Researchers have published a new exploit for the PaperCut vulnerability CVE-2023-27350 that bypasses the detection signatures written for the earlier public exploits.

Cybersecurity researchers have uncovered a new way to exploit a critical vulnerability (CVE-2023-27350, CVSS score: 9.8) in PaperCut NG and MF servers. The flaw is an authentication bypass that lets an unauthenticated attacker execute arbitrary code with SYSTEM privileges. PaperCut, an Australian company, released a patch on March 8, 2023, but active exploitation was detected on April 13, 2023. Since then, multiple threat groups, including ransomware actors, have weaponized the vulnerability, typically executing PowerShell commands to drop additional payloads. VulnCheck has now published a proof-of-concept (PoC) exploit that circumvents the existing detection signatures by taking advantage of the fact that PaperCut NG and MF offer multiple paths to code execution. The previously public exploits for the flaw use the PaperCut printer scripting interface either to execute Windows commands or to drop a malicious Java archive (JAR) file. As VulnCheck reports, both approaches leave distinct footprints in Windows System Monitor (Sysmon) process-creation logs and in the server's own log file, and both trigger network signatures that detect the authentication bypass.

VulnCheck, a Massachusetts-based threat intelligence firm, has found a new method of abuse that exploits the "User/Group Sync" feature of the print management software. This feature synchronizes user and group information from Active Directory, LDAP, or a custom source, and an administrator can also specify a custom authentication program to validate a user's username and password. Both the user-sync program and the auth program can be any executable; the auth program, however, must read its input interactively, because PaperCut passes it the submitted username and password. VulnCheck's PoC sets the auth program to "/usr/sbin/python3" on Linux and "C:\Windows\System32\ftp.exe" on Windows. An attacker who has reached the admin interface (which CVE-2023-27350 allows without credentials) then executes arbitrary code simply by submitting a malicious username and password at login, since the interpreter or ftp client executes whatever it is fed. On Linux this yields a Python reverse shell; on Windows it can download and run a custom reverse shell hosted on a remote server. Neither variant touches the printer scripting interface, so the existing detections, which key on that path, do not fire.

Jacob Baines, a security researcher at VulnCheck, stated, “An administrative user attacking PaperCut NG and MF can follow multiple paths to arbitrary code execution. Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are destined to be ineffective in the next round of attacks. Attackers learn from defenders’ public detections, so it is the defenders’ responsibility to produce robust detections that are not easily bypassed.”
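The contrast Baines draws, a detection tied to one code execution path versus one tied to the thing every path shares, as an added example (not code from VulnCheck, PaperCut or this article). It models Sysmon Event ID 1 process-creation records as dicts using Sysmon's real field names, assumes the PaperCut NG/MF application server on Windows runs as `pc-app.exe`, and uses constructed events: one for the printer-scripting path, a chain for the User/Group Sync path with `ftp.exe` as the auth program, and two benign processes. The install path, GUIDs and command lines are invented for the demonstration.

```python
"""Parent-process detection for PaperCut code execution, at any depth.

Added example, not code from VulnCheck, PaperCut or the article. Records are
Sysmon Event ID 1 (process creation) events as dicts with Sysmon's real field
names (ProcessGuid, ParentProcessGuid, Image, ParentImage, CommandLine).
Assumption: the PaperCut NG/MF app server runs as pc-app.exe on Windows.
Every event below is constructed for the demonstration, not captured.
"""

PAPERCUT_SERVER = "pc-app.exe"  # assumed image name of the application server

# The brittle rule in the style of the early public detections: it fires only
# when pc-app.exe launches cmd.exe or powershell.exe directly (scripting path).
NARROW_CHILDREN = {"cmd.exe", "powershell.exe"}

# Constructed events. G2: printer-scripting path. G3-G5: User/Group Sync path,
# ftp.exe as the auth program, which runs a "!" shell command that starts a
# downloaded payload. G1 and G6 are benign and must not be flagged.
SAMPLE_EVENTS = [
    {"ProcessGuid": "G1", "ParentProcessGuid": "G0",
     "Image": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "pc-app.exe -service"},
    {"ProcessGuid": "G2", "ParentProcessGuid": "G1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
     "CommandLine": "powershell.exe -enc <constructed>"},
    {"ProcessGuid": "G3", "ParentProcessGuid": "G1",
     "Image": r"C:\Windows\System32\ftp.exe",
     "ParentImage": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
     "CommandLine": '"C:\\Windows\\System32\\ftp.exe"'},
    {"ProcessGuid": "G4", "ParentProcessGuid": "G3",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "cmd.exe /c C:\\Users\\Public\\rs.exe"},
    {"ProcessGuid": "G5", "ParentProcessGuid": "G4",
     "Image": r"C:\Users\Public\rs.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "rs.exe"},
    {"ProcessGuid": "G6", "ParentProcessGuid": "G7",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]


def basename(image):
    """Lower-cased file name of an Image/ParentImage path (either slash style)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def narrow_detect(events):
    """Signature keyed to one path: pc-app.exe directly spawning cmd/powershell."""
    return [e["ProcessGuid"] for e in events
            if basename(e["ParentImage"]) == PAPERCUT_SERVER
            and basename(e["Image"]) in NARROW_CHILDREN]


def ancestry(event, by_guid):
    """Image names from this process upward, stopping at pc-app.exe or at the
    oldest ancestor we hold a record for. ParentImage is used for the last
    hop so a parent we never logged (e.g. started before Sysmon) still counts.
    """
    chain = [basename(event["Image"])]
    seen = {event["ProcessGuid"]}
    cur = event
    while True:
        parent_name = basename(cur["ParentImage"])
        chain.append(parent_name)
        parent = by_guid.get(cur["ParentProcessGuid"])
        if parent_name == PAPERCUT_SERVER or parent is None:
            return chain
        if parent["ProcessGuid"] in seen:  # guard against a malformed cycle
            return chain
        seen.add(parent["ProcessGuid"])
        cur = parent


def robust_detect(events, allow=frozenset()):
    """Flag every process descended from pc-app.exe, however many hops away.

    Returns [(ProcessGuid, chain)] with chain ordered from pc-app.exe down to
    the flagged image. `allow` holds image names the server is expected to
    launch; it suppresses only that process, never its descendants, so an
    allowlisted auth program cannot hide what it goes on to spawn.
    """
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, by_guid)
        if chain[-1] == PAPERCUT_SERVER and chain[0] not in allow:
            hits.append((e["ProcessGuid"], list(reversed(chain))))
    return hits


if __name__ == "__main__":
    print("narrow rule:", narrow_detect(SAMPLE_EVENTS))
    for guid, chain in robust_detect(SAMPLE_EVENTS):
        print("robust rule:", guid, " -> ".join(chain))
```

Run as-is, the narrow rule reports only G2; the User/Group Sync chain (G3, G4, G5) is invisible to it, which is the bypass the article describes. The robust rule reports all four, each with its full chain back to `pc-app.exe`, and allowlisting `ftp.exe` drops G3 but still surfaces G4 and G5 beneath it. On Linux the same idea applies to whatever the server's Java process is named; that name is not given on this page and is not assumed here.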
