Overkill Security

Skipping Authentication: Telerik Report Server's New Feature?

The Progress Telerik Report Server pre-authenticated Remote Code Execution (RCE) chain combines two vulnerabilities, CVE-2024-4358 and CVE-2024-1800, and allows an unauthenticated attacker to execute arbitrary code on affected servers.
Attack Flow
📌Initial Access: The attacker identifies a vulnerable Telerik Report Server instance.
📌Exploitation of CVE-2024-4358: The attacker sends a crafted request to the /Startup/Register endpoint to create a new administrator account.
📌Privilege Escalation: The attacker logs in using the newly created administrator account.
📌Exploitation of CVE-2024-1800: The attacker creates a malicious report that exploits the deserialization vulnerability to execute arbitrary code.
📌Command Execution: The attacker executes arbitrary commands on the server, achieving remote code execution.
Attack Scenario
Target Identification:
📌The attacker identifies a vulnerable instance of the Telerik Report Server, typically by scanning for publicly exposed instances using tools like Shodan.
Authentication Bypass (CVE-2024-4358):
📌The attacker exploits an authentication bypass vulnerability in the Telerik Report Server's setup wizard. This vulnerability allows the attacker to create a new administrator account without any prior authentication.
📌The specific endpoint exploited is Telerik.ReportServer.Web.dll!Telerik.ReportServer.Web.Controllers.StartupController.Register, which does not verify if the setup process has already been completed.
📌The attacker sends a crafted HTTP request to the /Startup/Register endpoint to create a new administrator account:
curl 'http://TARGET_HERE/Startup/Register' -d 'Username=USERNAME_HERE&Password=PASSWORD_HERE&ConfirmPassword=PASSWORD_HERE&Email=backdoor%40admin.com&FirstName=backdoor&LastName=user'
Account Creation and Authentication:
📌Upon successful exploitation, the attacker gains high-privileged access to the Telerik Report Server by using the newly created administrator account.
📌The attacker logs in using the credentials of the backdoor account created in the previous step.
Deserialization Exploit (CVE-2024-1800):
📌With administrative access, the attacker leverages a deserialization vulnerability in the Telerik Report Server to execute arbitrary code on the server.
📌The attacker creates a malicious report that triggers the deserialization flaw, allowing them to run arbitrary commands on the server.
📌The PoC script automates this process, including generating random usernames and passwords for the backdoor account and creating a malicious report:
python CVE-2024-4358.py --target http://192.168.253.128:83 -c "whoami"
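From the defender's side, the two steps above leave a clear trace: on a server whose setup wizard has already been completed, no request should ever reach /Startup/Register, and a successful POST there followed shortly by a login and report creation from the same client is the shape of the full chain. The following is an added detection example, not code from the original post or from the PoC script; it assumes IIS W3C extended logs (the format the Report Server's IIS host typically writes) and treats the /Login and report-creation paths in the constructed sample as placeholders rather than verified Telerik routes.

```python
"""Detection helper for the setup-wizard abuse described above.

Assumptions (not from the original post): requests are logged in IIS W3C
extended format, and setup has already been completed, so any request to
/Startup/Register is unexpected.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List

# Constructed sample log, not real traffic. IIS writes '+' for spaces in the
# User-Agent, so every field is a single token. Paths other than
# /Startup/Register are placeholders, not verified Telerik routes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-06-01 10:00:01 10.0.0.5 GET /Report/Index - 83 10.0.0.20 Mozilla/5.0+(Windows) 200
2024-06-01 10:00:07 10.0.0.5 POST /Startup/Register - 83 203.0.113.7 curl/8.4.0 200
2024-06-01 10:00:09 10.0.0.5 POST /Login - 83 203.0.113.7 python-requests/2.31 200
2024-06-01 10:00:15 10.0.0.5 POST /api/reportserver/reports - 83 203.0.113.7 python-requests/2.31 201
2024-06-01 10:01:00 10.0.0.5 GET /startup/register - 83 198.51.100.9 Mozilla/5.0+(Windows) 302
2024-06-01 11:30:00 10.0.0.5 GET /Report/Index - 83 203.0.113.7 Mozilla/5.0+(Windows) 200
"""

SETUP_ENDPOINT = "/startup/register"   # compared case-insensitively
FOLLOW_ON_WINDOW = timedelta(minutes=10)


@dataclass
class Hit:
    when: datetime
    client_ip: str
    method: str
    status: int
    user_agent: str
    severity: str          # "high" for an accepted POST, "info" otherwise
    follow_on: List[str]   # later requests from the same client inside the window


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def _timestamp(rec: Dict[str, str]) -> datetime:
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def find_setup_endpoint_hits(lines: Iterable[str]) -> List[Hit]:
    """Flag every request to the setup endpoint and attach the client's follow-on activity."""
    records = list(parse_w3c(lines))
    hits: List[Hit] = []
    for rec in records:
        if rec["cs-uri-stem"].lower() != SETUP_ENDPOINT:
            continue
        when = _timestamp(rec)
        status = int(rec["sc-status"])
        # An accepted POST is the signature of an account actually being created;
        # a probe, redirect or error is lower priority but still worth review.
        severity = "high" if rec["cs-method"] == "POST" and 200 <= status < 300 else "info"
        follow_on = [
            f'{r["cs-method"]} {r["cs-uri-stem"]} {r["sc-status"]}'
            for r in records
            if r["c-ip"] == rec["c-ip"]
            and when < _timestamp(r) <= when + FOLLOW_ON_WINDOW
        ]
        hits.append(Hit(when, rec["c-ip"], rec["cs-method"], status,
                        rec["cs(User-Agent)"], severity, follow_on))
    return hits


if __name__ == "__main__":
    for h in find_setup_endpoint_hits(SAMPLE_LOG.splitlines()):
        print(f"[{h.severity}] {h.when} {h.client_ip} {h.method} -> {h.status} ({h.user_agent})")
        for f in h.follow_on:
            print("    follow-on:", f)
```

Run against the constructed sample, the script reports the accepted POST from 203.0.113.7 as high severity with its login and report-creation requests attached, and the later GET from a second client as an informational probe. The same logic applies to a real log export once the field list in the #Fields header matches; the patched Report Server versions close the endpoint after setup, so on a patched host the rule should stay silent.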
