{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/paperclipai/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Paperclip","paperclipai","@paperclipai/server"],"_cs_severities":["critical"],"_cs_tags":["paperclip","rce","authentication-bypass","code-execution"],"_cs_type":"advisory","_cs_vendors":["Paperclip"],"content_html":"\u003cp\u003ePaperclip is vulnerable to an unauthenticated remote code execution (RCE) flaw, affecting instances running in \u003ccode\u003eauthenticated\u003c/code\u003e mode with default configurations. This vulnerability allows attackers to gain full control of the system without requiring any user interaction or credentials. The exploit chain consists of several steps, including creating an account without email verification, generating and approving a CLI authentication token, and exploiting a missing authorization check in the company import endpoint. This allows the attacker to deploy a malicious agent configured with a process adapter, enabling arbitrary command execution as the server's OS user. The vulnerability affects versions prior to 2026.410.0 of the \u003ccode\u003epaperclipai\u003c/code\u003e and \u003ccode\u003e@paperclipai/server\u003c/code\u003e npm packages.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Creation:\u003c/strong\u003e The attacker creates a new account via the \u003ccode\u003e/api/auth/sign-up/email\u003c/code\u003e endpoint. No invite token or email verification is required.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSign In:\u003c/strong\u003e The attacker signs in with the newly created account via the \u003ccode\u003e/api/auth/sign-in/email\u003c/code\u003e endpoint, obtaining a session cookie.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCLI Auth Challenge Creation:\u003c/strong\u003e The attacker creates a CLI auth challenge via the \u003ccode\u003e/api/cli-auth/challenges\u003c/code\u003e endpoint. No authentication is needed for this step. The response includes a \u003ccode\u003etoken\u003c/code\u003e and \u003ccode\u003eboardApiToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCLI Auth Challenge Approval:\u003c/strong\u003e The attacker approves the CLI auth challenge via the \u003ccode\u003e/api/cli-auth/challenges/\u0026lt;id\u0026gt;/approve\u003c/code\u003e endpoint using the session cookie obtained in step 2. The server only verifies that the caller is a board user, not that they are the challenge creator.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompany Import:\u003c/strong\u003e The attacker exploits the missing \u003ccode\u003eassertInstanceAdmin\u003c/code\u003e check in the \u003ccode\u003e/api/companies/import\u003c/code\u003e endpoint to import a malicious company configuration. This configuration includes an agent with a \u003ccode\u003eprocess\u003c/code\u003e adapter that specifies a command to execute.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Trigger:\u003c/strong\u003e The attacker triggers the malicious agent via the \u003ccode\u003e/api/agents/\u0026lt;agent-id\u0026gt;/wakeup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution:\u003c/strong\u003e The \u003ccode\u003eprocess\u003c/code\u003e adapter executes the attacker-specified command (e.g., \u003ccode\u003ebash -c \u0026quot;id \u0026gt; /tmp/pwned.txt \u0026amp;\u0026amp; ...\u0026quot;\u003c/code\u003e), resulting in code execution as the server's OS user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to execute arbitrary commands as the Paperclip server's OS user. This grants:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eFull filesystem access (read/write as the server user)\u003c/li\u003e\n\u003cli\u003eAccess to all data in the Paperclip database\u003c/li\u003e\n\u003cli\u003eAbility to pivot to internal network services\u003c/li\u003e\n\u003cli\u003eAbility to disrupt all agent operations\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe attack is fully automated and works against the default deployment configuration, posing a critical risk to affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eDisable open registration by default:\u003c/strong\u003e Modify \u003ccode\u003eserver/src/config.ts:172\u003c/code\u003e to change \u003ccode\u003e?? false\u003c/code\u003e to \u003ccode\u003e?? true\u003c/code\u003e and document \u003ccode\u003ePAPERCLIP_AUTH_DISABLE_SIGN_UP\u003c/code\u003e in the deployment guide.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrevent CLI auth self-approval:\u003c/strong\u003e  Modify \u003ccode\u003eserver/src/routes/access.ts\u003c/code\u003e around line 1700 to reject when the approving user is the same user who created the challenge.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequire email verification:\u003c/strong\u003e Modify \u003ccode\u003eserver/src/auth/better-auth.ts:91\u003c/code\u003e to set \u003ccode\u003erequireEmailVerification: true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdd \u003ccode\u003eassertInstanceAdmin\u003c/code\u003e to the import endpoint for \u003ccode\u003enew_company\u003c/code\u003e mode:\u003c/strong\u003e Modify \u003ccode\u003eserver/src/routes/companies.ts\u003c/code\u003e, lines 161-176, to include the \u003ccode\u003eassertInstanceAdmin\u003c/code\u003e check for \u003ccode\u003ePOST /import\u003c/code\u003e and \u003ccode\u003ePOST /import/preview\u003c/code\u003e when \u003ccode\u003emode\u003c/code\u003e is set to \u003ccode\u003enew_company\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor web server logs\u003c/strong\u003e for POST requests to \u003ccode\u003e/api/companies/import\u003c/code\u003e that do not originate from an instance administrator to detect potential exploitation attempts, utilizing the rule below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-paperclip-rce/","summary":"An unauthenticated attacker can achieve remote code execution on Paperclip instances by exploiting multiple vulnerabilities, including open signup, self-approval of CLI authentication challenges, and missing authorization checks in the company import endpoint, leading to arbitrary command execution as the server's OS user.","title":"Paperclip Unauthenticated Remote Code Execution via Import Authorization Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-09-paperclip-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Paperclipai","version":"https://jsonfeed.org/version/1.1"}