Researchers have published a proof-of-concept (PoC) exploit script demonstrating a chained remote code execution (RCE) vulnerability on Progress Telerik Report Servers.
The Telerik Report Server is an API-powered, end-to-end encrypted report management solution that organizations use to streamline the creation, sharing, storage, distribution, and scheduling of reports.
Cybersecurity researcher Sina Kheirkhah developed the exploit with the help of Soroush Dalili and has now published a detailed write-up that describes the intricate process of exploiting two flaws, an authentication bypass and a deserialization issue, to execute code on the target.
Creating rogue admin accounts
The authentication bypass flaw is tracked as CVE-2024-4358 (CVSS score: 9.8) and allows the creation of admin accounts without any checks.
Kheirkhah says he worked toward discovering the vulnerability following a bug disclosure by the software vendor on April 25 for a deserialization issue that required a “low privilege” user to exploit.
The researcher expanded on the flaw by discovering that the ‘Register’ method in the ‘StartupController’ was accessible without authentication, allowing the creation of an admin account even after the initial setup was complete.
This issue was addressed via an update (Telerik Report Server 2024 Q2 10.1.24.514) on May 15, while the vendor published a bulletin with the ZDI team on May 31.
The second flaw required for achieving RCE is CVE-2024-1800 (CVSS score: 8.8), a deserialization issue that allows remote authenticated attackers to execute arbitrary code on vulnerable servers.
That issue was discovered earlier and reported to the vendor by an anonymous researcher, and Progress released a security update for it on March 7, 2024, via Telerik® Report Server 2024 Q1 10.0.24.305.
An attacker can send a specially crafted XML payload containing a ‘ResourceDictionary’ element to Telerik Report Server’s custom deserializer, which uses a complex mechanism to resolve XML elements into .NET types.
The special element in the payload then uses the ‘ObjectDataProvider’ class to execute arbitrary commands on the server, such as launching ‘cmd.exe.’
Although exploiting the deserialization bug is complex, Kheirkhah’s write-up and exploit Python script are publicly available, making the case fairly straightforward for aspiring attackers.
That being said, organizations should apply the available updates as soon as possible, i.e. upgrade to version 10.1.24.514 or later, which addresses both flaws.
The vendor has also advised that, even though there are no reports of active exploitation of CVE-2024-4358, system administrators should review their Report Server’s users list for any new Local users they do not recognize, added at ‘{host}/Users/Index.’
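As an added example (not the researcher's or the vendor's code) of the two checks this advice boils down to, the script below reports which of the two CVEs an installed build still lacks the fix for, using only the fixed build numbers given above, and reconciles a Local user list against the accounts an administrator knows about; the user-record layout and all sample data are assumptions constructed for the example.

```python
"""Patch-level and user-list checks for the two Telerik Report Server flaws.
Added example, not vendor code. Only the fixed build numbers come from the
advisory; the user-export layout and sample data are assumptions."""
from typing import Iterable

# Fixed builds from the write-up: Q1 fixes the deserialization bug,
# Q2 fixes the authentication bypass (and therefore the full RCE chain).
FIXES = {
    "CVE-2024-1800": (10, 0, 24, 305),   # deserialization, authenticated
    "CVE-2024-4358": (10, 1, 24, 514),   # unauthenticated admin creation
}

def parse_version(text: str) -> tuple:
    """Turn a build string such as '10.1.24.514' into a comparable int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Report Server version string: {text!r}")
    return tuple(int(p) for p in parts)

def unpatched_cves(version: str) -> list:
    """Return the CVE ids whose fix an installed build does not yet contain."""
    installed = parse_version(version)
    return sorted(cve for cve, fixed in FIXES.items() if installed < fixed)

def unrecognized_local_users(users: Iterable[dict], known: Iterable[str]) -> list:
    """Vendor advice: review the Users list for Local accounts you did not create.
    `users` follows an assumed export shape: {name, auth_type, is_admin}."""
    known_names = {n.lower() for n in known}
    return [u["name"] for u in users
            if u.get("auth_type", "").lower() == "local"
            and u["name"].lower() not in known_names]

# Constructed sample data, not taken from any real server.
SAMPLE_USERS = [
    {"name": "admin", "auth_type": "Local", "is_admin": True},
    {"name": "reports-svc", "auth_type": "Local", "is_admin": False},
    {"name": "backupadm", "auth_type": "Local", "is_admin": True},
    {"name": "jdoe", "auth_type": "ActiveDirectory", "is_admin": False},
]
KNOWN_LOCAL_ACCOUNTS = ["admin", "reports-svc"]

if __name__ == "__main__":
    # "10.0.24.130" is a constructed pre-Q1 build number for illustration.
    for v in ("10.0.24.130", "10.0.24.305", "10.1.24.514"):
        print(v, "->", unpatched_cves(v) or "patched for both CVEs")
    print("unrecognized Local users:",
          unrecognized_local_users(SAMPLE_USERS, KNOWN_LOCAL_ACCOUNTS))
```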
Critical flaws in Progress Software products are not typically ignored by high-level cybercriminals, as many organizations worldwide use the vendor’s products.
The most characteristic case is the extensive series of data theft attacks by the Clop ransomware gang in March 2023, which exploited a zero-day vulnerability in the Progress MOVEit Transfer platform.
That data theft campaign ended up being one of the most large-scale and impactful extortion operations in history, claiming over 2,770 victims and indirectly affecting nearly 96 million people.