The JavaScript engine is Rhino, which also allows that user to execute arbitrary Java. In both cases, the attacker abuses the system’s built-in JavaScript interface. Exploits that use the print scripting interface to drop a malicious JAR (see this Metasploit pull request).Exploits that use the PaperCut print scripting interface to execute Windows commands (variations on the Horizon3.ai exploit).Microsoft attributes attacks in mid-April to TA505.Īt the time of writing, two public exploit variants use CVE-2023-27350 and execute arbitrary code on PaperCut NG and MF: In this blog, we detail one such path and show how an attacker can avoid existing detections based on the defender's incorrect assumptions.īefore diving into the new code execution path, let’s look at the history of this vulnerability and survey the current exploits and detections that the security community has published. How did this happen? PaperCut NG and MF offer multiple paths to code execution. However, VulnCheck researchers have found a proof-of-concept exploit that bypasses all published detections from Huntress, Horizon3.ai, Emerging Threats and Microsoft. Multiple security organizations have published exploit detections and indicators of compromise that assume attackers are executing code through PaperCut’s built-in scripting interface. The exploited vulnerability would later be assigned CVE-2023-27350. In mid-April, attackers began exploiting a vulnerability in PaperCut NG and MF. This ensures that their jobs list in the queue under their username.Since attackers learn from defenders' public detections, it's the defenders’ responsibility to produce robust detections that aren’t easily bypassed. Instruct each user to log onto their workstation using an account with the same username and password as set up for them on the nominated host system. Install the PaperCut NG/MF server software and complete the configuration wizard. Set permission on the printer so only these users can access the printer shares (i.e. ![]() On the nominated host system, set up user accounts for all users via User Accounts in the Windows Control Panel. Users must authenticate prior to releasing their jobs allowing PaperCut NG to confirm their identity. Hold/Release queues can be used as a form of authentication in an unauthenticated environment. A good example would be a teacher approving printing on an expensive color printer. In some organizations it may be appropriate to hold jobs until they are approved by selected individuals. This ensures the user is there to collect the job and other users can't "accidentally" collect the document. ![]() In a secure printing environment jobs are only printed when the user arrives at the print area and confirms his or her identity. Some common examples where Release Stations can be used include secure printing, approved printing, and authentication. Often a Release Station is a dedicated PC terminal located next to the printers, however, Release Stations can take other forms such as a web browser based interface. ![]() This should also be performed for any system running a Release Station Print Release Stations place a print job on hold and allow users to release it when required. On the General tab, select Account is disabled. Right-click the Guest user then select Properties. Open the Local Users screen: Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Users On the nominated host system, ensure that the Guest account is disabled. Set up the printers and share with appropriate names. Nominate a system to host the printers and the PaperCut NG/MF server software. Option 1: Common username and passwords on all systems Available in PaperCut NG and PaperCut MF.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |