New Exploit Bypasses Detection for Critical PaperCut Flaw

May 4, 2023

Cybersecurity researchers have created a new exploit for the recently disclosed critical flaw in PaperCut servers, known as CVE-2023-27350, which is able to bypass all current detection methods. The flaw, with a CVSS score of 9.8, is an improper access control vulnerability in PaperCut MF/NG. It resides in the SetupCompleted class and allows authentication bypass and code execution in the context of SYSTEM. On April 19th, print management software provider PaperCut confirmed that it is aware of the active exploitation of the CVE-2023-27350 vulnerability, having received two vulnerability reports from cybersecurity firm Trend Micro for high/critical severity security issues in PaperCut MF/NG. Trend Micro announced that they will disclose further information about the vulnerability on May 10th, 2023.

PaperCut addressed both vulnerabilities with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9, and strongly recommends upgrading to one of these versions containing the fix. Researchers at Huntress observed post-exploitation activities within its partner environments after attackers exploited the aforementioned PaperCut MF/NG vulnerabilities. Huntress security researcher Caleb Stewart also created a proof-of-concept exploit for these threats, sharing a video PoC with the company. The report published by Huntress states, “From our recreated proof-of-concept, we observed child processes spawned underneath the pc-app.exe process. The screenshot below showcases a simple test of invoking PowerShell to call out to another location, demonstrating the achieved code execution.”

The researchers found that the domain hosting the tools used in the attack, windowservicecemter[.]com, was registered on April 12, 2023. Interestingly, the domain was also hosting a variant of the TrueBot malware. Recently, experts published a proof-of-concept exploit that bypasses all published detections using a different code execution method. They explained that only two public exploit variants are currently available, both of which abuse the system’s built-in JavaScript interface. According to the researchers, “The JavaScript engine is Rhino, which also allows that user to execute arbitrary Java. PaperCut Software implemented configuration options to lessen the risk of this arbitrary code execution vector, but since the attacker has full administrative access, those protections are easily disabled.”

Presently, published detections fall into three types: Sysmon-based detections (e.g. process creation analysis), log file analysis, and network signatures. The researchers demonstrated how to exploit the flaw using the “User/Group Sync” feature. The PoC exploit set the auth program to “/usr/sbin/python3” on Linux and “C:\Windows\System32\ftp.exe” on Windows. By providing a malicious username and password during a login attempt, threat actors can execute arbitrary code on vulnerable servers. The experts concluded, “An administrative user attacking PaperCut NG and MF can follow multiple paths to arbitrary code execution. Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks.” They added, “Attackers learn from defenders’ public detections, so it’s the defenders’ responsibility to produce robust detections that aren’t easily bypassed.”
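To make the researchers' point about process-creation detections concrete, the following added example (not code from Huntress, the researchers, or PaperCut) compares a rule that only matches shells spawned by pc-app.exe with a rule that alerts on any pc-app.exe child outside a recorded baseline. The event records, the `C:\PaperCut` install path, `helper.exe`, and the baseline list are constructed assumptions.

```python
import ntpath

# Constructed Sysmon Event ID 1 (process creation) records. Image and
# ParentImage are real Sysmon field names; every value below is made up,
# including the C:\PaperCut install path and helper.exe (hypothetical).
EVENTS = [
    {"ParentImage": r"C:\PaperCut\pc-app.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\PaperCut\pc-app.exe",
     "Image": r"C:\Windows\System32\ftp.exe"},
    {"ParentImage": r"C:\PaperCut\pc-app.exe",
     "Image": r"C:\PaperCut\helper.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\ftp.exe"},
]

# Assumption: the operator recorded this baseline of expected pc-app.exe
# children on a known-good server; it is not a list published by PaperCut.
BASELINE = [r"C:\PaperCut\helper.exe"]

SHELLS = {"cmd.exe", "powershell.exe"}  # what a single-technique rule matches


def _name(path):
    return ntpath.basename(path).lower()


def narrow_rule(event):
    """Alert only when pc-app.exe spawns a known shell."""
    return _name(event["ParentImage"]) == "pc-app.exe" and _name(event["Image"]) in SHELLS


def baseline_rule(event, allowed):
    """Alert on any pc-app.exe child whose full path is outside the baseline."""
    return _name(event["ParentImage"]) == "pc-app.exe" and event["Image"].lower() not in allowed


def evaluate(events, baseline):
    allowed = {p.lower() for p in baseline}
    return [(_name(e["Image"]), narrow_rule(e), baseline_rule(e, allowed)) for e in events]


if __name__ == "__main__":
    for image, narrow, broad in evaluate(EVENTS, BASELINE):
        print(f"{image:16} narrow={narrow!s:5} baseline={broad}")
```

The second record is the case the quote describes: the shell-only rule stays silent on ftp.exe under pc-app.exe, while the baseline rule alerts.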
