Skipping Authentication: Telerik Report Server’s New Feature?

The ‎Progress‏ ‎Telerik ‎Report ‎Server ‎pre-authenticated ‎Remote‏ ‎Code ‎Execution‏ ‎(RCE)‏ ‎chain, ‎identified ‎as‏ ‎CVE-2024-4358 and ‎CVE-2024-1800, involves‏ ‎a ‎critical ‎vulnerability ‎that‏ ‎allows‏ ‎unauthenticated ‎attackers‏ ‎to ‎execute‏ ‎arbitrary ‎code ‎on ‎affected ‎servers.

Attack‏ ‎Flow

📌Initial‏ ‎Access: The ‎attacker‏ ‎identifies ‎a‏ ‎vulnerable ‎Telerik ‎Report ‎Server ‎instance.

📌Exploitation‏ ‎of‏ ‎CVE-2024-4358: The‏ ‎attacker ‎sends‏ ‎a ‎crafted‏ ‎request ‎to‏ ‎the‏ ‎/Startup/Register ‎endpoint‏ ‎to ‎create ‎a ‎new ‎administrator‏ ‎account.

📌Privilege ‎Escalation:‏ ‎The‏ ‎attacker ‎logs ‎in‏ ‎using ‎the‏ ‎newly ‎created ‎administrator ‎account.

📌Exploitation‏ ‎of‏ ‎CVE-2024-1800: The ‎attacker‏ ‎creates ‎a‏ ‎malicious ‎report ‎that ‎exploits ‎the‏ ‎deserialization‏ ‎vulnerability ‎to‏ ‎execute ‎arbitrary‏ ‎code.

📌Command ‎Execution: ‎The ‎attacker ‎executes‏ ‎arbitrary‏ ‎commands‏ ‎on ‎the‏ ‎server, ‎achieving‏ ‎remote ‎code‏ ‎execution.

Attack‏ ‎Scenario

Target ‎Identification:

📌The‏ ‎attacker ‎identifies ‎a ‎vulnerable ‎instance‏ ‎of ‎the‏ ‎Telerik‏ ‎Report ‎Server, ‎typically‏ ‎by ‎scanning‏ ‎for ‎publicly ‎exposed ‎instances‏ ‎using‏ ‎tools ‎like‏ ‎Shodan.

Authentication ‎Bypass‏ ‎(CVE-2024-4358):

📌The ‎attacker ‎exploits ‎an ‎authentication‏ ‎bypass‏ ‎vulnerability ‎in‏ ‎the ‎Telerik‏ ‎Report ‎Server’s ‎setup ‎wizard. ‎This‏ ‎vulnerability‏ ‎allows‏ ‎the ‎attacker‏ ‎to ‎create‏ ‎a ‎new‏ ‎administrator‏ ‎account ‎without‏ ‎any ‎prior ‎authentication.

📌The ‎specific ‎endpoint‏ ‎exploited ‎is‏ ‎Telerik.ReportServer.Web.dll!‏ ‎Telerik.ReportServer.Web.Controllers.StartupController.Register, ‎which ‎does‏ ‎not ‎verify‏ ‎if ‎the ‎setup ‎process‏ ‎has‏ ‎already ‎been‏ ‎completed.

📌The ‎attacker‏ ‎sends ‎a ‎crafted ‎HTTP ‎request‏ ‎to‏ ‎the ‎/Startup/Register‏ ‎endpoint ‎to‏ ‎create ‎a ‎new ‎administrator ‎account:

curl‏ ‎'http://TARGET_HERE/Startup/Register'‏ ‎-d‏ ‎'Username=USERNAME_HERE& ‎Password=PASSWORD_HERE&‏ ‎ConfirmPassword=PASSWORD_HERE& ‎Email=backdoor%http://40admin.com&‏ ‎FirstName=backdoor& ‎LastName=user'

Account‏ ‎Creation‏ ‎and ‎Authentication:

📌Upon‏ ‎successful ‎exploitation, ‎the ‎attacker ‎gains‏ ‎high-privileged ‎access‏ ‎to‏ ‎the ‎Telerik ‎Report‏ ‎Server ‎by‏ ‎using ‎the ‎newly ‎created‏ ‎administrator‏ ‎account.

📌The ‎attacker‏ ‎logs ‎in‏ ‎using ‎the ‎credentials ‎of ‎the‏ ‎backdoor‏ ‎account ‎created‏ ‎in ‎the‏ ‎previous ‎step.

Deserialization ‎Exploit ‎(CVE-2024-1800):

📌With ‎administrative‏ ‎access,‏ ‎the‏ ‎attacker ‎leverages‏ ‎a ‎deserialization‏ ‎vulnerability ‎in‏ ‎the‏ ‎Telerik ‎Report‏ ‎Server ‎to ‎execute ‎arbitrary ‎code‏ ‎on ‎the‏ ‎server.

📌The‏ ‎attacker ‎creates ‎a‏ ‎malicious ‎report‏ ‎that ‎triggers ‎the ‎deserialization‏ ‎flaw,‏ ‎allowing ‎them‏ ‎to ‎run‏ ‎arbitrary ‎commands ‎on ‎the ‎server.

📌The‏ ‎PoC‏ ‎script ‎automates‏ ‎this ‎process,‏ ‎including ‎generating ‎random ‎usernames ‎and‏ ‎passwords‏ ‎for‏ ‎the ‎backdoor‏ ‎account ‎and‏ ‎creating ‎a‏ ‎malicious‏ ‎report:

python ‎http://CVE-2024-4358.py --target‏ ‎http://192.168.253.128:83 -c ‎«whoami»