CVE: CVE-2023-27350
Description: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM.
Affected vendor: PaperCut
Affected products & versions: PaperCut NG 22.0.5
PaperCut is a common print management software, and filtering for it on sites like Shodan shows how many instances are exposed to the internet.
Building The Lab
First we need to download the PaperCut product; you can get it from here. Download it and follow the installation process below.
Go to http://localhost:9191 (9191 is the default port for PaperCut) and complete the setup wizard as follows:
- Create Account: set the admin username and password
- Choose Organization Type: not required or important in this case, so I chose Education
- Set Default Costs: same as Organization Type, skip this by clicking Next to complete the installation process
- Sync Users: Next
- Confirm Setup: click Confirm
- Submit the form
After submitting the information, the app redirects to the dashboard automatically. Keep this step in mind; we will come back to it later.
Background Story
I was reading some blogs to gain a better understanding of how this bypass is done, and I came across many that focus on the Remote Code Execution (RCE), which allows the execution of arbitrary Java code through the print scripting feature, but they fail to explain why we are able to bypass authentication just by visiting this endpoint.
Some of them made me even more confused, especially when it comes to how this session is created or set.
So in this analysis we are delving deep into the Authentication Bypass in the PaperCut software.
Reproduce The Vulnerability
First, let's reproduce the vulnerability to get an overview of how the exploit interacts with the application.
The Authentication Bypass exploit was found in this repo.
After running the exploit and giving it the required input (the IP address), it is required to visit http://localhost:9191/app?service=page/SetupCompleted first, before going to the dashboard, as shown in the exploitation.
The result after visiting http://localhost:9191/app?service=page/SetupCompleted was as follows:
As shown in the picture above, we were able to log in without the admin's credentials. It seems there is no validation of user authentication when visiting the SetupCompleted page, which was responsible for setting up the application and submitting the installation information mentioned in the installation process.
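The bypass described above leaves a recognisable trace: an unauthenticated request for the SetupCompleted page followed by a redirect. As an added defender-side example (not part of the original post), the script below scans access-log lines for that pattern. It assumes a generic Apache/NGINX "combined" log format, for instance from a reverse proxy in front of PaperCut, and the sample lines are constructed, not real PaperCut logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed "combined" access-log format; only the fields up to the status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real PaperCut logs).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2023:10:12:31 +0000] "GET /app?service=page/Login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Apr/2023:10:13:02 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 302 0 "-" "python-requests/2.28"
10.0.0.9 - - [18/Apr/2023:10:13:02 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 9001 "-" "python-requests/2.28"
10.0.0.7 - - [18/Apr/2023:10:15:40 +0000] "GET /app?service=page%2FSetupCompleted HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.7 - - [18/Apr/2023:10:15:41 +0000] "GET /static/logo.png HTTP/1.1" 200 812 "-" "curl/8.0"
"""

def is_setup_completed(target: str) -> bool:
    # Decode the query so "page/SetupCompleted" and "page%2FSetupCompleted" both match.
    query = parse_qs(urlsplit(target).query)
    return any(v == "page/SetupCompleted" for v in query.get("service", []))

def find_setup_completed_hits(log_text: str) -> list:
    # After installation no legitimate client should reach this page, so every
    # hit is worth an alert; a 302 matches the redirect-to-dashboard behaviour.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path != "/app":
            continue
        if is_setup_completed(m["target"]):
            hits.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                         "status": int(m["status"]),
                         "bypass_suspected": m["status"] == "302"})
    return hits

if __name__ == "__main__":
    for h in find_setup_completed_hits(SAMPLE_LOG):
        print(h)
```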
Static Analysis
The vulnerability is clear from the CVE description, which says the specific flaw is the Authentication Bypass in the SetupCompleted class, the class responsible for this endpoint. I reviewed this class in the IDE using the library found at C:\Program Files\PaperCut NG\server\lib\pcng-server-20.1.6.jar.
Loading the file into the tool, the code of formSubmit was as follows:
public void formSubmit(IRequestCycle cycle) {
    // Read the installation data (including the admin username) from setup.data
    SetupData setupData = this.getSetupData();
    this.getAnalyticsConfigurationService().setEnabled(this.isAnalyticsEnabled());
    this.getAnalyticsConfigurationService().adminNotified();
    this.clearSetupData();
    Home homePage = (Home)cycle.getPage("Home");
    homePage.setJavaScriptEnabled(this.isJavaScriptEnabled());
    // Log the current session in as that admin; nothing checks who submitted the form
    homePage.performLogin(setupData.getAdminUserName(), LoginType.Admin, false);
}
Basically, the formSubmit method is responsible for handling the form submission at the end of the installation process. It retrieves the setup data saved during installation and then proceeds to the login process by calling the performLogin method with the extracted setup data and parameters such as the login type, which is Admin in this case.
Intercepting the request in Burp showed the cookies and session as follows:
As it appears, the cookie header has been set and the user is redirected to the User Dashboard.
To understand the behaviour of formSubmit better, let's take a look at the performLogin method:
public Boolean performLogin(String username, @Nullable LoginType preferredLoginType, boolean sso) {
    return (Boolean)this.transactionHelper.runInTransaction(() -> {
        // Decide whether this username logs in as Admin, User, etc.
        LoginType loginType = this.deriveLoginType(username, preferredLoginType);
        if (loginType != null) {
            // Access rights are looked up from the username alone
            AccessRightList accessRights = this.authenticationManager.getUserRights(username);
            accessRights = this.deriveAccessRights(loginType, accessRights);
            return this.loginUser(username, accessRights, loginType, sso);
        } else {
            this.applicationLogManager.logWarn(this.getClass(), "Home.UserLoginFailureUnknownUser", new String[]{username});
            this.setErrorMessage(this.getMessage("LOGIN_DENIED_UNKNOWN_USER"));
            return false;
        }
    });
}
The performLogin method handles the login process and authorization by looking up access rights with authenticationManager.getUserRights. In this flow, formSubmit performs the login without validating the user's session, leading to a vulnerability known as session puzzling. This is a logic vulnerability that occurs when session and authentication functions are reused for multiple purposes. By exploiting this flaw, any user can visit SetupCompleted and be logged in through performLogin with administrative rights, as shown in the reproduction above.
To gain a deeper understanding of the logic, it is necessary to analyze the code's behavior at runtime using a debugger.
Dynamic Analysis
It's not enough to analyze the code statically. Let's examine the code's behavior at runtime using the debugger.
To debug the software, we need to add the debugging option to Java. In C:\Program Files\PaperCut NG\server\bin\wi we can see the start-server.bat file.
When we open it we can see that it calls another batch file named service-common.bat, and when we open that one we can see it takes its configuration from service.conf.
Reading service.conf we can see the Java options, so let's add the remote debugging option on port 5005 so the Java IDE can attach to it.
Now we need to restart the server. I found the stop-server.bat and start-server.bat files; run PowerShell as Administrator and stop and start the server as follows:
.\stop-server.bat
to stop the server, and
.\start-server.bat
to start it again.
Now it's time to set up the IDE with the libraries to start debugging. First go to Edit Configurations in the toolbar and add a Remote JVM Debug configuration as follows.
Set up the configuration to listen to the remote debug server on localhost port 5005 and click Apply.
Here we can see that our debugger is connected:
Now we just need to add the files and libraries to decompile and start debugging. Go to Project Structure in the IDE's toolbar, go to Libraries, add a new project library (Java), and add the PaperCut server libraries from the path C:\Program Files\PaperCut NG\server\lib, then click OK to load the files.
Now the jar files are decompiled and everything is ready to start debugging, as shown in the following picture:
Set a breakpoint in the formSubmit method at biz/papercut/pcng/web/setup/SetupCompleted.class in pcng-server-web-20.1.6.jar, in the library we loaded before. We start from there and figure out how the session is generated.
Click the Login button to see it in action and start debugging.
Stepping in, the first method call in formSubmit was getSetupData, which retrieves the installation information saved in the setup.data file and checks whether the data is null or not.
While stepping into this method I noticed that the session in the picture above has a sessionid value identical to the JSESSIONID found in the Burp Suite request, which means the session was obtained when invoking the getSetupData method.
Then, skipping the unimportant steps, the method uses this.clearSetupData() to clear the data from setup.data, checking whether the key is null and handling it.
The last line of formSubmit calls performLogin, which is the method handling the login process as explained in the static analysis.
As shown in the picture, the method grants access rights based on the username provided by formSubmit, which was admin, and preferredLoginType, which was set to Admin. Both are obtained from formSubmit and passed as arguments to the method, which means the session ends up with full access privileges to the dashboard.
Patch Diffing
- Before the patch
- After the patch
The patch replaced SetupData setupData = this.getSetupData();, which retrieved the setup data including the admin username, with a pageValidate method as follows:
public void pageValidate(PageEvent event) {
    // Only a request whose setup data reached the Confirm step may stay on this page
    if (!getSetupData().isConfirmed()) {
        WebUtils.redirectToPage(event.getRequestCycle().getPage(Home.PAGE_NAME));
    }
}
The app uses pageValidate to check, via isConfirmed, whether the user visiting the SetupCompleted page has actually gone through the installation and Confirm step first. If not, the method redirects the request to the Home page (Home.PAGE_NAME) through redirectToPage, and this prevents the session puzzling vulnerability.
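To make the session puzzling concrete, here is an added model (not PaperCut's code) of the pre-patch formSubmit and the patched pageValidate gate as described in the static analysis and patch diffing sections. Assumed for the model: getSetupData() hands back a default record naming "admin" with confirmed=False once setup.data has been cleared, and performLogin is reduced to assigning the user and login type to the session.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SetupData:
    admin_user_name: str = "admin"  # assumed default; the write-up saw "admin"
    confirmed: bool = False         # set only by the installer's Confirm step

@dataclass
class Session:
    user: Optional[str] = None
    login_type: Optional[str] = None
    redirected_to: Optional[str] = None

class SetupCompletedPage:
    def __init__(self, stored: Optional[SetupData], patched: bool):
        self.stored = stored    # contents of setup.data; None once cleared
        self.patched = patched

    def get_setup_data(self) -> SetupData:
        # Assumption: a default record is handed back when setup.data is empty.
        return self.stored if self.stored is not None else SetupData()

    def page_validate(self, session: Session) -> bool:
        # The fix: only a visitor whose install reached Confirm may proceed.
        if not self.get_setup_data().confirmed:
            session.redirected_to = "Home"  # WebUtils.redirectToPage(Home)
            return False
        return True

    def form_submit(self, session: Session) -> Session:
        if self.patched and not self.page_validate(session):
            return session
        data = self.get_setup_data()
        self.stored = None  # clearSetupData()
        # Home.performLogin(data.getAdminUserName(), LoginType.Admin, false):
        # rights derive from the username alone; nothing ties it to this visitor.
        session.user, session.login_type = data.admin_user_name, "Admin"
        return session

def anonymous_visit(patched: bool) -> Session:
    # Unauthenticated request to /app?service=page/SetupCompleted after install.
    return SetupCompletedPage(stored=None, patched=patched).form_submit(Session())

def real_install(patched: bool) -> Session:
    # The legitimate installer, whose setup.data was confirmed in the last step.
    data = SetupData(admin_user_name="alice", confirmed=True)
    return SetupCompletedPage(stored=data, patched=patched).form_submit(Session())
```

Before the patch the anonymous visit ends with an Admin session; after it the same visit is bounced to Home while the real installer still logs in.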
Mitigation
Update PaperCut NG to the latest version, 22.1.1.
Final Thoughts
Session puzzling persists as a web vulnerability in which the reuse of session-handling code for different purposes results in bypassing authentication and unauthorized manipulation. Our thorough analysis and debugging of the PaperCut code uncovered this overlooked vulnerability, and now we understand each step of it.
Resources
https://www.dltlabs.com/blog/what-is-a-session-puzzling-attack-777188