<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Paperclipai - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/paperclipai/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/paperclipai/feed.xml" rel="self" type="application/rss+xml"/><item><title>Paperclip Unauthenticated Remote Code Execution via Import Authorization Bypass</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-paperclip-rce/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-paperclip-rce/</guid><description>An unauthenticated attacker can achieve remote code execution on Paperclip instances by exploiting multiple vulnerabilities, including open signup, self-approval of CLI authentication challenges, and missing authorization checks in the company import endpoint, leading to arbitrary command execution as the server's OS user.</description><content:encoded><![CDATA[<p>Paperclip is vulnerable to an unauthenticated remote code execution (RCE) flaw, affecting instances running in <code>authenticated</code> mode with default configurations. This vulnerability allows attackers to gain full control of the system without requiring any user interaction or credentials. The exploit chain consists of several steps, including creating an account without email verification, generating and approving a CLI authentication token, and exploiting a missing authorization check in the company import endpoint. This allows the attacker to deploy a malicious agent configured with a process adapter, enabling arbitrary command execution as the server's OS user. The vulnerability affects versions prior to 2026.410.0 of the <code>paperclipai</code> and <code>@paperclipai/server</code> npm packages.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Account Creation:</strong> The attacker creates a new account via the <code>/api/auth/sign-up/email</code> endpoint. No invite token or email verification is required.</li>
<li><strong>Sign In:</strong> The attacker signs in with the newly created account via the <code>/api/auth/sign-in/email</code> endpoint, obtaining a session cookie.</li>
<li><strong>CLI Auth Challenge Creation:</strong> The attacker creates a CLI auth challenge via the <code>/api/cli-auth/challenges</code> endpoint. No authentication is needed for this step. The response includes a <code>token</code> and <code>boardApiToken</code>.</li>
<li><strong>CLI Auth Challenge Approval:</strong> The attacker approves the CLI auth challenge via the <code>/api/cli-auth/challenges/&lt;id&gt;/approve</code> endpoint using the session cookie obtained in step 2. The server only verifies that the caller is a board user, not that they are the challenge creator.</li>
<li><strong>Company Import:</strong> The attacker exploits the missing <code>assertInstanceAdmin</code> check in the <code>/api/companies/import</code> endpoint to import a malicious company configuration. This configuration includes an agent with a <code>process</code> adapter that specifies a command to execute.</li>
<li><strong>Agent Trigger:</strong> The attacker triggers the malicious agent via the <code>/api/agents/&lt;agent-id&gt;/wakeup</code> endpoint.</li>
<li><strong>Command Execution:</strong> The <code>process</code> adapter executes the attacker-specified command (e.g., <code>bash -c &quot;id &gt; /tmp/pwned.txt &amp;&amp; ...&quot;</code>), resulting in code execution as the server's OS user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an unauthenticated attacker to execute arbitrary commands as the Paperclip server's OS user. This grants:</p>
<ul>
<li>Full filesystem access (read/write as the server user)</li>
<li>Access to all data in the Paperclip database</li>
<li>Ability to pivot to internal network services</li>
<li>Ability to disrupt all agent operations</li>
</ul>
<p>The attack is fully automated and works against the default deployment configuration, posing a critical risk to affected systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Disable open registration by default:</strong> Modify <code>server/src/config.ts:172</code> to change <code>?? false</code> to <code>?? true</code> and document <code>PAPERCLIP_AUTH_DISABLE_SIGN_UP</code> in the deployment guide.</li>
<li><strong>Prevent CLI auth self-approval:</strong>  Modify <code>server/src/routes/access.ts</code> around line 1700 to reject when the approving user is the same user who created the challenge.</li>
<li><strong>Require email verification:</strong> Modify <code>server/src/auth/better-auth.ts:91</code> to set <code>requireEmailVerification: true</code>.</li>
<li><strong>Add <code>assertInstanceAdmin</code> to the import endpoint for <code>new_company</code> mode:</strong> Modify <code>server/src/routes/companies.ts</code>, lines 161-176, to include the <code>assertInstanceAdmin</code> check for <code>POST /import</code> and <code>POST /import/preview</code> when <code>mode</code> is set to <code>new_company</code>.</li>
<li><strong>Monitor web server logs</strong> for POST requests to <code>/api/companies/import</code> that do not originate from an instance administrator to detect potential exploitation attempts, utilizing the rule below.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>paperclip</category><category>rce</category><category>authentication-bypass</category><category>code-execution</category></item></channel></rss>