News
July 26, 2024

Skipping Authentication: Telerik Report Server’s New Feature?

The Progress Telerik Report Server pre-authenticated Remote Code Execution (RCE) chain combines two vulnerabilities, CVE-2024-4358 (authentication bypass) and CVE-2024-1800 (insecure deserialization), which together allow unauthenticated attackers to execute arbitrary code on affected servers.

Attack Flow

📌Initial Access: The attacker identifies a vulnerable Telerik Report Server instance.

📌Exploitation of CVE-2024-4358: The attacker sends a crafted request to the /Startup/Register endpoint to create a new administrator account.

📌Privilege Escalation: The attacker logs in using the newly created administrator account.

📌Exploitation of CVE-2024-1800: The attacker creates a malicious report that exploits the deserialization vulnerability to execute arbitrary code.

📌Command Execution: The attacker executes arbitrary commands on the server, achieving remote code execution.

Attack Scenario

Target Identification:

📌The attacker identifies a vulnerable instance of the Telerik Report Server, typically by scanning for publicly exposed instances using tools like Shodan.

Authentication Bypass (CVE-2024-4358):

📌The attacker exploits an authentication bypass vulnerability in the Telerik Report Server’s setup wizard. This vulnerability allows the attacker to create a new administrator account without any prior authentication.

📌The specific endpoint exploited is Telerik.ReportServer.Web.dll!Telerik.ReportServer.Web.Controllers.StartupController.Register, which does not verify whether the setup process has already been completed.

📌The attacker sends a crafted HTTP request to the /Startup/Register endpoint to create a new administrator account:

curl 'http://TARGET_HERE/Startup/Register' -d 'Username=USERNAME_HERE&Password=PASSWORD_HERE&ConfirmPassword=PASSWORD_HERE&Email=backdoor%40admin.com&FirstName=backdoor&LastName=user'
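Because the Register action should only ever be reached once, during initial setup, any later request to /Startup/Register is worth flagging. The following detection script is an added example (not from the original post or from Telerik): it parses IIS W3C log lines and returns every hit on that endpoint, optionally only those after the date the setup wizard was completed. The log excerpt and field layout are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed IIS W3C log excerpt (not real traffic). /Startup/Register is the
# endpoint named in the advisory for CVE-2024-4358.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-30 10:15:01 10.0.0.5 GET /Report/Index - 83 - 203.0.113.7 Mozilla/5.0 200
2024-05-30 10:15:09 10.0.0.5 POST /Startup/Register - 83 - 203.0.113.7 curl/8.4.0 302
2024-05-30 10:15:12 10.0.0.5 GET /startup/register/ - 83 - 198.51.100.9 Mozilla/5.0 200
2024-05-30 10:16:40 10.0.0.5 POST /Account/Login - 83 - 203.0.113.7 curl/8.4.0 302
"""

# IIS routing is case-insensitive and tolerates a trailing slash, so match both.
REGISTER_PATH = re.compile(r"^/startup/register/?$", re.IGNORECASE)

def parse_w3c(log_text):
    """Yield one dict per log entry, keyed by the names in the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))

def find_register_hits(log_text, setup_completed_after=None):
    """Return requests to /Startup/Register; when setup_completed_after is given,
    only those after that moment, since none should occur once setup is done."""
    hits = []
    for entry in parse_w3c(log_text):
        if not REGISTER_PATH.match(entry["cs-uri-stem"]):
            continue
        when = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        if setup_completed_after is not None and when <= setup_completed_after:
            continue
        hits.append({"time": when, "method": entry["cs-method"], "client": entry["c-ip"],
                     "status": entry["sc-status"], "user_agent": entry["cs(User-Agent)"]})
    return hits

if __name__ == "__main__":
    for hit in find_register_hits(SAMPLE_LOG):
        print(hit)
```

Point the parser at the real W3C logs of the Report Server site and pass the date your instance finished initial setup; a POST from an unfamiliar client after that date is the signal to investigate and to audit the user list for unexpected administrators.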

Account Creation and Authentication:

📌Upon successful exploitation, the attacker gains high-privileged access to the Telerik Report Server by using the newly created administrator account.

📌The attacker logs in using the credentials of the backdoor account created in the previous step.

Deserialization Exploit (CVE-2024-1800):

📌With administrative access, the attacker leverages a deserialization vulnerability in the Telerik Report Server to execute arbitrary code on the server.

📌The attacker creates a malicious report that triggers the deserialization flaw, allowing them to run arbitrary commands on the server.

📌The PoC script automates this process, including generating random usernames and passwords for the backdoor account and creating a malicious report:

python CVE-2024-4358.py --target http://192.168.253.128:83 -c "whoami"
