CVE-2023-27350: Authentication Bypass in PaperCut MF/NG

July 3, 2023
Muhammad Kamran Hasan
CVE-2023-27350
Unauthenticated remote code executionUnauthenticated remote code executionArbitrary code execution
SYSTEM user privilege escalation
Vulnerable targets
Security risk
System compromise
Exploitation of CVE-2023-27350
Authentication Bypass
CVE-2023-27350: Authentication Bypass in PaperCut MF/NG

Affected Versions

The vulnerability affects PaperCut MF/NG versions 8.0 and above, but prior to versions 20.1.7, 21.2.11, or 22.0.9.

Impact

An attacker with access to the vulnerable web interface could exploit this vulnerability to gain SYSTEM privileges on the target system. This could allow them to take control of the system and execute arbitrary commands.

Mitigation

The vulnerability has been fixed in PaperCut MF/NG versions 20.1.7, 21.2.11, and 22.0.9. Users should update to the latest version of PaperCut MF/NG to mitigate this vulnerability.

Remediation

If you are unable to update to the latest version of PaperCut MF/NG, you can mitigate the vulnerability by disabling the SetupCompleted class. To do this, you can edit the papercut.properties file and add the following line:

setupcompleted.class=disabled

Once you have added this line, you can save the papercut.properties file and restart the PaperCut MF/NG service.

Shodan Dorks:

  • http.html:"papercut"

  • http.html:"papercut" port:9191

  • http.title:"PaperCut Login"

Technical Details

The vulnerability in CVE-2023-27350 exists in the SetupCompleted class. This class is responsible for processing the results of the setup wizard. When the setup wizard is completed, the SetupCompleted class is called. The SetupCompleted class checks to see if the user has entered a valid license key. If the user has entered a valid license key, the SetupCompleted class proceeds to install PaperCut MF/NG. If the user has not entered a valid license key, the SetupCompleted class displays an error message.

The issue with the SetupCompleted class is that it does not properly validate the "service" parameter in URL requests. This allows attackers to pass arbitrary values to the "service" parameter, which can then be used to access protected pages or execute arbitrary code.

For example, an attacker could pass the following value to the "service" parameter:

/app?service=page/SetupCompleted?command=ls

This would cause the SetupCompleted class to execute the ls command on the PaperCut server. This would allow the attacker to list the contents of the current directory on the server.

Similarly, an attacker could also pass the following value to the "service" parameter:

/app?service=page/Dashboard

This would cause the SetupCompleted class to redirect the attacker to the Dashboard page, which is accessible to users who have logged in to the PaperCut application. If the attacker is not logged in, they would be able to bypass authentication and access the Dashboard page.

Summary

CVE-2023-27350 is an authentication bypass vulnerability in PaperCut MF/NG print management software. The vulnerability exists in the SetupCompleted class, which is responsible for processing the results of the setup wizard. The vulnerability can be exploited by an attacker to bypass authentication and execute arbitrary code as SYSTEM on vulnerable targets. Users should update to the latest version of PaperCut MF/NG to mitigate this vulnerability. If you are unable to update to the latest version of PaperCut MF/NG, you can mitigate the vulnerability by disabling the SetupCompleted class.

CVE-2024-48914: Arbitrary File Read Vulnerability in Vendure
CVE-2024-48914: Arbitrary File Read Vulnerability in Vendure
2024-10-26
Kamran Hasan
CVE-2022-44268: Arbitrary File Disclosure in ImageMagick
CVE-2022-44268: Arbitrary File Disclosure in ImageMagick
2024-05-26
James McGill
CVE-2021-43798: Path Traversal in Grafana
CVE-2021-43798: Path Traversal in Grafana
2024-03-30
James McGill
CVE-2021-3129: Remote Code Execution in Laravel
CVE-2021-3129: Remote Code Execution in Laravel
2024-02-14
James McGill
CVE-2024-28116: Server-Side Template Injection in Grav CMS
CVE-2024-28116: Server-Side Template Injection in Grav CMS
2024-03-24
James McGill
CVE-2022-42889: Remote Code Execution in Apache Commons Text
CVE-2022-42889: Remote Code Execution in Apache Commons Text
2024-01-13
James McGill