<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Paperclip AI - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/paperclip-ai/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/paperclip-ai/feed.xml" rel="self" type="application/rss+xml"/><item><title>Paperclip AI OS Command Injection via Execution Workspace cleanupCommand</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-paperclip-rce/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-paperclip-rce/</guid><description>A critical OS command injection vulnerability exists in Paperclip AI v2026.403.0 within the execution workspace lifecycle. By injecting arbitrary shell commands into the `cleanupCommand` field via the `PATCH /api/execution-workspaces/:id` endpoint, an attacker can execute these commands on the server when the workspace is archived.</description><content:encoded><![CDATA[<p>Paperclip AI v2026.403.0 is vulnerable to OS command injection. The vulnerability resides in the execution workspace lifecycle, specifically within the <code>workspace-runtime.ts</code> component. By sending a crafted <code>PATCH</code> request to the <code>/api/execution-workspaces/:id</code> endpoint, an attacker can inject arbitrary shell commands into the <code>cleanupCommand</code> field. When the affected workspace is archived the server executes the injected command via <code>child_process.spawn(shell, [&quot;-c&quot;, cleanupCommand])</code>. This vulnerability is exploitable in all deployment modes, including <code>local_trusted</code> (zero authentication) and <code>authenticated</code> (any company user). Successful exploitation allows for remote code execution with the privileges of the Paperclip server process on Linux, macOS, and Windows platforms. Proof of concept demonstrations include arbitrary file write, system information exfiltration, and GUI application launch.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a <code>GET</code> request to <code>/api/companies</code> to obtain a company ID.</li>
<li>The attacker sends a <code>GET</code> request to <code>/api/companies/{company_id}/execution-workspaces</code> to enumerate execution workspaces and retrieve a workspace ID.</li>
<li>If the workspace is not in an <code>active</code> state, the attacker sends a <code>PATCH</code> request to <code>/api/execution-workspaces/{workspace_id}</code> with the body <code>{&quot;status&quot;: &quot;active&quot;}</code> to reactivate it.</li>
<li>The attacker crafts a <code>PATCH</code> request to <code>/api/execution-workspaces/{workspace_id}</code> with a JSON body containing a malicious <code>cleanupCommand</code> within the <code>config</code> object, such as <code>{&quot;config&quot;: {&quot;cleanupCommand&quot;: &quot;echo RCE_PROOF &gt; \\&quot;/tmp/rce-proof.txt\\&quot;&quot;}}</code>.</li>
<li>The server stores the injected <code>cleanupCommand</code> in the workspace configuration.</li>
<li>The attacker triggers the command injection by sending a <code>PATCH</code> request to <code>/api/execution-workspaces/{workspace_id}</code> to archive the workspace, setting <code>&quot;status&quot;: &quot;archived&quot;</code>.</li>
<li>The server executes the injected command using <code>child_process.spawn(shell, [&quot;-c&quot;, cleanupCommand])</code>.</li>
<li>The attacker achieves remote code execution on the server, potentially leading to data exfiltration, lateral movement, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the Paperclip server with the privileges of the server process. This can lead to a range of severe impacts, including remote code execution, data exfiltration of sensitive information (e.g., system info, environment variables, source code), lateral movement within the network, and potential supply chain attacks by injecting backdoors into managed repositories. In <code>local_trusted</code> mode, this requires zero authentication, making it easily exploitable by malicious local processes or web pages.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply input validation to the <code>cleanupCommand</code> and <code>teardownCommand</code> fields in the PATCH handler to prevent the injection of malicious commands.</li>
<li>Implement command allowlisting, permitting only a predefined set of safe commands for workspace cleanup.</li>
<li>Replace <code>spawn(shell, [&quot;-c&quot;, command])</code> with <code>execFile()</code> using an argument array to mitigate shell metacharacter injection.</li>
<li>Implement proper authorization checks BEFORE processing the PATCH request to validate user permissions.</li>
<li>Deploy the Sigma rule <code>DetectPaperclipCleanupCommandInjection</code> to identify attempts to exploit this vulnerability via the PATCH request to <code>/api/execution-workspaces/:id</code>.</li>
<li>Run cleanup commands in a sandboxed environment to minimize the impact of potential exploits.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>command-injection</category><category>rce</category><category>paperclip</category><category>vulnerability</category></item></channel></rss>