Thread: Exploiting CVE-2023-27350 and smashing Avast into a wall (performed on my own P-NG implant)

Status
Thread closed to further replies.

Netcat

Jade User
17 January 2022
PaperCut NG, which sadly is not "Papercut" by Linkin Park, is a cross-platform web application hosted on a server. The software is intended for managing and optimizing printing tasks in a corporate environment.

I'm writing this thread because I found multiple installations of PaperCut NG servers exposed on the WAN, and some of them are located in Italy. Honestly, I don't know if they may be vulnerable or patched, since I have no authorization from their owners to conduct tests on these remote devices, thus I'm exploiting my most powerful ethical hacking tools: code of conduct and constructive communication.
In this thread, I will teach you how to recognize a CVE-2023-27350 attack, and how to completely prevent it.

First of all, how to prevent exploitation?
PaperCut NG Authentication Bypass, affecting the versions below:
- 8.0.0 to 19.2.7 (inclusive)
- 20.0.0 to 20.1.6 (inclusive)
- 21.0.0 to 21.2.10 (inclusive)
- 22.0.0 to 22.0.8 (inclusive)
This means that updating the implant to the latest version will be enough to patch the issue, since this exploit has been disclosed and the PaperCut engineering team acknowledged it.
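The version ranges above are the whole patch-or-not decision, so here is a small triage helper that encodes them and checks an inventory against them. This is an added example written for this thread, not PaperCut's own code; the hostnames and versions in the demo inventory are made up.

```python
"""Version triage for CVE-2023-27350 against the affected PaperCut NG
ranges listed in the thread. Added example; not PaperCut's own code."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges exactly as the thread lists them.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((8, 0, 0), (19, 2, 7)),
    ((20, 0, 0), (20, 1, 6)),
    ((21, 0, 0), (21, 2, 10)),
    ((22, 0, 0), (22, 0, 8)),
]


def parse_version(text: str) -> Version:
    """Turn '19.2.6' into (19, 2, 6); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version falls inside any affected range.

    Tuples compare lexicographically, so (19, 2, 8) > (19, 2, 7) and
    (20, 1, 6) <= (20, 1, 6) behave exactly like the inclusive ranges.
    """
    v = parse_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a host -> version map into hosts needing an update and hosts already patched."""
    needs_update: List[str] = []
    patched: List[str] = []
    for host, version in inventory.items():
        (needs_update if is_affected(version) else patched).append(host)
    return {"needs_update": sorted(needs_update), "patched": sorted(patched)}


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up for the demo.
    demo = {"print-srv-01": "19.2.6", "print-srv-02": "22.0.9", "print-srv-03": "21.2.10"}
    print(triage_inventory(demo))
```

Feed it the version string shown in the admin interface of each server you manage; anything that lands in `needs_update` should be upgraded before you bother with log review.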

How to tell if you were exploited?
The exploit changes the server configuration in order to succeed, and these configuration changes are reported in the server logs. If you notice anomalous configuration changes in your server logs, the vulnerability has been exploited. I will cover these changes during the explanation.

Exploit description and effects:
The exploit is safe to run: the exploited device will not show visible signs of compromise (you will not notice until logs are checked), and it can be fired multiple times against the same host (unlike buffer overflow exploits, which cause applications to quit). That means that the PaperCut NG exploit is stable, thus extremely powerful. A successful exploitation attempt results in the execution of Java-based code in the context of "root" on Linux/Mac, or "nt-authority" on Windows. Since this is exploit code, most EDRs can truly do nothing to stop it; you shall update to the latest version of the webapp to get rid of it. Don't rely too much on AVs, because antiviruses are merely a meme. They are too easy to circumvent. The only way to truly prevent an exploit is fixing the vulnerability that lets it work. Avast EDR incorporated a feature called "exploit shield", but they still need to work a lot to make it solid. I'm not saying that you should uninstall your EDR, because it can still block attacks from very stupid guys, but it will never work against coding veterans like the moderators of this forum. Luckily, our moderators are not malicious cyber-criminals, so you will never get hacked by one of them, but imagine if you get targeted by a skilled criminal who can do that: you will end up in trouble.

Here is a recap of what I did in my lab. I've tested the exploit against P-NG v. 19.2.6 on my Windows device. The goal of the experiment was to shred through Avast's defences with the exploit and deploy a Java-based Meterpreter payload on my own system. The first attempt failed, since Avast is pretty aware of Meterpreter shells, because they are extremely popular among hackers of all skill levels, being easy and powerful at the same time.
[screenshot: 1691098818087.png]

Reading the verbose output, you can notice how the exploit tries to change configuration paths on the implant: look at the "Setting server options" lines as they are changed during the exploitation process. All these changes, as said above, are reported in the logs and can be documented for a potential investigation.
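Since the thread's whole detection advice is "look for anomalous configuration changes in the server logs", here is an added example of what that triage can look like in code. It is not PaperCut's code and the log line layout, the option keys and the addresses are all constructed for the demo (assumed format: `<timestamp> <level> <actor> set option "<key>" to "<value>"`); adapt the regular expression to whatever your real server log looks like. The two signals it extracts follow directly from the post: a burst of several option changes within seconds (an automated exploit flips settings far faster than an admin does), and option changes coming from a source address that is not on your admin allowlist.

```python
"""Triage of server-option changes in a PaperCut-style application log.
Added example with a constructed log format; not PaperCut's real log layout."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumed line layout (constructed): <timestamp> <level> <actor> set option "<key>" to "<value>"
OPTION_CHANGE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) +'
    r'(?P<actor>\S+) set option "(?P<key>[^"]+)" to "(?P<value>[^"]*)"$'
)

# Constructed sample log: option keys and addresses are placeholders, not real PaperCut settings.
SAMPLE_LOG = """\
2023-08-03 21:10:01 INFO  admin@10.0.0.5 set option "example.print.quota" to "500"
2023-08-03 21:13:04 INFO  admin@203.0.113.9 set option "example.script.enabled" to "Y"
2023-08-03 21:13:05 INFO  admin@203.0.113.9 set option "example.script.sandbox" to "N"
2023-08-03 21:13:05 INFO  admin@203.0.113.9 set option "example.script.path" to "C:\\tmp\\x"
2023-08-03 21:13:06 INFO  SessionManager - session created (no option change)
2023-08-03 22:45:30 INFO  admin@10.0.0.5 set option "example.print.quota" to "600"
"""


def parse_option_changes(log_text: str) -> List[Dict]:
    """Extract every server-option change event; lines that are not option changes are ignored."""
    events: List[Dict] = []
    for line in log_text.splitlines():
        m = OPTION_CHANGE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "actor": m["actor"],
            "source": m["actor"].split("@", 1)[-1],  # address part of "user@addr"
            "key": m["key"],
            "value": m["value"],
        })
    return events


def find_bursts(events: List[Dict], window_seconds: int = 30, min_changes: int = 3) -> List[List[Dict]]:
    """Group changes whose gaps are within the window and keep clusters of at least min_changes.

    A run of several option flips a second apart is the footprint of a scripted exploit;
    a human admin editing one setting at 21:10 and another at 22:45 is not.
    """
    groups: List[List[Dict]] = []
    current: List[Dict] = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if current and (e["ts"] - current[-1]["ts"]) > timedelta(seconds=window_seconds):
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) >= min_changes]


def untrusted_sources(events: List[Dict], trusted: Set[str]) -> Set[str]:
    """Source addresses that changed options but are not on the admin allowlist."""
    return {e["source"] for e in events if e["source"] not in trusted}


if __name__ == "__main__":
    evs = parse_option_changes(SAMPLE_LOG)
    for burst in find_bursts(evs):
        print("burst of option changes:", [e["key"] for e in burst])
    print("option changes from unexpected sources:", untrusted_sources(evs, trusted={"10.0.0.5"}))
```

On the constructed sample, the three `example.script.*` changes at 21:13 form one burst from 203.0.113.9, while the two quota edits from the trusted admin address are left alone; both findings are the kind of entry you would preserve for the investigation the post mentions.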

However, our EDR showcased a very cringe performance against a simple command shell, resulting in gaining access to and control of my own device as nt-authority. I bet it happened because no one "likes" the Windows CMD command shell; script kiddies and bad security researchers don't find it "cool" like Meterpreter.
[screenshot: 1691099225847.png]


There are some final notes I need to highlight before ending the thread.
The Metasploit Framework (my favorite hacking tool) is configured to launch this exploit exclusively on the LAN, since this tool is intended for hackers who prioritize conduct over skills. You may be able to launch it on the WAN if your device natively supports enhanced server features, but at your own risk. As the ethical hacking community always points out, you are solely responsible for your actions, and, you know, open-source exploits are merely intended for studying (if you are just an amateur ethical hacker like me), or to actively support vulnerable companies (if you are a certified worker). Good luck.

Comments are welcome to add specific technical information to the existing thread (Italian and English are both allowed). I'm afraid of missing some technical details, but the bulk was covered.