Detection with GenAI (Part 1): PaperCut (CVE-2023-27350)


As part of the ITWeb Security Summit Hackathon, Snode (and the partners listed below) will be hosting an Ideathon challenge to select students for the CTF (capture the flag) event. This article is the primer (part 1); a tutorial (part 2) will follow after the event.

The first in a series of Gen-AI experiments for prevention, detection and response.

Anyone should be able to do it, even if you have not used ChatGPT and are new to detection or prompt engineering. The challenge is designed to be accessible to all.


Sections

  1. Background (optional)
  2. Building a PaperCut lab
  3. Vulnerability discovery
  4. Detection engineering
  5. Test detection accuracy

Background

Generative AI platforms, like ChatGPT, are more than a new way to search. Code generation using natural language prompts is an exciting area I want to explore.

Why reinvent the wheel?

Good question! I get the feeling that vulnerability exploitation, for the most part (e.g., by human-operated ransomware groups), aligns with the Pareto Principle.

In other words, 90% of threat actors only leverage the top 10% of known and most commonly exploited vulnerabilities. SentinelOne's Watchtower Report is one example.

SentinelOne Watchtower End of Year 2023 report

A more detailed view, from Loginsoft's Vulnerability Intelligence Report for 2023.

Loginsoft Vulnerability Intelligence 2023 report

These top lists align with Snode's own intelligence and provide even greater insight:

Qualys Top 20 Most Exploited Vulnerabilities | Qualys Security Blog
2022 Top Routinely Exploited Vulnerabilities | CISA

The rationale is simply to investigate whether we can convert vulnerability intelligence into an automated detection (engineering) script in a short period of time by leveraging Gen-AI.


Building a PaperCut lab

PaperCut Software provides a list of previous versions. This includes a version and build number (see screenshot below). I used vulnerable version 20.1.2, build 55844.

PaperCut version 20.1.2 with build number 55844

Simply substitute the version and build numbers in the current download link to change to an older (vulnerable) version. This is the link I crafted for 20.1.2 (Linux):

https://cdn.papercut.com/web/products/ng-mf/installers/ng/20.x/pcng-setup-20.1.2.55844.sh

Now, you can install it on a server (or virtual appliance) in your lab environment.

Impact on the internet

Although we always perform testing and exploit development within a closed lab environment, it is important to understand the scope and impact of the vulnerability.

For example, if you wanted statistics on how many PaperCut servers were accessible on the internet, you could use the following Shodan query:

http.html:"papercut" http.html:"print"

The insights gleaned from the data points provided are also very useful when developing a robust vulnerability detection or service fingerprinting script.

Shodan search results for PaperCut instances

Vulnerability Discovery

The PaperCut (CVE-2023-27350) vulnerability is a great choice for these experiments. This is mostly due to the simple nature of the vulnerability and exploitation techniques.

Exploitation uses a combination of two vulnerabilities:

  1. An authentication bypass vulnerability (the initial vector); and
  2. A remote code execution vector (out-of-sandbox script handling).

Authentication bypass

This is the initial vector regardless: you can't modify the PaperCut configuration and scripts without initial access (unless you are already a PaperCut administrator).

The attack seems simple enough: you simply access the following server resource (URL): http://x.x.x.x:yyy/app?service=page/SetupComplete

Detecting PaperCut (CVE-2023-27350)

Now, we ask ChatGPT to provide the code for detection, with a few "arguments".

ChatGPT prompt for vulnerability detection

ChatGPT returned the following Python code:

import sys
import requests

def check_resource(ip_address, port):
  url = f"http://{ip_address}:{port}/app?service=page/SetupComplete"
  try:
    # A bounded timeout stops the check hanging on a host that accepts the
    # connection but never answers
    response = requests.get(url, timeout=5)
    if response.status_code == 200:
      print(f"Resource found at {url}")
    else:
      print(f"Resource not found at {url}")
  except requests.exceptions.RequestException as e:
    print("An error occurred:", e)

# The dunder names (__name__ / __main__) were lost in the original formatting
if __name__ == "__main__":
  if len(sys.argv) != 3:
    print("Usage: python script.py <IP_address> <port>")
    sys.exit(1)

  ip_address = sys.argv[1]
  port = sys.argv[2]

  check_resource(ip_address, port)

To run, you simply:

$ python papercut-cve-detect.py 10.10.10.10 9191

Detection Engineering

This section simply completes the detection process. The high-level process is:

  1. Scan for PaperCut servers (fingerprint);
  2. Detect PaperCut CVE-2023-27350; and
  3. Test RCE (remote command execution).

Fingerprinting PaperCut servers

Grabbing the landing page (which failed testing) from a Shodan entry allows us to review its source code. The code shows the frequent use of the string "PaperCut".

Source code for index.html

Detecting PaperCut server

We go back to ChatGPT and ask for code that fingerprints the PaperCut server.

Asking ChatGPT to generate a script to fingerprint PaperCut

This returned the following Python script:

import sys
import requests

def check_index_content(ip_address, port):
    url = f"http://{ip_address}:{port}/index.html"
    try:
        response = requests.get(url)
        if response.status_code == 200:
            content = response.text.lower()
            if "papercut" in content:
                print("Alert: 'papercut' found in index.html content!")
            else:
                print("No alert: 'papercut' not found in index.html content.")
        else:
            print(f"Error: Couldn't fetch index.html from {url}. Status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print("An error occurred:", e)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python script.py <IP_address> <port>")
        sys.exit(1)
    
    ip_address = sys.argv[1]
    port = sys.argv[2]

    check_index_content(ip_address, port)

To run, you simply:

$ python papercut-www-detect.py 10.10.10.10 9191

Test detection accuracy

Building test case scenarios

Let's define a list of appropriate test case scenarios:

  1. Fingerprint the lab server and a few (2) updated servers.
  2. Test detection on our known vulnerable (lab) servers.
  3. Test detection on lab-based (fully patched) servers.

Fingerprinting PaperCut - testing true positives

I tried to fingerprint the PaperCut lab web portal and quickly found an issue:

python3 PaperCut_detect.py 10.10.10.10 9191
Error: Couldn't fetch index.html from http://10.10.10.10:9191/index.html. Status code: 404

Ok, that's because there is no index.html:

Screenshot showing the correct path is "/user"

So I updated the script, and ran it again:

python3 PaperCut_detect.py 10.10.10.10 9191
An error occurred: HTTPSConnectionPool(host='10.10.10.10', port=443): Max retries exceeded with url: /user (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '10.10.10.10'. (_ssl.c:1000)")))

If I use the fully qualified DNS name (FQDN), taken from the SSL certificate:

python3 PaperCut_detect.py domain.name.tld 9191
Alert: PaperCut detected!

It works, so I worked around the SSL certificate mismatch (I specified "verify=False") and moved to another target, using its IP address:

python3 PaperCut_detect.py 10.10.10.10 9191
<PATH/connectionpool.py:1103: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.10.10'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
warnings.warn(
Alert: PaperCut detected!

I got a warning message for an unverified SSL connection, but it worked.

Fingerprint PaperCut - testing true negatives

This time I checked Shodan for any servers with the default PaperCut port 9191 open.

I found an FTP service on that port and thought it would make a good test case.

Pure-FTPd running on the default PaperCut port 9191.

So a quick test lab, with Pure-FTPd configured on port 9191, outputs the following:

python3 PaperCut_detect.py 10.10.10.10 9191
An error occurred: ('Connection aborted.', BadStatusLine('220-——— Welcome to Pure-FTPd [privsep] [TLS] -———\r\n'))

Not the most graceful (error handling) response, but it will do for now.
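The two ChatGPT scripts above and the test cases in this section point at the same set of edge cases: the landing page lives at /user rather than /index.html, the lab answers TLS on 9191 with a certificate that does not match the IP, and a non-HTTP service on the port produces an ugly BadStatusLine. The following script is an added example (not the article's code and not ChatGPT output) that folds the fingerprint and the SetupComplete check into one assessment with those cases handled. It assumes the paths the article observed (/user and /app?service=page/SetupComplete) and the same "HTTP 200 means the resource is reachable" indicator; the fetcher is injectable so the classification logic can be exercised offline with constructed responses, and the function and variable names are my own.

```python
import sys
from typing import Callable, Dict, Optional, Tuple

import requests
import urllib3

# The article ran its check with verify=False and received urllib3's
# InsecureRequestWarning; silence only that warning, nothing else.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Paths observed in the article: the landing page that actually exists on the
# lab server ("/user", not "/index.html") and the SetupComplete resource whose
# reachability is the CVE-2023-27350 indicator.
LANDING_PATH = "/user"
SETUP_COMPLETE_PATH = "/app?service=page/SetupComplete"
FINGERPRINT_MARKER = "papercut"

# A fetcher returns (status_code, body) or (None, error_text). Injecting it lets
# the classification below run offline against canned responses.
FetchResult = Tuple[Optional[int], str]
Fetcher = Callable[[str], FetchResult]


def http_fetch(url: str, timeout: float = 5.0, verify: bool = False) -> FetchResult:
    """GET a URL; transport errors (timeouts, TLS, non-HTTP banners) become (None, reason)."""
    try:
        resp = requests.get(url, timeout=timeout, verify=verify)
        return resp.status_code, resp.text
    except requests.exceptions.RequestException as exc:
        # Covers the BadStatusLine raised by Pure-FTPd's "220-..." banner on 9191.
        return None, f"{type(exc).__name__}: {exc}"


def fingerprint(base_url: str, fetch: Fetcher = http_fetch) -> Tuple[str, str]:
    """Classify base_url as 'papercut', 'other' or 'error' from its landing page."""
    status, body = fetch(base_url + LANDING_PATH)
    if status is None:
        return "error", body
    if status == 200 and FINGERPRINT_MARKER in body.lower():
        return "papercut", f"'{FINGERPRINT_MARKER}' found in {LANDING_PATH}"
    return "other", f"HTTP {status} from {LANDING_PATH} without marker"


def check_setup_complete(base_url: str, fetch: Fetcher = http_fetch) -> Tuple[str, str]:
    """Apply the article's indicator: HTTP 200 on SetupComplete means the page is reachable."""
    status, body = fetch(base_url + SETUP_COMPLETE_PATH)
    if status is None:
        return "error", body
    if status == 200:
        return "indicator-present", f"HTTP 200 from {SETUP_COMPLETE_PATH}"
    return "indicator-absent", f"HTTP {status} from {SETUP_COMPLETE_PATH}"


def assess(host: str, port: int, fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Try https then http (the lab answered TLS on 9191) and combine both checks."""
    result = {"host": host, "port": str(port), "scheme": "", "fingerprint": "error",
              "cve_2023_27350": "not-checked", "detail": ""}
    for scheme in ("https", "http"):
        base = f"{scheme}://{host}:{port}"
        verdict, detail = fingerprint(base, fetch)
        if verdict == "error":
            result["detail"] = detail  # keep the last transport error for the report
            continue
        result.update(scheme=scheme, fingerprint=verdict, detail=detail)
        if verdict == "papercut":
            # Only probe the CVE indicator on hosts that look like PaperCut; this
            # keeps a non-HTTP service (the FTP case) from producing noise.
            cve, cve_detail = check_setup_complete(base, fetch)
            result["cve_2023_27350"] = cve
            result["detail"] = f"{detail}; {cve_detail}"
        return result
    return result


def canned_fetcher(responses: Dict[str, FetchResult]) -> Fetcher:
    """Build an offline fetcher from a URL -> (status, body) table (constructed test data)."""
    def fetch(url: str) -> FetchResult:
        return responses.get(url, (None, "ConnectionError: constructed unreachable host"))
    return fetch


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python papercut_assess.py <host> <port>")
        sys.exit(1)
    print(assess(sys.argv[1], int(sys.argv[2])))
```

Version detection, which the article lists as a challenge item, is deliberately not attempted here: the script reports "indicator-present" rather than "vulnerable", because a reachable SetupComplete page is the article's indicator, not proof of an unpatched build.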

PaperCut (CVE-2023-27350) - challenge

This is the component that all Ideathon students interested in the CTF challenge are required to complete. Additionally, we would like to see the following:

  1. Graceful error handling and greater accuracy (e.g. version detection).
  2. Translate new insight to develop intrusion detection rules (e.g. Snort).
  3. Use the lab to build a post-compromise detection tool (e.g. log scripts).
  4. Test compromise and intrusion detection tools using public exploits.
  5. For bonus points - build your own exploitation script (using ChatGPT).

After the Ideathon event I'll write a tutorial (part 2) on how to complete the exercise.
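Challenge item 3 asks for a post-compromise detection built from logs. As an added example (not the article's code and not a solution to the tutorial that part 2 will cover), the script below scans web server access logs for the SetupComplete request the article identifies as the authentication-bypass vector and groups the hits per source address. It assumes NCSA combined log format, which is an assumption on my part since the article does not show PaperCut's own log layout; the sample lines and addresses are constructed, and the function names are my own.

```python
import re
from collections import OrderedDict
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample in NCSA combined format (an assumed layout, not the real
# PaperCut log format). Three sources: a normal user, a source that reached the
# SetupComplete page twice and was served HTTP 200, and a source whose attempt
# returned 404 (e.g. a host where the page is not reachable).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:08:01:12 +0200] "GET /user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [10/May/2024:08:02:40 +0200] "GET /app?service=page/SetupComplete HTTP/1.1" 200 2310 "-" "python-requests/2.31.0"
198.51.100.77 - - [10/May/2024:08:02:41 +0200] "GET /app?service=page%2FSetupComplete HTTP/1.1" 200 2310 "-" "python-requests/2.31.0"
192.0.2.9 - - [10/May/2024:08:03:05 +0200] "GET /app?service=page/SetupComplete HTTP/1.1" 404 512 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Matched after URL-decoding and lower-casing so that %2F or case games in the
# query string do not slip past the check.
SETUP_COMPLETE_MARKER = "service=page/setupcomplete"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_setup_complete(uri: str) -> bool:
    """True when the request targets the SetupComplete page named in the article."""
    return SETUP_COMPLETE_MARKER in unquote(uri).lower()


def detect(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per source address that requested the SetupComplete page."""
    alerts: "OrderedDict[str, Dict[str, object]]" = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_setup_complete(rec["uri"]):
            continue
        a = alerts.setdefault(rec["src"], {
            "src": rec["src"], "hits": 0, "served": False,
            "first_seen": rec["ts"].isoformat(), "last_seen": rec["ts"].isoformat(),
            "user_agents": [],
        })
        a["hits"] += 1
        a["last_seen"] = rec["ts"].isoformat()
        # A 200 means the bypass page was actually served, which is the stronger signal
        if rec["status"] == 200:
            a["served"] = True
        if rec["ua"] not in a["user_agents"]:
            a["user_agents"].append(rec["ua"])
    for a in alerts.values():
        a["severity"] = "high" if a["served"] else "medium"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run it against a real log by reading the file into detect(); the "served" flag distinguishes a scanner that merely asked for the page from a source that actually received it, which is the case worth escalating.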

Disclaimer #1 - no internet servers were harmed during the making of this blog!

Disclaimer #2 - if I got something wrong,...

Hackathon CTF Crew

This is a list of partners supporting this year's ITWeb Security Summit Hackathon CTF.

ITWeb | Business Technology Media Community
Home of the Geeks
Telspace Africa