One Article Review

Home - The article:
Source: Code White (codewhitesec)
Identifier 1019951
Publication date 2019-02-07 11:04:37 (viewed: 2019-02-09 15:00:27)
Title Telerik Revisited
Text In 2017, several vulnerabilities were discovered in Telerik UI, a popular UI component library for .NET web applications. Although details and working exploits are public, it often proves to be a good idea to take a closer look, because sometimes it allows you to explore new avenues of exploitation.

Introduction

Telerik UI for ASP.NET is a popular UI component library for ASP.NET web applications. In 2017, several vulnerabilities were discovered, potentially resulting in remote code execution:

CVE-2017-9248: Cryptographic Weakness. A cryptographic weakness allows the disclosure of the encryption key (Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey) used to protect the DialogParameters via an oracle attack. It can be exploited to forge a functional file manager dialog and upload arbitrary files and/or, in the case of the MachineKey, compromise the ASP.NET ViewState.

CVE-2017-11317: Hard-coded default key. A hard-coded default key is used to encrypt/decrypt the AsyncUploadConfiguration, which holds the path where uploaded files are stored temporarily. It can be exploited to upload files to arbitrary locations.

CVE-2017-11357: Insecure Direct Object Reference. The name of the file stored in the location specified in AsyncUploadConfiguration is taken from the request and thus allows the upload of files with an arbitrary extension.

The vulnerabilities were fixed in R2 2017 SP1 (2017.2.621) and R2 2017 SP2 (2017.2.711), respectively. As for CVE-2017-9248, there is an analysis by PatchAdvisor[1] that gives some insights and exploitation hints. And regarding CVE-2017-11317, the detailed writeup by @straight_blast seems to have been published even half a year before Telerik published an updated version. It describes in detail how the vulnerability was discovered and how it can be exploited to upload an arbitrary file to an arbitrary location.

If you're unfamiliar with these vulnerabilities, you may want to read the linked advisories first to get a better understanding.

The Catch

Although the vulnerabilities sound promising, they all have their catch: exploiting CVE-2017-9248 requires many thousands of requests, which can be pretty noticeable and suspicious. And unless it is actually possible to leak the MachineKey (which would allow exploitation via deserialization of an arbitrary ObjectStateFormatter stream), a file upload to an arbitrary location (i.e., CVE-2017-11317) is still limited by the knowledge of an appropriate location with sufficient write permissions. The problem here is that by default the account that the IIS worker process w3wp.exe runs with is a special account like IIS AppPool\DefaultAppPool. And such an account usually does not have write permissions to the web document root directory like C:\inetpub\wwwroot or similar. Additionally, the web document root of the web application can also be somewhere else and may not be known. So simply writing an ASP.NET web shell probably won't work in many cases.

The Dead End

This was exactly the case when we faced Managed Workplace RMM by Avast Business in a red team assessment where we didn't want to make too much noise. Additionally, unauthenticated access to all *.aspx pages except for Login.aspx was denied, i.e., the handler Telerik.Web.UI.DialogHandler.aspx for explo
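Two defender-side checks that follow from the excerpt above, written as an added example (this is not Code White's code and not part of the original article): a version classifier against the two 2017 service packs the text names, and a simple detection over IIS W3C log lines that flags the kind of high-volume request pattern the article says an oracle attack on CVE-2017-9248 would produce against Telerik.Web.UI.DialogHandler.aspx. The IIS field layout, the sample log lines and the request threshold are constructed assumptions for this example.

```python
"""Defender-side checks for the 2017 Telerik UI issues (added example, not the article's code)."""
from collections import Counter
from typing import Iterable, List, Tuple

# Fix versions named in the article: R2 2017 SP1 and R2 2017 SP2.
FIX_SP1 = (2017, 2, 621)
FIX_SP2 = (2017, 2, 711)

# Handler named in the article as the entry point for the dialog parameters.
DIALOG_HANDLER = "Telerik.Web.UI.DialogHandler.aspx"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Telerik.Web.UI assembly version like '2017.2.621' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unexpected Telerik version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def fix_status(version: str) -> str:
    """Classify an installed version against the two service packs.

    'unpatched' -> older than SP1, none of the three fixes present
    'partial'   -> SP1 but not SP2, so at least one fix is still missing
    'fixed'     -> SP2 or later
    """
    v = parse_version(version)
    if v < FIX_SP1:
        return "unpatched"
    if v < FIX_SP2:
        return "partial"
    return "fixed"


def dialog_handler_hits(log_lines: Iterable[str]) -> Counter:
    """Count requests to the DialogHandler per client IP from IIS W3C log lines.

    Assumed field layout (constructed for this example, matching a common
    IIS W3C default): date time s-ip cs-method cs-uri-stem cs-uri-query
    s-port cs-username c-ip cs(User-Agent) sc-status
    """
    hits: Counter = Counter()
    for line in log_lines:
        if line.startswith("#") or not line.strip():
            continue  # skip W3C directive lines and blanks
        fields = line.split()
        if len(fields) < 9:
            continue  # malformed line, not worth a crash in a detection path
        uri_stem, client_ip = fields[4], fields[8]
        if uri_stem.lower().endswith(DIALOG_HANDLER.lower()):
            hits[client_ip] += 1
    return hits


def suspicious_clients(log_lines: Iterable[str], threshold: int = 500) -> List[Tuple[str, int]]:
    """Return (client IP, hit count) pairs at or above the threshold, busiest first.

    The threshold is an assumption for this example; the article only says the
    key-recovery oracle needs "many thousands of requests", so any real value
    should sit well above the legitimate dialog traffic of the application.
    """
    hits = dialog_handler_hits(log_lines)
    flagged = [(ip, n) for ip, n in hits.items() if n >= threshold]
    return sorted(flagged, key=lambda t: -t[1])


# Constructed sample log: three legitimate DialogHandler hits from 10.0.0.5 and
# a burst of 600 from 203.0.113.9 (documentation addresses, not real hosts).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
]
SAMPLE_LOG += [
    "2019-02-07 11:00:%02d 192.0.2.10 GET /Login.aspx - 443 - 10.0.0.5 Mozilla/5.0 200" % i
    for i in range(3)
]
SAMPLE_LOG += [
    "2019-02-07 11:01:00 192.0.2.10 GET /Telerik.Web.UI.DialogHandler.aspx - 443 - 10.0.0.5 Mozilla/5.0 200"
] * 3
SAMPLE_LOG += [
    "2019-02-07 11:02:00 192.0.2.10 GET /Telerik.Web.UI.DialogHandler.aspx - 443 - 203.0.113.9 python-requests/2.21 200"
] * 600

if __name__ == "__main__":
    for ver in ("2017.1.118", "2017.2.621", "2017.2.711", "2018.1.117"):
        print(ver, fix_status(ver))
    print(suspicious_clients(SAMPLE_LOG))
```

The version check is deliberately coarse: the article gives two fix levels, so a build between them is reported as "partial" rather than mapped to individual CVEs. The log check keys on request volume per client because that is the property the article singles out as noticeable; pairing it with a status-code or timing feature would reduce false positives on applications that legitimately use the file manager dialog heavily.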
Sent: Yes
Tags Vulnerability


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.