threat actor, will be redundant in the next round of attacks. Attackers learn from defenders’ public detections, so it is defenders’ responsibility to come up with a robust detection that is not easily bypassed.”
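To make VulnCheck’s point concrete, here is an added example (not code from the article or from VulnCheck) of a detection that flags every process spawned by the PaperCut server rather than matching only the PowerShell stage seen in earlier attacks, so the ftp.exe and python3 paths described above also surface. The PaperCut server process name (pc-app.exe) and the flattened Sysmon-style log format are assumptions for the example; the log records are constructed.

```python
import re
from typing import Dict, List

# Assumed name of the PaperCut application-server process (not stated in the article);
# check your own Sysmon data for the parent image PaperCut-spawned children carry.
PAPERCUT_PARENT = "pc-app.exe"

# Children the article ties to code execution: the PowerShell stage seen in the wild and
# the authentication programs VulnCheck's PoC relies on (ftp.exe on Windows, python3 on Linux).
KNOWN_PATHS = {"powershell.exe", "cmd.exe", "ftp.exe", "python3", "python3.exe"}

# Constructed Sysmon-style process-creation records (Event ID 1), flattened to key=value
# pairs separated by '|' purely for this example.
SAMPLE_LOG = """\
ParentImage=C:\\PaperCut MF\\server\\bin\\win\\pc-app.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -File C:\\Windows\\Temp\\a.ps1
ParentImage=C:\\PaperCut MF\\server\\bin\\win\\pc-app.exe|Image=C:\\Windows\\System32\\ftp.exe|CommandLine=ftp.exe
ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\PaperCut MF\\server\\bin\\win\\pc-app.exe|CommandLine=pc-app.exe
ParentImage=C:\\PaperCut MF\\server\\bin\\win\\pc-app.exe|Image=C:\\Users\\Public\\upd.exe|CommandLine=upd.exe
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dict (values may themselves contain '=')."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(log: str, parent: str = PAPERCUT_PARENT) -> List[Dict[str, str]]:
    """Return one finding per process whose parent is the PaperCut server process.

    Known code-execution paths are labelled as such; anything else is still reported as an
    unexpected child, so a new execution path does not silently escape the rule.
    """
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if basename(rec.get("ParentImage", "")) != parent:
            continue  # not spawned by the PaperCut server; ignore
        child = basename(rec.get("Image", ""))
        reason = "known code-execution path" if child in KNOWN_PATHS else "unexpected child process"
        findings.append({"child": child, "cmdline": rec.get("CommandLine", ""), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['reason']}: {f['child']} ({f['cmdline']})")
```

Tune the allow/deny sets to what the server legitimately launches in your environment (for example the configured sync and authentication programs) so that the catch-all branch stays actionable.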