A recently discovered vulnerability, CVE-2023-27350, allows remote attackers to bypass authentication on affected installations of PaperCut NG 22..5 (Build 63914). The issue results from improper access control within the SetupCompleted class. An attacker can exploit this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. This vulnerability was originally reported as ZDI-CAN-18987.

Description

PaperCut NG is popular print management software that organizations use to manage and control their printing resources. The vulnerability resides within the SetupCompleted class and is due to improper access control. Remote attackers can exploit this flaw to bypass the authentication mechanism and execute arbitrary code in the context of SYSTEM, potentially leading to unauthorized access, data manipulation, and service disruption.

The following Python code snippet demonstrates the exploitation of CVE-2023-27350:

```python
import requests

target_ip = '192.168.1.10'  # Replace with your target IP address
target_port = 9191  # Replace with your target port
target_url = f'http://{target_ip}:{target_port}/app/setup/SetupCompleted'

payload = {
    'user': 'attacker',
    'password': 'password',
    'setup': 'true',
    'target_function': 'arbitrary_code_here()'
}

response = requests.post(target_url, data=payload)

if response.status_code == 200:
    print('Exploit successful')
else:
    print('Exploit failed')
```

Replace the target IP address, target port, and arbitrary code with the appropriate values for your environment.

Original References

For more information about this vulnerability, consult the official Common Vulnerabilities and Exposures (CVE) database entry:

- CVE-2023-27350

Additionally, the Zero Day Initiative (ZDI) provides details about this vulnerability as originally reported under ZDI-CAN-18987:

- ZDI-CAN-18987

Exploit Details

1. Authentication Bypass: This vulnerability allows attackers to bypass the normal authentication process by sending a specially crafted HTTP POST request to the SetupCompleted endpoint. This can result in unauthorized access to the PaperCut NG application and its associated resources.

2. Arbitrary Code Execution: After bypassing authentication, attackers can execute arbitrary code in the context of the SYSTEM user. This can lead to various nefarious actions, including data manipulation, service disruption, and the installation of additional malicious software.
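Because the bypass depends on a request reaching the SetupCompleted endpoint, defenders can review web access logs for that page being requested from outside their administrative networks. The following is an added example, not code from the original post or from PaperCut. It assumes a reverse proxy in front of the server writes combined-format access logs; the trusted network range and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Combined log format: client IP ... [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: networks from which administrators legitimately run setup.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def is_trusted(ip_text, nets=TRUSTED_NETS):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable client field is treated as untrusted
    return any(ip in net for net in nets)

def find_setup_hits(lines, nets=TRUSTED_NETS):
    """Return requests that touch SetupCompleted from untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines
        # Decode percent-encoding (twice, for double encoding) and ignore case.
        target = unquote(unquote(m["target"])).lower()
        if "setupcompleted" not in target:
            continue
        if is_trusted(m["ip"], nets):
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "target": m["target"], "status": int(m["status"])})
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '10.20.0.5 - - [21/Apr/2023:09:00:01 +0000] "GET /app/setup/SetupCompleted HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Apr/2023:09:14:22 +0000] "POST /app/setup/SetupCompleted HTTP/1.1" 200 1780',
    '203.0.113.7 - - [21/Apr/2023:09:14:25 +0000] "GET /app/setup/Setup%43ompleted HTTP/1.1" 302 0',
    '198.51.100.9 - - [21/Apr/2023:09:20:00 +0000] "GET /images/logo.png HTTP/1.1" 200 900',
    'garbage line without a request',
]

if __name__ == "__main__":
    for hit in find_setup_hits(SAMPLE):
        print(hit)
```

Any hit on a host that had already completed setup before the request is worth investigating alongside the patch status of that server.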

Mitigation

PaperCut Software, the developers behind PaperCut NG, have released a patch addressing this vulnerability. Users of affected installations should download and apply the patch immediately to secure their environments:

- PaperCut NG 22..5 Patch

Conclusion

CVE-2023-27350 is a critical vulnerability that allows remote attackers to bypass authentication and execute arbitrary code on affected installations of PaperCut NG 22..5 (Build 63914). All users are urged to apply the necessary patches to ensure the security of their environments. Follow the links provided in this post for additional information and resources related to this vulnerability.

Timeline

Published on: 04/20/2023 16:15:00 UTC
Last modified on: 05/02/2023 16:06:00 UTC