CVE-2023-27350
PaperCut NG 22.0.5 Build 63914 authentication bypass
"This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914).
Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control.
An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987."
-nvd.nist.gov
PaperCut is popular print management software with an online dashboard.
Exploiting this vulnerability is pretty simple: make two GET requests from any browser, using the following URL query strings:
/app?service=page/SetupCompleted and subsequently /app?service=page/Dashboard
Doing this tricks the server into believing that we are already authenticated, allowing access to the dashboard.
[*] dashboard_sample.png
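The two-request sequence above leaves a recognizable trace in web access logs. The following check is an added example, not part of the original write-up: it assumes Common Log Format lines (for instance from a reverse proxy in front of the print server), and the sample lines, the 10-minute window and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (assumed source: a reverse
# proxy in front of the print server). Addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Apr/2023:10:00:01 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120
192.0.2.10 - - [21/Apr/2023:10:00:04 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 20480
198.51.100.7 - - [21/Apr/2023:10:05:00 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 20480
203.0.113.5 - - [21/Apr/2023:11:00:00 +0000] "GET /app?service=page%2FSetupCompleted HTTP/1.1" 200 5120
203.0.113.5 - - [21/Apr/2023:13:30:00 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 20480
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def service_of(target):
    """Return the URL-decoded 'service' query parameter of a request target, or None."""
    values = parse_qs(urlsplit(target).query).get("service")
    return values[0] if values else None


def find_setup_then_page(log_text, window=timedelta(minutes=10)):
    """Flag clients that request SetupCompleted and then another page within `window`."""
    setup_seen = {}  # client address -> time of its last SetupCompleted request
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, stamp, _method, target, _status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        service = service_of(target)
        if service is None or not service.startswith("page/"):
            continue
        if service == "page/SetupCompleted":
            setup_seen[client] = when
        elif client in setup_seen and when - setup_seen[client] <= window:
            findings.append((client, service, when.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in find_setup_then_page(SAMPLE_LOG):
        print("suspicious sequence:", finding)
```

On an installation that has already been set up, any request for the SetupCompleted page is worth reviewing on its own, so the window can be widened when triaging older logs.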
Looking for vulnerable targets
Reading some tweets and searching on Shodan, I realized that most of the vulnerable hosts (like more than 90%) have the same icon hash, -626462482.
Using FOFA (a Shodan-like internet search engine) with the query icon_hash="-626462482", I could get a lot more indexed results.
[*] fofa_results.png