CVE-2023-39143 PaperCut File Upload RCE Security Vulnerability: What is it?
CVE-2023-39143 allows potential unauthorized attackers to read, delete, and upload arbitrary files to the PaperCut MF/NG application server, with the possibility of remote code execution in specific configurations.
Specifically, this vulnerability affects PaperCut servers running on Windows. When external device integration setting is enabled, remote code execution becomes possible through file uploads. This setting is open by default in certain installations, such as the PaperCut NG Commercial version or PaperCut MF.
Based on real-world examples collected from Horizon3, we estimate that the majority of PaperCut installations have the external device integration setting enabled on Windows.
Exploitability
PaperCut has drawn the attention of threat actors. Earlier this year, threat actors initiated campaigns targeting PaperCut servers with the previously disclosed unauthenticated remote code execution vulnerability, CVE-2023-27350.
In comparison to CVE-2023-27350, CVE-2023-39143 does not require threat actors to have any pre-existing privileges and does not necessitate any user interaction.
Unlike CVE-2023-27350, CVE-2023-39143 is a more complex exploit requiring the assembly of multiple issues to compromise a server. It is not a straightforward "one-shot" RCE vulnerability.
Detection
The following command checks if a PaperCut server is unpatched and running on Windows.
Kod:
curl -w "%{http_code}" -k --path-as-is "https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png"A 200 response indicates that the server is unpatched and running on Windows. A 404 response indicates that the server has been patched or is not running on Windows.
Solution
As of our current writing, we recommend upgrading to the latest version of PaperCut NG/MF, which is version 22.1.3.
If upgrading is not possible, it is advisable to take preventive measures by configuring an allow list of device IP addresses that are allowed to communicate with the PaperCut server to manage this vulnerability. Refer to the "IP Address Allow List" section in the PaperCut security best practices guide for guidance.
Source : https://www.turkhackteam.org/konula...sya-yukleme-rce-guvenlik-acigi-nedir.2048229/
As of our current writing, we recommend upgrading to the latest version of PaperCut NG/MF, which is version 22.1.3.
If upgrading is not possible, it is advisable to take preventive measures by configuring an allow list of device IP addresses that are allowed to communicate with the PaperCut server to manage this vulnerability. Refer to the "IP Address Allow List" section in the PaperCut security best practices guide for guidance.
Source : https://www.turkhackteam.org/konula...sya-yukleme-rce-guvenlik-acigi-nedir.2048229/
