Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneSw33tlieH1:838196
HistoryApr 03, 2020 - 2:48 p.m.

U.S. Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI

2020-04-0314:48:45
sw33tlie
hackerone.com
1804

0.914 High

EPSS

Percentile

98.9%

JSON

Hello,
I found an outdated version of Telerik Web UI (v2016.2.607.40) at the following URL: https://███/Telerik.Web.UI.WebResource.axd?type=rau.
This means that we can achieve full RCE by chaining two different CVEs: CVE-2017-11317, which allows us to upload arbitrary files on the server, and CVE-2019-18935, which is a deserialization vulnerability.

First of all, the only thing that I tried to prove that I had successfully achieved code execution was making the server sleep for 10 seconds.
No data was compromised.

Steps to reproduce

The steps that I followed are thoroughly described in this blog post: <https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui&gt;.
Here’s a quick summary:

  • Download the files in the attachments
  • Make sure you have pycryptodome installed (pip3 install pycryptodome)
  • Run the following command: python3 CVE-2019-18935.py -u https://█████/Telerik.Web.UI.WebResource.axd?type=rau -v 2016.2.607.40 -f 'C:\Windows\Temp' -p sleep_042020163752,45_amd64.dll
  • The sleep_042020160430,40_amd64.dll is supposed to Sleep(10). This will make the server hang for roughly ten seconds, and after that you will get a response like this one: [*] Response time: 12.88 seconds
  • The exploit worked.

Things to note

I had to edit the original exploit code provided in the aforementioned blog post (https://github.com/noperator/CVE-2019-18935) because I noticed that when uploading the .dll file the server added a .tmp at the end of the file name.
That’s why the original code was failing to exploit the deserialization part.
I added + '.tmp' at the end of line 95 and after that it worked just fine.

A DLL file can only work once. This means that to test the vulnerability again a new DLL has to be compiled.
For this reason I provided several DLLs in the attachments so you don’t have to compile them (especially because a windows machine with Visual Studio installed is required).

I didn’t upload a reverse shell because I thought it was not a great idea, but if needed I could do it.

How to fix

Just upgrade Telerik for ASP.NET AJAX to R3 2019 SP1 (v2019.3.1023) or later.

Impact

Full Remote Code Execution on the vulnerable server.

Related

metasploit 1
hackerone 2
packetstorm 1
zdt 2
cvelist 4
attackerkb 3
cve 4
thn 5
prion 4
nvd 4
nessus 4
impervablog 1
githubexploit 6
ics 6
checkpoint_advisories 2
veracode 2
exploitpack 2
cisa_kev 2
threatpost 6
exploitdb 2
rapid7blog 1
kitploit 1
qualysblog 2
oracle 1
metasploit
metasploit
Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization
2020-10-07 17:40:10
hackerone
hackerone
U.S. Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI (CVE-2019-18935)
2021-04-25 09:38:03
U.S. Dept Of Defense: Remote Code Execution via CVE-2019-18935
2020-07-02 08:13:07
packetstorm
packetstorm
Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization
2020-10-20 00:00:00
zdt
zdt
Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization Exploit
2020-10-21 00:00:00
Telerik UI - Remote Code Execution via Insecure Deserialization Exploit
2019-12-18 00:00:00
cvelist
cvelist
CVE-2019-18935
2019-12-11 00:00:00
CVE-2017-11317
2017-08-23 17:00:00
CVE-2021-29281
2022-07-07 19:38:54
attackerkb
attackerkb
CVE-2019-18935
2019-12-11 00:00:00
CVE-2017-11317
2017-08-23 00:00:00
CVE-2021-44029
2021-12-22 00:00:00
cve
cve
CVE-2019-18935
2019-12-11 13:15:11
CVE-2017-11317
2017-08-23 17:29:00
CVE-2021-29281
2022-07-07 21:15:09
thn
thn
Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency
2023-03-16 06:34:00
New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits
2021-08-02 11:11:00
Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin
2023-06-01 14:55:00
prion
prion
Deserialization of untrusted data
2019-12-11 13:15:00
Code injection
2017-08-23 17:29:00
Deserialization of untrusted data
2021-12-22 06:15:00
nvd
nvd
CVE-2019-18935
2019-12-11 13:15:11
CVE-2017-11317
2017-08-23 17:29:00
CVE-2021-29281
2022-07-07 21:15:09
nessus
nessus
Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability
2020-04-24 00:00:00
Telerik UI for ASP.NET AJAX RadAsyncUpload Multiple Vulnerabilities
2020-07-01 00:00:00
Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability
2020-07-01 00:00:00
impervablog
impervablog
Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF
2020-07-06 15:01:00
githubexploit
githubexploit
Exploit for Inadequate Encryption Strength in Telerik Ui For Asp.Net Ajax
2018-01-09 13:53:57
Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax
2020-05-29 07:29:52
Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax
2020-08-26 20:57:11
ics
ics
Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers
2023-06-15 12:00:00
Hitachi ABB Power Grids eSOMS Telerik
2021-03-18 12:00:00
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
2023-10-05 12:00:00
checkpoint_advisories
checkpoint_advisories
Progress Telerik UI Remote Code Execution (CVE-2019-18935)
2020-03-09 00:00:00
Telerik UI Arbitrary File Upload (CVE-2017-11317; CVE-2017-11357)
2020-07-13 00:00:00
veracode
veracode
Unrestricted File Upload
2020-06-25 08:38:28
Remote Code Execution
2020-06-25 09:22:09
exploitpack
exploitpack
Telerik UI - Remote Code Execution via Insecure Deserialization
2019-12-18 00:00:00
Telerik UI for ASP.NET AJAX 2012.3.1308 2017.1.118 - Arbitrary File Upload
2018-01-24 00:00:00
cisa_kev
cisa_kev
Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability
2021-11-03 00:00:00
Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability
2022-04-11 00:00:00
threatpost
threatpost
LoudMiner Cryptominer Uses Linux Image and Virtual Machines
2019-06-20 19:53:23
Blue Mockingbird Monero-Mining Campaign Exploits Web Apps
2020-05-07 21:01:37
BlueKeep 'Mega-Worm' Looms as Fresh PoC Shows Full System Takeover
2019-06-05 14:14:47
exploitdb
exploitdb
Telerik UI - Remote Code Execution via Insecure Deserialization
2019-12-18 00:00:00
Telerik UI for ASP.NET AJAX 2012.3.1308 &lt; 2017.1.118 - Arbitrary File Upload
2018-01-24 00:00:00
rapid7blog
rapid7blog
Metasploit Wrap-Up
2020-10-23 18:56:55
kitploit
kitploit
Heyserial - Programmatically Create Hunting Rules For Deserialization Exploitation With Multiple Keywords, Gadget Chains, Object Types, Encodings, And Rule Types
2022-05-12 21:30:00
qualysblog
qualysblog
NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities
2020-10-22 23:10:29
CISA Alert: Top Routinely Exploited Vulnerabilities
2021-07-29 00:20:27
oracle
oracle
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00

0.914 High

EPSS

Percentile

98.9%

JSON
Related for H1:838196
metasploit1hackerone2packetstorm1zdt2cvelist4attackerkb3cve4thn5prion4nvd4nessus4impervablog1githubexploit6ics6checkpoint_advisories2veracode2exploitpack2cisa_kev2threatpost6exploitdb2rapid7blog1kitploit1qualysblog2oracle1