<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Paperclip - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/paperclip/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/paperclip/feed.xml" rel="self" type="application/rss+xml"/><item><title>Paperclip Unauthenticated Remote Code Execution via Import Authorization Bypass</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-paperclip-rce/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-paperclip-rce/</guid><description>An unauthenticated attacker can achieve remote code execution on Paperclip instances by exploiting multiple vulnerabilities, including open signup, self-approval of CLI authentication challenges, and missing authorization checks in the company import endpoint, leading to arbitrary command execution as the server's OS user.</description><content:encoded><![CDATA[<p>Paperclip is vulnerable to an unauthenticated remote code execution (RCE) flaw, affecting instances running in <code>authenticated</code> mode with default configurations. This vulnerability allows attackers to gain full control of the system without requiring any user interaction or credentials. The exploit chain consists of several steps, including creating an account without email verification, generating and approving a CLI authentication token, and exploiting a missing authorization check in the company import endpoint. This allows the attacker to deploy a malicious agent configured with a process adapter, enabling arbitrary command execution as the server's OS user. The vulnerability affects versions prior to 2026.410.0 of the <code>paperclipai</code> and <code>@paperclipai/server</code> npm packages.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Account Creation:</strong> The attacker creates a new account via the <code>/api/auth/sign-up/email</code> endpoint. No invite token or email verification is required.</li>
<li><strong>Sign In:</strong> The attacker signs in with the newly created account via the <code>/api/auth/sign-in/email</code> endpoint, obtaining a session cookie.</li>
<li><strong>CLI Auth Challenge Creation:</strong> The attacker creates a CLI auth challenge via the <code>/api/cli-auth/challenges</code> endpoint. No authentication is needed for this step. The response includes a <code>token</code> and <code>boardApiToken</code>.</li>
<li><strong>CLI Auth Challenge Approval:</strong> The attacker approves the CLI auth challenge via the <code>/api/cli-auth/challenges/&lt;id&gt;/approve</code> endpoint using the session cookie obtained in step 2. The server only verifies that the caller is a board user, not that they are the challenge creator.</li>
<li><strong>Company Import:</strong> The attacker exploits the missing <code>assertInstanceAdmin</code> check in the <code>/api/companies/import</code> endpoint to import a malicious company configuration. This configuration includes an agent with a <code>process</code> adapter that specifies a command to execute.</li>
<li><strong>Agent Trigger:</strong> The attacker triggers the malicious agent via the <code>/api/agents/&lt;agent-id&gt;/wakeup</code> endpoint.</li>
<li><strong>Command Execution:</strong> The <code>process</code> adapter executes the attacker-specified command (e.g., <code>bash -c &quot;id &gt; /tmp/pwned.txt &amp;&amp; ...&quot;</code>), resulting in code execution as the server's OS user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an unauthenticated attacker to execute arbitrary commands as the Paperclip server's OS user. This grants:</p>
<ul>
<li>Full filesystem access (read/write as the server user)</li>
<li>Access to all data in the Paperclip database</li>
<li>Ability to pivot to internal network services</li>
<li>Ability to disrupt all agent operations</li>
</ul>
<p>The attack is fully automated and works against the default deployment configuration, posing a critical risk to affected systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Disable open registration by default:</strong> Modify <code>server/src/config.ts:172</code> to change <code>?? false</code> to <code>?? true</code> and document <code>PAPERCLIP_AUTH_DISABLE_SIGN_UP</code> in the deployment guide.</li>
<li><strong>Prevent CLI auth self-approval:</strong>  Modify <code>server/src/routes/access.ts</code> around line 1700 to reject when the approving user is the same user who created the challenge.</li>
<li><strong>Require email verification:</strong> Modify <code>server/src/auth/better-auth.ts:91</code> to set <code>requireEmailVerification: true</code>.</li>
<li><strong>Add <code>assertInstanceAdmin</code> to the import endpoint for <code>new_company</code> mode:</strong> Modify <code>server/src/routes/companies.ts</code>, lines 161-176, to include the <code>assertInstanceAdmin</code> check for <code>POST /import</code> and <code>POST /import/preview</code> when <code>mode</code> is set to <code>new_company</code>.</li>
<li><strong>Monitor web server logs</strong> for POST requests to <code>/api/companies/import</code> that do not originate from an instance administrator to detect potential exploitation attempts, utilizing the rule below.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>paperclip</category><category>rce</category><category>authentication-bypass</category><category>code-execution</category></item><item><title>Paperclip Privilege Escalation via Agent API Key</title><link>https://feed.craftedsignal.io/briefs/2024-01-paperclip-privesc/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-paperclip-privesc/</guid><description>A privilege escalation vulnerability in Paperclip allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host by injecting commands into the `adapterConfig.workspaceStrategy.provisionCommand` field via the `/agents/:id` API endpoint, leading to remote code execution.</description><content:encoded><![CDATA[<p>A privilege escalation vulnerability exists in Paperclip, a workflow automation and orchestration tool. The vulnerability stems from insufficient validation of agent configuration updates. An attacker possessing a valid Agent API key can exploit this flaw to achieve arbitrary OS command execution on the Paperclip server host. Specifically, by sending a PATCH request to the <code>/api/agents/:id</code> endpoint, the attacker can modify the <code>adapterConfig.workspaceStrategy.provisionCommand</code> field, injecting malicious shell commands. When the server subsequently executes the workspace provisioning routine, these injected commands are executed, bypassing the intended trust boundary between agent runtime configuration and server host execution. The vulnerability affects Paperclip versions prior to 2026.416.0. Successful exploitation leads to remote code execution on the server host, potentially allowing attackers to compromise the entire deployment environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker obtains a valid Agent API key through legitimate means or compromise.</li>
<li>The attacker sends a <code>PATCH</code> request to the <code>/api/agents/:id</code> endpoint, targeting a specific agent.</li>
<li>The <code>PATCH</code> request modifies the agent's <code>adapterConfig</code>, specifically injecting a malicious command into the <code>adapterConfig.workspaceStrategy.provisionCommand</code> field. For example: <code>echo PAPERCLIP_RCE &gt; poc_rce.txt</code>.</li>
<li>The attacker triggers workspace provisioning by sending a <code>POST</code> request to the <code>/api/agents/:id/wakeup</code> endpoint.</li>
<li>The Paperclip server executes the workspace provisioning routine, which includes running the command specified in <code>adapterConfig.workspaceStrategy.provisionCommand</code>.</li>
<li>The server executes the injected command using <code>/bin/sh -c</code>, effectively running arbitrary shell commands on the host.</li>
<li>The injected command executes successfully, for example creating a file <code>poc_rce.txt</code> on the server filesystem.</li>
<li>The attacker gains remote code execution on the Paperclip server host, enabling them to read environment variables, exfiltrate secrets, or establish a reverse shell.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability grants an attacker the ability to execute arbitrary commands on the Paperclip server, potentially leading to a full compromise of the deployment environment. Since Paperclip orchestrates multiple agents and repositories, attackers could read environment variables, exfiltrate secrets, modify repositories, access database credentials, execute reverse shells, and establish persistence on the host. The vulnerability allows a malicious agent to escape the orchestration layer and gain complete control over the server.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Paperclip Agent Configuration Modification</code> to detect unauthorized modifications to the agent configuration via the API.</li>
<li>Apply the suggested minimal patch by implementing a server-side check to reject modifications to <code>adapterConfig.workspaceStrategy.provisionCommand</code> when the request is authenticated using an Agent API key, as detailed in the &quot;Minimal Patch Suggestion&quot; section of the advisory.</li>
<li>Monitor process creation events for the execution of <code>/bin/sh -c</code> with command line arguments that originate from Paperclip agent configurations using the Sigma rule <code>Detect Paperclip Command Execution via Workspace Provisioning</code>.</li>
<li>Upgrade to Paperclip version 2026.416.0 or later to patch the vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>privilege-escalation</category><category>remote-code-execution</category><category>paperclip</category></item><item><title>Paperclip AI OS Command Injection via Execution Workspace cleanupCommand</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-paperclip-rce/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-paperclip-rce/</guid><description>A critical OS command injection vulnerability exists in Paperclip AI v2026.403.0 within the execution workspace lifecycle. By injecting arbitrary shell commands into the `cleanupCommand` field via the `PATCH /api/execution-workspaces/:id` endpoint, an attacker can execute these commands on the server when the workspace is archived.</description><content:encoded><![CDATA[<p>Paperclip AI v2026.403.0 is vulnerable to OS command injection. The vulnerability resides in the execution workspace lifecycle, specifically within the <code>workspace-runtime.ts</code> component. By sending a crafted <code>PATCH</code> request to the <code>/api/execution-workspaces/:id</code> endpoint, an attacker can inject arbitrary shell commands into the <code>cleanupCommand</code> field. When the affected workspace is archived the server executes the injected command via <code>child_process.spawn(shell, [&quot;-c&quot;, cleanupCommand])</code>. This vulnerability is exploitable in all deployment modes, including <code>local_trusted</code> (zero authentication) and <code>authenticated</code> (any company user). Successful exploitation allows for remote code execution with the privileges of the Paperclip server process on Linux, macOS, and Windows platforms. Proof of concept demonstrations include arbitrary file write, system information exfiltration, and GUI application launch.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a <code>GET</code> request to <code>/api/companies</code> to obtain a company ID.</li>
<li>The attacker sends a <code>GET</code> request to <code>/api/companies/{company_id}/execution-workspaces</code> to enumerate execution workspaces and retrieve a workspace ID.</li>
<li>If the workspace is not in an <code>active</code> state, the attacker sends a <code>PATCH</code> request to <code>/api/execution-workspaces/{workspace_id}</code> with the body <code>{&quot;status&quot;: &quot;active&quot;}</code> to reactivate it.</li>
<li>The attacker crafts a <code>PATCH</code> request to <code>/api/execution-workspaces/{workspace_id}</code> with a JSON body containing a malicious <code>cleanupCommand</code> within the <code>config</code> object, such as <code>{&quot;config&quot;: {&quot;cleanupCommand&quot;: &quot;echo RCE_PROOF &gt; \\&quot;/tmp/rce-proof.txt\\&quot;&quot;}}</code>.</li>
<li>The server stores the injected <code>cleanupCommand</code> in the workspace configuration.</li>
<li>The attacker triggers the command injection by sending a <code>PATCH</code> request to <code>/api/execution-workspaces/{workspace_id}</code> to archive the workspace, setting <code>&quot;status&quot;: &quot;archived&quot;</code>.</li>
<li>The server executes the injected command using <code>child_process.spawn(shell, [&quot;-c&quot;, cleanupCommand])</code>.</li>
<li>The attacker achieves remote code execution on the server, potentially leading to data exfiltration, lateral movement, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the Paperclip server with the privileges of the server process. This can lead to a range of severe impacts, including remote code execution, data exfiltration of sensitive information (e.g., system info, environment variables, source code), lateral movement within the network, and potential supply chain attacks by injecting backdoors into managed repositories. In <code>local_trusted</code> mode, this requires zero authentication, making it easily exploitable by malicious local processes or web pages.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply input validation to the <code>cleanupCommand</code> and <code>teardownCommand</code> fields in the PATCH handler to prevent the injection of malicious commands.</li>
<li>Implement command allowlisting, permitting only a predefined set of safe commands for workspace cleanup.</li>
<li>Replace <code>spawn(shell, [&quot;-c&quot;, command])</code> with <code>execFile()</code> using an argument array to mitigate shell metacharacter injection.</li>
<li>Implement proper authorization checks BEFORE processing the PATCH request to validate user permissions.</li>
<li>Deploy the Sigma rule <code>DetectPaperclipCleanupCommandInjection</code> to identify attempts to exploit this vulnerability via the PATCH request to <code>/api/execution-workspaces/:id</code>.</li>
<li>Run cleanup commands in a sandboxed environment to minimize the impact of potential exploits.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>command-injection</category><category>rce</category><category>paperclip</category><category>vulnerability</category></item></channel></rss>