{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/paperclip-ai/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Paperclip AI"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","paperclip","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Paperclip"],"content_html":"\u003cp\u003ePaperclip AI v2026.403.0 is vulnerable to OS command injection. The vulnerability resides in the execution workspace lifecycle, specifically within the \u003ccode\u003eworkspace-runtime.ts\u003c/code\u003e component. By sending a crafted \u003ccode\u003ePATCH\u003c/code\u003e request to the \u003ccode\u003e/api/execution-workspaces/:id\u003c/code\u003e endpoint, an attacker can inject arbitrary shell commands into the \u003ccode\u003ecleanupCommand\u003c/code\u003e field. When the affected workspace is archived the server executes the injected command via \u003ccode\u003echild_process.spawn(shell, [\u0026quot;-c\u0026quot;, cleanupCommand])\u003c/code\u003e. This vulnerability is exploitable in all deployment modes, including \u003ccode\u003elocal_trusted\u003c/code\u003e (zero authentication) and \u003ccode\u003eauthenticated\u003c/code\u003e (any company user). Successful exploitation allows for remote code execution with the privileges of the Paperclip server process on Linux, macOS, and Windows platforms. Proof of concept demonstrations include arbitrary file write, system information exfiltration, and GUI application launch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/companies\u003c/code\u003e to obtain a company ID.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/companies/{company_id}/execution-workspaces\u003c/code\u003e to enumerate execution workspaces and retrieve a workspace ID.\u003c/li\u003e\n\u003cli\u003eIf the workspace is not in an \u003ccode\u003eactive\u003c/code\u003e state, the attacker sends a \u003ccode\u003ePATCH\u003c/code\u003e request to \u003ccode\u003e/api/execution-workspaces/{workspace_id}\u003c/code\u003e with the body \u003ccode\u003e{\u0026quot;status\u0026quot;: \u0026quot;active\u0026quot;}\u003c/code\u003e to reactivate it.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePATCH\u003c/code\u003e request to \u003ccode\u003e/api/execution-workspaces/{workspace_id}\u003c/code\u003e with a JSON body containing a malicious \u003ccode\u003ecleanupCommand\u003c/code\u003e within the \u003ccode\u003econfig\u003c/code\u003e object, such as \u003ccode\u003e{\u0026quot;config\u0026quot;: {\u0026quot;cleanupCommand\u0026quot;: \u0026quot;echo RCE_PROOF \u0026gt; \\\\\u0026quot;/tmp/rce-proof.txt\\\\\u0026quot;\u0026quot;}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server stores the injected \u003ccode\u003ecleanupCommand\u003c/code\u003e in the workspace configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the command injection by sending a \u003ccode\u003ePATCH\u003c/code\u003e request to \u003ccode\u003e/api/execution-workspaces/{workspace_id}\u003c/code\u003e to archive the workspace, setting \u003ccode\u003e\u0026quot;status\u0026quot;: \u0026quot;archived\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server executes the injected command using \u003ccode\u003echild_process.spawn(shell, [\u0026quot;-c\u0026quot;, cleanupCommand])\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the server, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the Paperclip server with the privileges of the server process. This can lead to a range of severe impacts, including remote code execution, data exfiltration of sensitive information (e.g., system info, environment variables, source code), lateral movement within the network, and potential supply chain attacks by injecting backdoors into managed repositories. In \u003ccode\u003elocal_trusted\u003c/code\u003e mode, this requires zero authentication, making it easily exploitable by malicious local processes or web pages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation to the \u003ccode\u003ecleanupCommand\u003c/code\u003e and \u003ccode\u003eteardownCommand\u003c/code\u003e fields in the PATCH handler to prevent the injection of malicious commands.\u003c/li\u003e\n\u003cli\u003eImplement command allowlisting, permitting only a predefined set of safe commands for workspace cleanup.\u003c/li\u003e\n\u003cli\u003eReplace \u003ccode\u003espawn(shell, [\u0026quot;-c\u0026quot;, command])\u003c/code\u003e with \u003ccode\u003eexecFile()\u003c/code\u003e using an argument array to mitigate shell metacharacter injection.\u003c/li\u003e\n\u003cli\u003eImplement proper authorization checks BEFORE processing the PATCH request to validate user permissions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectPaperclipCleanupCommandInjection\u003c/code\u003e to identify attempts to exploit this vulnerability via the PATCH request to \u003ccode\u003e/api/execution-workspaces/:id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRun cleanup commands in a sandboxed environment to minimize the impact of potential exploits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-paperclip-rce/","summary":"A critical OS command injection vulnerability exists in Paperclip AI v2026.403.0 within the execution workspace lifecycle. By injecting arbitrary shell commands into the `cleanupCommand` field via the `PATCH /api/execution-workspaces/:id` endpoint, an attacker can execute these commands on the server when the workspace is archived.","title":"Paperclip AI OS Command Injection via Execution Workspace cleanupCommand","url":"https://feed.craftedsignal.io/briefs/2024-01-03-paperclip-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Paperclip AI","version":"https://jsonfeed.org/version/1.1"}