Kendo ui file upload example
Telerik UI for ASP.NET AJAX is a widely used suite of UI components for web applications. It insecurely deserializes JSON objects in a manner that results in arbitrary remote code execution on the software's underlying host. The Managed Security Services (MSS) team at Bishop Fox has identified and exploited internet-facing instances of Telerik UI affected by this vulnerability for our clients. Since Telerik has just responded to this issue by releasing a security advisory for CVE-2019-18935, we're sharing our knowledge about it here in an effort to raise awareness about the severity of this vulnerability, and to encourage affected users to patch and securely configure this software. Patching instructions are included at the end of this post. All code references in this post are also available in the CVE-2019-18935 GitHub repo.

Thanks to Markus Wulftange of Code White GmbH for initially discovering this insecure deserialization vulnerability and for summarizing his research. Thanks also to Paul Taylor who, after authoring an exploit to break encryption for an unrestricted file upload vulnerability, developed an extended custom payload feature that was instrumental in triggering this deserialization vulnerability.

UPDATE: Caleb presented on this topic at 2020 DerpCon, which you can watch below.

The following sections will walk through two vulnerabilities in RadAsyncUpload, which is a file handler in Telerik UI for ASP.NET AJAX that enables uploading files asynchronously (i.e., without reloading the existing page).

  • CVE-2017-11317 - Unrestricted File Upload via Weak Encryption.
  • CVE-2019-18935 - Remote Code Execution via Insecure Deserialization.

After covering the context of those two CVEs, we'll dive deeper into the insecure deserialization vulnerability to learn if it affects your system, how the exploit works, and how you can patch systems against this vulnerability.

Overview of Vulnerabilities in RadAsyncUpload

RadAsyncUpload has previously been the subject of a number of vulnerabilities, including CVE-2014-2217, which is a path traversal vulnerability in the handler's file upload POST requests that results in unrestricted file upload. (Don't confuse it with CVE-2017-11317, which also yields unrestricted file upload, but through a different vector… more on that shortly.) CVE-2014-2217 is outside of the scope of this post, but it's important that we mention it here, since Telerik responded to this issue by encrypting a particular portion of file upload requests to prevent attackers from tampering with sensitive settings. Specifically, Telerik encrypted the rauPostData POST parameter, which contains a serialized object that holds configuration details about how the file should be handled (e.g., the destination directory on the web server where the file should be uploaded).

If attackers were able to break the encryption protecting the configuration object in rauPostData, they could:

  • Modify the configuration to allow file uploading anywhere they like on the target web server. This issue (CVE-2017-11317) is a well-known vulnerability and has already been reported on.
  • Modify the type of the object in rauPostData, allowing them to control the object's behavior while it's being deserialized. This issue (CVE-2019-18935) is the main subject of this post.

In summary, in order to exploit insecure deserialization (CVE-2019-18935) in this file handler, we must first break the encryption that the handler uses to protect file upload POST requests (CVE-2017-11317).

Unrestricted File Upload via Weak Encryption

Until R2 2017 SP1 (v2017.2.621), RadAsyncUpload's AsyncUploadHandler was configured with a hard-coded key that was used to encrypt form data in file upload requests.