Context
On May 4, 2023, VulnCheck researchers released a proof-of-concept (POC) exploit for CVE-2023-27350. According to the report, the exploit bypasses current detection options for attacks leveraging the vulnerability.
Technical Details
According to NIST, CVE-2023-27350 “allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM.” The current CVSS score for the vulnerability is 9.8 CRITICAL.
VulnCheck researchers assess that the POC they developed differs from the two previously known exploit approaches:
- Exploits that use the PaperCut print scripting interface to execute Windows commands.
- Exploits that use the print scripting interface to drop a malicious JAR.
The VulnCheck POC proceeds as follows:
- On Linux, set the auth program to /usr/sbin/python3.
- On Windows, set the auth program to C:\Windows\System32\ftp[.]exe.
- The attacker needs to provide a malicious username and password during a login attempt.
- The inputPassword contains logic to download a binary to C:\ProgramData\ and execute it. In the POC, this binary is a custom reverse shell written in Go. The result is that cmd[.]exe is never a direct child of pc-app[.]exe; the process tree is pc-app[.]exe -> ftp[.]exe -> cmd[.]exe -> AXtJxdUwlfJI[.]exe.
- Because this approach doesn’t use a scripting interface, the attack also doesn’t generate the log entries that existing detections expect.
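The process tree above is the detection-relevant point: a rule that only checks whether cmd.exe is a direct child of pc-app.exe misses the ftp.exe hop. The following added example (not VulnCheck's or PaperCut's code) compares that direct-parent rule with an ancestry-walking rule over constructed process-creation events; the event layout, the pids and the rule names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SERVER = "pc-app.exe"
# Auth-program hosts named in the write-up above (Windows and Linux variants).
AUTH_PROGRAM_HOSTS = {"ftp.exe", "python3"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # process image base name, lower-case (constructed layout)


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from `pid` up to the root, e.g. [cmd.exe, ftp.exe, pc-app.exe]."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against pid reuse creating a cycle
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def legacy_direct_parent(events: List[ProcEvent]) -> List[str]:
    """The rule the POC bypasses: shell whose *immediate* parent is pc-app.exe."""
    by_pid = {e.pid: e for e in events}
    return [e.image for e in events if e.image in SHELLS
            and e.ppid in by_pid and by_pid[e.ppid].image == SERVER]


def detect(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """(rule, chain) pairs. Rule 1: pc-app.exe launching an auth-program host.
    Rule 2: a shell anywhere beneath pc-app.exe, at any depth."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent and parent.image == SERVER and ev.image in AUTH_PROGRAM_HOSTS:
            alerts.append(("auth-program-host", " <- ".join(ancestry(ev.pid, by_pid))))
        if ev.image in SHELLS and SERVER in ancestry(ev.pid, by_pid)[1:]:
            alerts.append(("shell-under-papercut", " <- ".join(ancestry(ev.pid, by_pid))))
    return alerts


# Constructed sample: the tree from the write-up plus an unrelated benign shell.
SAMPLE = [ProcEvent(1000, 4, SERVER), ProcEvent(1100, 1000, "ftp.exe"),
          ProcEvent(1200, 1100, "cmd.exe"), ProcEvent(1300, 1200, "axtjxduwlfji.exe"),
          ProcEvent(2000, 1, "explorer.exe"), ProcEvent(2100, 2000, "cmd.exe")]
```

Running `detect(SAMPLE)` yields two alerts for the PaperCut chain and none for the explorer.exe-spawned shell, while `legacy_direct_parent(SAMPLE)` returns nothing.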