Cybersecurity researchers from VulnCheck have developed a new exploit for the CVE-2023-27350 vulnerability in PaperCut servers. This exploit bypasses all current detections for the flaw, which is a PaperCut MF/NG Improper Access Control Vulnerability that allows authentication bypass and code execution in the context of SYSTEM.
On April 19th, PaperCut confirmed that it was aware of active exploitation of the vulnerability. The company addressed the vulnerability with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. Huntress researchers have observed post-exploitation activities within its partner environments after attackers exploited the vulnerability.
The VulnCheck experts pointed out that only two public exploit variants are publicly available: exploits that use the PaperCut print scripting interface to execute Windows commands, and exploits that use the print scripting interface to drop a malicious JAR.
Both methods abuse the system’s built-in JavaScript interface. VulnCheck has now published a proof-of-concept exploit that bypasses all published detections using a different code execution method.
The researchers demonstrated how to exploit the flaw abusing the “User/Group Sync” feature. The PoC exploit set the auth program to “/usr/sbin/python3” on Linux and “C:\Windows\System32\ftp.exe” on Windows. Threat actors can execute arbitrary code on vulnerable servers by providing a malicious username and password during a login attempt.
The researchers stressed that “detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks.”
Attackers learn from defenders’ public detections, so it’s the defenders’ responsibility to produce robust detections that aren’t easily bypassed.
Trend Micro, who reported the high/critical severity security issues in PaperCut MF/NG, announced that it will disclose further information about the vulnerability on May 10th, 2023.
It is interesting to note that the domain hosting the tools employed in the attack was registered on April 12th, 2023, and was also hosting malware, a variant of the TrueBot malware. The researchers recommend upgrading to one of the PaperCut MF and PaperCut NG versions that contain the fix.
