Add exploit for Telerik UI ASP.NET AJAX RadAsyncUpload (RAU) Deserialization #14229
Conversation
Looks good, just a few things.
documentation/modules/exploit/windows/http/telerik_rau_deserialization.md
Testing
Note that:
- Deployed in IIS: 🚀
- Deployed in Visual Studio: a pivot was necessary to reach the ASP.NET Development Server.

Release Notes
New module
This adds an exploit for Telerik UI ASP.NET AJAX RadAsyncUpload (RAU) Deserialization which will upload and execute a payload file. For this exploit to work, it is necessary for the attacker to know the crypto keys and the target version. The default values of the crypto keys were disclosed in CVE-2017-11317 which this module checks for and reports. The target version can be enumerated if the crypto keys are correctly set, that is to say they are either the default values from CVE-2017-11317 or the attacker knows them through some means. With the ability to upload a file, an attacker can have it loaded by leveraging a JSON .NET deserialization flaw. Starting in version 2019.3.1023 the serialization types can be allow-listed through an opt-in feature, while starting in version 2020.1.114 the allow-list feature is enabled by default. In either case, the allow-list can be explicitly configured with the setting necessary for exploitation by this module for testing purposes. See the "Configuring Telerik UI ASP.NET AJAX" section of the module docs for more information.
Mixed Mode Assembly
To exploit the deserialization flaw, it's necessary to upload a DLL that can then be loaded. This DLL must be a Mixed Mode Assembly. I opted to create new templates for this located at data/templates/template_x##_windows_mixed_mode.dll. These new templates use the existing source code of the standard DLL template, and are compiled using Visual Studio 2019 Pro with the included batch script. This makes Mixed Mode Assembly DLLs that can be used for this exploit that are also compatible with Metasploit's existing DLL generation routine. There's a README file in the new source code directory with some additional information.

Verification
I tested this with Telerik UI ASP.NET AJAX version 2020.3.915 (the latest).
Testing Installation Steps
1. Modify the web.config file to configure it to be vulnerable; these details are in the "Configuring Telerik UI ASP.NET AJAX" section of the module docs.
2. Modify the applicationhost.config file to expose the HTTP server on a hostname so Metasploit can reach it from a different machine: under sites > site > bindings > binding, change "bindingInformation" from ####:localhost to 8080:HOSTNAME, where HOSTNAME is the hostname of your machine (don't forget to set the VHOST option in Metasploit).
3. Open the TelerikUI_for_AspNetAjax_Demos_VS2017.sln project file located in C:\Program Files (x86)\Progress\Telerik UI for ASP.NET AJAX R3 2020\Live Demos.
4. In Metasploit, run use exploit/windows/http/telerik_rau_deserialization.
5. Set the RHOSTS and PAYLOAD options.
6. Set the VHOST, RPORT and SSL options as appropriate.
7. Set the VERSION option if it is known.

Example Output
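The description above says the module's first gate is whether the target still uses the RadAsyncUpload crypto keys whose default values were disclosed in CVE-2017-11317. The script below is an added example (not code from this pull request or from the Metasploit module) that a defender can run over a web.config to answer the same question before an attacker does. It assumes the two appSettings names read by RadAsyncUpload and their published default values as given in the advisory for CVE-2017-11317; the sample web.config strings are constructed for the example and are not taken from a real deployment.

```python
"""Audit a Telerik UI for ASP.NET AJAX web.config for the CVE-2017-11317
default RadAsyncUpload crypto keys.  Added example, not part of the PR."""
import xml.etree.ElementTree as ET

# appSettings names read by RadAsyncUpload, mapped to the default values
# disclosed in CVE-2017-11317 (assumed from the public advisory, not from
# this PR page).  A deployment that keeps these values lets the module
# enumerate the version and upload a file.
DEFAULT_RAU_KEYS = {
    "Telerik.AsyncUpload.ConfigurationEncryptionKey":
        "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration",
    "Telerik.Upload.ConfigurationHashKey":
        "PrivateKeyForHashOfUploadConfiguration",
}

# Constructed sample: a test bench configured exactly as the module expects.
VULNERABLE_WEB_CONFIG = """
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey"
         value="PrivateKeyForEncryptionOfRadAsyncUploadConfiguration" />
    <add key="Telerik.Upload.ConfigurationHashKey"
         value="PrivateKeyForHashOfUploadConfiguration" />
  </appSettings>
</configuration>
"""

# Constructed sample: keys replaced with site-specific random values.
HARDENED_WEB_CONFIG = """
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey"
         value="3f1b9c2e7a4d5e6f8091a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3" />
    <add key="Telerik.Upload.ConfigurationHashKey"
         value="9a8b7c6d5e4f30211f2e3d4c5b6a79880f1e2d3c4b5a69788796a5b4c3d2e1f0" />
  </appSettings>
</configuration>
"""

# Constructed sample: keys never set at all.
UNSET_WEB_CONFIG = "<configuration><appSettings/></configuration>"


def app_settings(web_config_xml):
    """Return every <appSettings><add key=.. value=..> pair as a dict.

    Uses a descendant search so keys nested under <location> are found too.
    """
    root = ET.fromstring(web_config_xml.strip())
    return {
        add.get("key"): add.get("value", "")
        for add in root.iterfind(".//appSettings/add")
        if add.get("key") is not None
    }


def audit_rau_keys(web_config_xml):
    """Classify each RAU key as 'default', 'missing' or 'custom'."""
    settings = app_settings(web_config_xml)
    findings = {}
    for name, default_value in DEFAULT_RAU_KEYS.items():
        if name not in settings:
            findings[name] = "missing"
        elif settings[name] == default_value:
            findings[name] = "default"
        else:
            findings[name] = "custom"
    return findings


def uses_default_keys(web_config_xml):
    """True when any RAU key still holds its CVE-2017-11317 default value,
    i.e. the condition the module's check reports."""
    return any(v == "default" for v in audit_rau_keys(web_config_xml).values())


def needs_review(web_config_xml):
    """True when a key is default or not set.  Which fallback an unset key
    gets depends on the installed Telerik version, so treat it as a finding
    rather than assuming it is safe."""
    return any(v != "custom" for v in audit_rau_keys(web_config_xml).values())


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_WEB_CONFIG),
                       ("hardened", HARDENED_WEB_CONFIG),
                       ("unset", UNSET_WEB_CONFIG)):
        print(label, audit_rau_keys(cfg),
              "default keys:", uses_default_keys(cfg),
              "review:", needs_review(cfg))
```

Run it against the real web.config of the application under test rather than the samples; a "custom" result for both keys does not by itself mean the deserialization path is closed, since the description notes the allow-list feature only became default in 2020.1.114 and can be configured permissively, so the Telerik version and the allow-list settings still need to be checked separately.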