{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/paperclip/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Paperclip","paperclipai","@paperclipai/server"],"_cs_severities":["critical"],"_cs_tags":["paperclip","rce","authentication-bypass","code-execution"],"_cs_type":"advisory","_cs_vendors":["Paperclip"],"content_html":"\u003cp\u003ePaperclip is vulnerable to an unauthenticated remote code execution (RCE) flaw, affecting instances running in \u003ccode\u003eauthenticated\u003c/code\u003e mode with default configurations. This vulnerability allows attackers to gain full control of the system without requiring any user interaction or credentials. The exploit chain consists of several steps, including creating an account without email verification, generating and approving a CLI authentication token, and exploiting a missing authorization check in the company import endpoint. This allows the attacker to deploy a malicious agent configured with a process adapter, enabling arbitrary command execution as the server's OS user. The vulnerability affects versions prior to 2026.410.0 of the \u003ccode\u003epaperclipai\u003c/code\u003e and \u003ccode\u003e@paperclipai/server\u003c/code\u003e npm packages.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Creation:\u003c/strong\u003e The attacker creates a new account via the \u003ccode\u003e/api/auth/sign-up/email\u003c/code\u003e endpoint. No invite token or email verification is required.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSign In:\u003c/strong\u003e The attacker signs in with the newly created account via the \u003ccode\u003e/api/auth/sign-in/email\u003c/code\u003e endpoint, obtaining a session cookie.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCLI Auth Challenge Creation:\u003c/strong\u003e The attacker creates a CLI auth challenge via the \u003ccode\u003e/api/cli-auth/challenges\u003c/code\u003e endpoint. No authentication is needed for this step. The response includes a \u003ccode\u003etoken\u003c/code\u003e and \u003ccode\u003eboardApiToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCLI Auth Challenge Approval:\u003c/strong\u003e The attacker approves the CLI auth challenge via the \u003ccode\u003e/api/cli-auth/challenges/\u0026lt;id\u0026gt;/approve\u003c/code\u003e endpoint using the session cookie obtained in step 2. The server only verifies that the caller is a board user, not that they are the challenge creator.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompany Import:\u003c/strong\u003e The attacker exploits the missing \u003ccode\u003eassertInstanceAdmin\u003c/code\u003e check in the \u003ccode\u003e/api/companies/import\u003c/code\u003e endpoint to import a malicious company configuration. This configuration includes an agent with a \u003ccode\u003eprocess\u003c/code\u003e adapter that specifies a command to execute.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Trigger:\u003c/strong\u003e The attacker triggers the malicious agent via the \u003ccode\u003e/api/agents/\u0026lt;agent-id\u0026gt;/wakeup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution:\u003c/strong\u003e The \u003ccode\u003eprocess\u003c/code\u003e adapter executes the attacker-specified command (e.g., \u003ccode\u003ebash -c \u0026quot;id \u0026gt; /tmp/pwned.txt \u0026amp;\u0026amp; ...\u0026quot;\u003c/code\u003e), resulting in code execution as the server's OS user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to execute arbitrary commands as the Paperclip server's OS user. This grants:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eFull filesystem access (read/write as the server user)\u003c/li\u003e\n\u003cli\u003eAccess to all data in the Paperclip database\u003c/li\u003e\n\u003cli\u003eAbility to pivot to internal network services\u003c/li\u003e\n\u003cli\u003eAbility to disrupt all agent operations\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe attack is fully automated and works against the default deployment configuration, posing a critical risk to affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eDisable open registration by default:\u003c/strong\u003e Modify \u003ccode\u003eserver/src/config.ts:172\u003c/code\u003e to change \u003ccode\u003e?? false\u003c/code\u003e to \u003ccode\u003e?? true\u003c/code\u003e and document \u003ccode\u003ePAPERCLIP_AUTH_DISABLE_SIGN_UP\u003c/code\u003e in the deployment guide.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrevent CLI auth self-approval:\u003c/strong\u003e  Modify \u003ccode\u003eserver/src/routes/access.ts\u003c/code\u003e around line 1700 to reject when the approving user is the same user who created the challenge.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequire email verification:\u003c/strong\u003e Modify \u003ccode\u003eserver/src/auth/better-auth.ts:91\u003c/code\u003e to set \u003ccode\u003erequireEmailVerification: true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdd \u003ccode\u003eassertInstanceAdmin\u003c/code\u003e to the import endpoint for \u003ccode\u003enew_company\u003c/code\u003e mode:\u003c/strong\u003e Modify \u003ccode\u003eserver/src/routes/companies.ts\u003c/code\u003e, lines 161-176, to include the \u003ccode\u003eassertInstanceAdmin\u003c/code\u003e check for \u003ccode\u003ePOST /import\u003c/code\u003e and \u003ccode\u003ePOST /import/preview\u003c/code\u003e when \u003ccode\u003emode\u003c/code\u003e is set to \u003ccode\u003enew_company\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor web server logs\u003c/strong\u003e for POST requests to \u003ccode\u003e/api/companies/import\u003c/code\u003e that do not originate from an instance administrator to detect potential exploitation attempts, utilizing the rule below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-paperclip-rce/","summary":"An unauthenticated attacker can achieve remote code execution on Paperclip instances by exploiting multiple vulnerabilities, including open signup, self-approval of CLI authentication challenges, and missing authorization checks in the company import endpoint, leading to arbitrary command execution as the server's OS user.","title":"Paperclip Unauthenticated Remote Code Execution via Import Authorization Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-09-paperclip-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Paperclip"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","remote-code-execution","paperclip"],"_cs_type":"advisory","_cs_vendors":["Paperclip"],"content_html":"\u003cp\u003eA privilege escalation vulnerability exists in Paperclip, a workflow automation and orchestration tool. The vulnerability stems from insufficient validation of agent configuration updates. An attacker possessing a valid Agent API key can exploit this flaw to achieve arbitrary OS command execution on the Paperclip server host. Specifically, by sending a PATCH request to the \u003ccode\u003e/api/agents/:id\u003c/code\u003e endpoint, the attacker can modify the \u003ccode\u003eadapterConfig.workspaceStrategy.provisionCommand\u003c/code\u003e field, injecting malicious shell commands. When the server subsequently executes the workspace provisioning routine, these injected commands are executed, bypassing the intended trust boundary between agent runtime configuration and server host execution. The vulnerability affects Paperclip versions prior to 2026.416.0. Successful exploitation leads to remote code execution on the server host, potentially allowing attackers to compromise the entire deployment environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains a valid Agent API key through legitimate means or compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePATCH\u003c/code\u003e request to the \u003ccode\u003e/api/agents/:id\u003c/code\u003e endpoint, targeting a specific agent.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePATCH\u003c/code\u003e request modifies the agent's \u003ccode\u003eadapterConfig\u003c/code\u003e, specifically injecting a malicious command into the \u003ccode\u003eadapterConfig.workspaceStrategy.provisionCommand\u003c/code\u003e field. For example: \u003ccode\u003eecho PAPERCLIP_RCE \u0026gt; poc_rce.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers workspace provisioning by sending a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/api/agents/:id/wakeup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe Paperclip server executes the workspace provisioning routine, which includes running the command specified in \u003ccode\u003eadapterConfig.workspaceStrategy.provisionCommand\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server executes the injected command using \u003ccode\u003e/bin/sh -c\u003c/code\u003e, effectively running arbitrary shell commands on the host.\u003c/li\u003e\n\u003cli\u003eThe injected command executes successfully, for example creating a file \u003ccode\u003epoc_rce.txt\u003c/code\u003e on the server filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the Paperclip server host, enabling them to read environment variables, exfiltrate secrets, or establish a reverse shell.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants an attacker the ability to execute arbitrary commands on the Paperclip server, potentially leading to a full compromise of the deployment environment. Since Paperclip orchestrates multiple agents and repositories, attackers could read environment variables, exfiltrate secrets, modify repositories, access database credentials, execute reverse shells, and establish persistence on the host. The vulnerability allows a malicious agent to escape the orchestration layer and gain complete control over the server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Paperclip Agent Configuration Modification\u003c/code\u003e to detect unauthorized modifications to the agent configuration via the API.\u003c/li\u003e\n\u003cli\u003eApply the suggested minimal patch by implementing a server-side check to reject modifications to \u003ccode\u003eadapterConfig.workspaceStrategy.provisionCommand\u003c/code\u003e when the request is authenticated using an Agent API key, as detailed in the \u0026quot;Minimal Patch Suggestion\u0026quot; section of the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003e/bin/sh -c\u003c/code\u003e with command line arguments that originate from Paperclip agent configurations using the Sigma rule \u003ccode\u003eDetect Paperclip Command Execution via Workspace Provisioning\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpgrade to Paperclip version 2026.416.0 or later to patch the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-paperclip-privesc/","summary":"A privilege escalation vulnerability in Paperclip allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host by injecting commands into the `adapterConfig.workspaceStrategy.provisionCommand` field via the `/agents/:id` API endpoint, leading to remote code execution.","title":"Paperclip Privilege Escalation via Agent API Key","url":"https://feed.craftedsignal.io/briefs/2024-01-paperclip-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed - Paperclip","version":"https://jsonfeed.org/version/1.1"}