Popular web application UI suite is subject to a deserialization security flaw – but attackers must already possess encryption keys

Telerik UI for ASP.NET AJAX contained a severe security vulnerability that if exploited exposed users to remote code execution (RCE) attacks.

The UI component toolkit is designed for ASP.NET AJAX web, mobile, and desktop applications.

A serious bug in version 2019.3.1023 of the software, tracked as CVE-2019-18935, was recently reported by Markus Wulftange of Code White, in which a .NET deserialization issue in the RadAsyncUpload function could be exploited for malicious purposes.

Caleb Gross, lead for the Bishop Fox Continuous Attack Surface Testing (CAST) Managed Security Service said in an advisory posted December 12 that the vulnerability was caused by a failure to properly deserialize JSON objects.

The Telerik UI file handler, RadAsyncUpload, has been subject to vulnerabilities in the past including CVE-2017-11317 – a weakness in the function’s encryption standards that permitted both the execution of arbitrary code and file uploads.

CVE-2014-2217, a path traversal bug exploitable for the upload of malicious files, also had an impact on the file handler previously.

When linked together in an attack chain, the security researcher says CVE-2017-11317 and CVE-2019-18935 can be used to execute arbitrary code remotely.

Check out the latest RCE vulnerability news from The Daily Swig

While CVE-2014-2217 is not strictly part of the attack chain, in order to resolve the security issue, Telerik encrypted part of file upload requests – the rauPostData POST parameter – which Gross says contains “a serialized object that holds configuration details about how the file should be handled”.

CVE-2017-11317 then appeared as this encryption was generated with a hard-coded key and attackers could tamper with the protective measure by changing default values.

Breaking this encryption is a prerequisite to triggering CVE-2019-18935 – Paul Taylor has developed exploit code for the deserialization vulnerability.

Telerik UI for ASP.NET AJAX versions susceptible to exploit must have the file handler registered, and a simple mixed mode DLL can then be loaded to cause the software to sleep and ascertain its vulnerable status.

A malicious Python script based on Taylor’s work can subequently be used to craft an encrypted rauPostData POST parameter to exploit the security flaw.

This would provide access to the software’s file upload mechanisms and object deserialization, while making sure each upload is given a unique name to prevent upload failures.

It is also possible to trigger the vulnerability through a DLL, which spawns a reverse shell to connect back to an attacker-controlled server.

Telerik has released a security advisory detailing the patch process and recommended security settings. Users should upgrade to Telerik for ASP.NET AJAX R3 2019 SP1 (v2019.3.1023) or later.

“In recent years, insecure deserialization has emerged as an effective attack vector for executing arbitrary code in object-oriented programming frameworks,” Gross said.

“It’s important that vendors and users employ timely communication to combat the risk posed by vulnerable software.”

YOU MIGHT ALSO LIKE Safer-Eval branded ‘harmful’ with no patch planned