CVE-2023-27350: An Authentication Bypass Vulnerability in PaperCut MF/NG

Affected Versions

The vulnerability affects PaperCut MF/NG versions 8.0 and above, but prior to versions 20.1.7, 21.2.11, or 22.0.9.

Impact

An attacker with access to the vulnerable web interface could exploit this vulnerability to gain SYSTEM privileges on the target system. This could allow them to take control of the system and execute arbitrary commands.

Mitigation

The vulnerability has been fixed in PaperCut MF/NG versions 20.1.7, 21.2.11, and 22.0.9. Users should update to the latest version of PaperCut MF/NG to mitigate this vulnerability.

Remediation

If you are unable to update to the latest version of PaperCut MF/NG, you can mitigate the vulnerability by disabling the SetupCompleted class. To do this, you can edit the papercut.properties file and add the following line:

setupcompleted.class=disabled

Once you have added this line, you can save the papercut.properties file and restart the PaperCut MF/NG service.

Shodan Dorks:

  • http.html:"papercut"

  • http.html:"papercut" port:9191

  • http.title:"PaperCut Login"

Technical Details

The vulnerability in CVE-2023-27350 exists in the SetupCompleted class, which is responsible for processing the results of the setup wizard. When the setup wizard is completed, the SetupCompleted class is called and checks whether the user has entered a valid license key. If so, the class proceeds to install PaperCut MF/NG; if not, it displays an error message.

The issue with the SetupCompleted class is that it does not properly validate the "service" parameter in URL requests. This allows attackers to pass arbitrary values to the "service" parameter, which can then be used to access protected pages or execute arbitrary code.

For example, an attacker could pass the following value to the "service" parameter:

/app?service=page/SetupCompleted?command=ls

This would cause the SetupCompleted class to execute the ls command on the PaperCut server, allowing the attacker to list the contents of the current directory on the server.

Similarly, an attacker could also pass the following value to the "service" parameter:

/app?service=page/Dashboard

This would cause the SetupCompleted class to redirect the attacker to the Dashboard page, which is accessible to users who have logged in to the PaperCut application. An attacker who is not logged in would thereby bypass authentication and access the Dashboard page.
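
For defenders, the requests described above can be hunted for in web access logs. The following Python is an added example, not code from the original post or from PaperCut: it flags /app requests whose "service" parameter targets the SetupCompleted page, then marks later page requests from the same address as follow-up activity. The combined log format, the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (an assumption;
# adapt LINE_RE to the format your proxy or server actually writes).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2023:10:02:11 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120 "-" "curl/7.88"
203.0.113.7 - - [18/Apr/2023:10:02:14 +0000] "GET /app?service=page%2FDashboard HTTP/1.1" 200 20480 "-" "curl/7.88"
198.51.100.20 - - [18/Apr/2023:10:05:40 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.33 - - [18/Apr/2023:11:15:02 +0000] "POST /app?service=PAGE%2fsetupcompleted HTTP/1.1" 302 0 "-" "python-requests/2.28"
192.0.2.33 - - [18/Apr/2023:11:15:09 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "python-requests/2.28"
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def service_of(target):
    """Return the decoded, lower-cased 'service' value of an /app request, else None."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").lower().endswith("/app"):
        return None
    values = parse_qs(parts.query).get("service")  # parse_qs undoes %-encoding
    return values[0].lower() if values else None

def scan(log_text):
    """Return (ip, timestamp, kind, target) findings in log order."""
    findings, touched_setup = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log records
        ip, ts, _method, target, _status = m.groups()
        service = service_of(target)
        if service is None:
            continue
        if service.startswith("page/setupcompleted"):
            touched_setup.add(ip)  # remember who requested the setup page
            findings.append((ip, ts, "setup-page", target))
        elif ip in touched_setup and service.startswith("page/"):
            # Heuristic: page requests after a setup-page hit from the same address
            findings.append((ip, ts, "follow-up", target))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A Dashboard request on its own is not flagged, since logged-in users make that request legitimately; only the sequence from a single address is reported.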

Summary

CVE-2023-27350 is an authentication bypass vulnerability in PaperCut MF/NG print management software. The vulnerability exists in the SetupCompleted class, which is responsible for processing the results of the setup wizard. The vulnerability can be exploited by an attacker to bypass authentication and execute arbitrary code as SYSTEM on vulnerable targets. Users should update to the latest version of PaperCut MF/NG to mitigate this vulnerability. If you are unable to update to the latest version of PaperCut MF/NG, you can mitigate the vulnerability by disabling the SetupCompleted class.
