Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-18935 PoC — Progress Telerik UI for ASP.NET AJAX 代码问题漏洞

Source
https://github.com/appliedi/Telerik_CVE-2019-18935
Associated Vulnerability
Title:Progress Telerik UI for ASP.NET AJAX 代码问题漏洞 (CVE-2019-18935)
Description:Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
Description
TelerikUI Vulnerability Scanner (CVE-2019-18935)
Readme
# TelerikUI Python Scanner
(telerik_rce_scan.py)
<img align="center" src="https://github.com/becrevex/Telerik_CVE-2019-18935/blob/master/pyimp.JPG"/> 

# Examples
<b>Assess an IP for CVE-2019-18935</b><br>
$ python3 telerik_rce_scan.py -t 192.168.44.21

<b>Assess a hostname for CVE-2019-18935</b><br>
$ python3 telerik_rce_scan.py -t vulnerable.telerik.net

<b>Assess a CIDR network range for CVE-2019-18935</b><br>
$ python3 telerik_rce_scan.py -r 23.253.4.0/24

<b>Assess a list of targerts</b><br>
$ python3 telerik_rce_scan.py -iL hosts.txt

------------------------------------------------------------------------------------------------------

# TelerikUI NSE Scanner 
(http-telerik-vuln.nse)

# Installation
Download to your nmap scripts directory (/usr/share/nmap/scripts/)

# Update the nmap scripts database
$ nmap --script-updatedb

# Sample execution:
nmap -sT -p443 --script=http-telerik-vuln 23.253.4.115

# Screen:
<img align="center" src="https://github.com/becrevex/Telerik_CVE-2019-18935/blob/master/screen.JPG"/> 

## Thanks

[@mwulftange](https://twitter.com/mwulftange) initially [discovered](https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html) this vulnerability. [@bao7uo](https://github.com/bao7uo) wrote all of the logic for [breaking RadAsyncUpload encryption](https://github.com/bao7uo/RAU_crypto), which enabled manipulating the file upload configuration object in `rauPostData` and subsequently exploiting insecure deserialization of that object.  And thanks to Noperator (@BishopFox) from whom I _copped_ this language and the Legal Disclaimer below.  

## Legal Disclaimer

Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
File Snapshot

 [4.0K]  /data/pocs/3d0c266fea70edacf73a22c0cc3a5dcd69044d30
├── [3.7M]  AIC Training Module - Finding Vulnerable Telerik Instances.docx
├── [5.0K]  http-telerik-vuln.nse
├── [4.0K]  img
│   ├── [ 70K]  pyimp.JPG
│   └── [ 85K]  screen.JPG
├── [ 70K]  pyimp.JPG
├── [1.9K]  README.md
├── [ 85K]  screen.JPG
└── [ 17K]  telerik_rce_scan.py

1 directory, 8 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →