
Telerik UI for ASP.NET AJAX RadAsyncUpload Multiple Vulnerabilities


The version of Telerik UI for ASP.NET AJAX installed on the remote Windows host is affected by multiple vulnerabilities in Telerik.Web.UI.dll. An unauthenticated, remote attacker can exploit this, via specially crafted data, to execute arbitrary code.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  # Plugin identity and revision metadata.
  script_id(107096);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  # Advisories this check covers; both CISA KEV dates are recorded.
  script_cve_id("CVE-2017-11317", "CVE-2017-11357");
  script_bugtraq_id(103171, 103173);
  script_xref(name:"IAVA", value:"2018-A-0066-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/02");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/02/16");

  script_name(english:"Telerik UI for ASP.NET AJAX RadAsyncUpload Multiple Vulnerabilities");

  # Report text shown to the user.
  script_set_attribute(attribute:"synopsis", value:
"A web application development suite installed on the remote Windows
host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Telerik UI for ASP.NET AJAX installed on the remote
Windows host is affected by multiple vulnerabilities in
Telerik.Web.UI.dll. An unauthenticated, remote attacker can exploit
this, via specially crafted data, to execute arbitrary code.");
  # Vendor KB articles; the nessus.org short links redirect to the URLs in the comments.
  # https://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/insecure-direct-object-reference
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77b0e65f");
  # https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?49cbdec3");
  # The fixed release; the version check in the body uses the same 2017.2.711 boundary.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Telerik UI for ASP.NET AJAX version R2 2017 SP2
(2017.2.711) or later.");
  # Scoring is taken from CVE-2017-11357 (see cvss_score_source below).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-11357");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Note the patch (2017/08/15) predates public disclosure (2017/08/22); the
  # report text in the body refers to this date when a vendor patch is found.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/08/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/02");

  # Local (authenticated) check: it reads the installed DLL over SMB rather
  # than probing the web application.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:telerik:ui_for_asp.net_ajax");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Requires the install-detection plugin to have populated the KB entry
  # read by get_single_install() below, plus SMB access to fetch the DLL.
  script_dependencies("telerik_ui_for_aspnet_ajax_installed.nbin");
  script_require_keys("installed_sw/Telerik UI for ASP.NET AJAX");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");

# Render a 32-bit value as eight upper-case hex digits, big-endian byte order.
#
# dword : the value to format
# nox   : when set and not FALSE, omit the "0x" prefix; when absent or FALSE,
#         the result is prefixed with "0x"
#
# Returns the formatted string, e.g. 0x0409B0E4 -> "0x0409B0E4".
function display_dword (dword, nox)
{
  local_var prefix, bytes;

  prefix = "0x";
  if (!isnull(nox) && (nox != FALSE))
    prefix = "";

  # Split into four bytes, most significant first, so the hex string reads
  # in the same order as the numeric literal.
  bytes = raw_string(
    (dword >>> 24) & 0xFF,
    (dword >>> 16) & 0xFF,
    (dword >>> 8) & 0xFF,
    dword & 0xFF
  );

  return prefix + toupper(hexstr(bytes));
}

app_name = "Telerik UI for ASP.NET AJAX";
# Set to TRUE below only when the installed Telerik.Web.UI.dll carries the
# vendor patch marker in its file description.
has_a_patch = FALSE;
# Exits on the caller's behalf if the version is unknown, so 'version' is
# always populated past this point.
install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);

version = install['version'];
path = install['path'];
# Full local path of the DLL on the remote host, e.g. "C:\...\Telerik.Web.UI.dll"
# (the share/path split below assumes a drive-letter prefix).
web_ui_dll = install['web_ui_dll'];

# 2017.2.711 and later is patched
if (ver_compare(ver:version, fix:"2017.2.711.0", strict:FALSE) >= 0)
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);

# 2011.1.315 to 2017.2.621 have patches + mitigations available
# Versions below 2011.1.315 skip this block entirely and are reported as
# vulnerable on version alone (no hotfix exists to look for).
if ((ver_compare(ver:version, fix:"2011.1.315.0", strict:FALSE) >= 0) &&
    (ver_compare(ver:version, fix:"2017.2.621.9999", strict:FALSE) <= 0))

{
  # check for "Telerik.Web.UI.Patch" in the File Description

  # Connect to the appropriate share.
  port = kb_smb_transport();
  login = kb_smb_login();
  pass = kb_smb_password();
  domain = kb_smb_domain();

  if (!smb_session_init())
    audit(AUDIT_FN_FAIL, "smb_session_init");

  # Turn "C:\dir\file.dll" into the admin share "C$" and the share-relative
  # path "\dir\file.dll".
  share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:web_ui_dll);
  dll = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:web_ui_dll);

  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1)
  {
    NetUseDel();
    audit(AUDIT_SHARE_FAIL, share);
  }

  # Read-only open; fh is NULL on failure and the description stays unset.
  fh = CreateFile(
    file:dll,
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );

  file_description = NULL;
  if (!isnull(fh))
  {
    # Walk the VERSIONINFO resource: VarFileInfo gives the translation key,
    # which selects the matching StringFileInfo table.
    ret = GetFileVersionEx(handle:fh);
    if (!isnull(ret)) children = ret['Children'];
    if (!isnull(children))
    {
      varfileinfo = children['VarFileInfo'];
      if (!isnull(varfileinfo))
      {
        # Two 16-bit words (presumably language id and code page — confirm
        # against the VERSIONINFO layout) combined into one 8-hex-digit key.
        translation =
          (get_word (blob:varfileinfo['Translation'], pos:0) << 16) +
          get_word (blob:varfileinfo['Translation'], pos:2);
        translation = tolower(display_dword(dword:translation, nox:TRUE));
      }
      stringfileinfo = children['StringFileInfo'];
      if (!isnull(stringfileinfo) && !isnull(translation))
      {
        # The table key may be stored in either case; try lower then upper.
        data = stringfileinfo[translation];
        if (!isnull(data)) file_description = data['FileDescription'];
        else
        {
          data = stringfileinfo[toupper(translation)];
          if (!isnull(data)) file_description = data['FileDescription'];
        }
      }
    }
    CloseFile(handle:fh);
  }
  # Always drop the share mapping, whether or not the file could be opened.
  NetUseDel();

  # Conservative: if the patch state cannot be determined, exit without a
  # finding rather than report on version alone.
  if (empty_or_null(file_description))
    exit(1, "Failed to get the file description of " + web_ui_dll + ".");

  if (file_description == "Telerik.Web.UI.Patch")
    has_a_patch = TRUE;
}

if (has_a_patch)
{
  # if it has *a* patch, we can't be sure that it is the correct patch
  # and we also can't tell if they have applied the mitigations to go
  # with the patch, so if we're paranoid, we add a note to the report
  # (done below) and if we're not paranoid, we audit out
  if (report_paranoia < 2) audit(AUDIT_PARANOID);
}

# Report against the SMB transport port, defaulting to 445 if unset.
port = get_kb_item("SMB/transport");
if (empty_or_null(port))
  port = 445;

report = report_items_str(
  report_items:make_array(
    "Path", path,
    "Installed version", version,
    "Fixed version", "2017.2.711.0 or vendor supplied patch"
  ),
  ordered_fields:make_list("Path", "Installed version", "Fixed version")
);

# Only reached with has_a_patch when report_paranoia >= 2 (see above).
if (has_a_patch)
  report += '\n\n' + "Although a patch has been applied, we aren't able to determine if this is the" +
            '\n' + "correct patch for these vulnerabilities. As per the vendor advisory, you must" +
            '\n' + "ensure that the patch you applied was downloaded after August 15th, 2017. You" +
            '\n' + "must also ensure the appropriate mitigations (disable file uploads or disable" +
            '\n' + "POST requests) have been applied as per the vendor advisory";

security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);