Skip to content

Another tool for exploiting CVE-2017-9248, a cryptographic weakness in Telerik UI for ASP.NET AJAX dialog handler.

License

Notifications You must be signed in to change notification settings

blacklanternsecurity/dp_cryptomg

Repository files navigation

dp_cryptomg

Black License

Another tool for exploiting CVE-2017-9248, a cryptographic weakness in Telerik UI for ASP.NET AJAX dialog handler. Exploitation leads to access to a file manager utility capable up uploading arbitrary files, usually leading to remote code execution.

The vulnerability is caused by an information leak via error messages during decryption of the Telerik "DialogParameters", which are a series of encrypted configuration values. These values are provided to the user, and then echoed back to the server as user-input. The leaked info about the decryption process allow for systemtic discovery of the Telerik.Web.UI.DialogParametersEncryptionKey. For a deep-dive into the vulnerability and how the tool works, visit our blog post at: https://blog.blacklanternsecurity.com/p/yet-another-telerik-ui-revisit.

dp_cryptomg_Trim

Acknowledgements

  • The original tool for exploiting CVE-2017-9248 dp_crypto was invaluable for building this one. Not to mention, it's netted us plenty of RCEs over the years :)

  • Research by SR Labs in their blog post Achieving Telerik Remote Code Execution 100 Time Faster was the basis for the technique used in this tool and inspired us to create it

Usage

Example (Basic usage):

python3 dp_cryptomg.py http://example.com/Telerik.Web.UI.DialogHandler.aspx

Example (Setting custom key length and using a proxy)

python3 dp_cryptomg.py -l 40 -p http://127.0.0.1:8080  http://example.com/Telerik.Web.UI.DialogHandler.aspx

usage: dp_cryptomg.py [-h] [-d] [-c COOKIE] [-k KNOWN_KEY] [-v VERSION] [-l LENGTH] [-p PROXY] [-s] [-S] url

positional arguments:
  url                   The target URL

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           Enable debugging mode
  -c COOKIE, --cookie COOKIE
                        Add optional cookie header to every request
  -k KNOWN_KEY, --known-key KNOWN_KEY
                        The partial or complete known key, in HEX format
  -v VERSION, --version VERSION
                        Specify the Telerik version, if known
  -l LENGTH, --length LENGTH
                        The length of the key, if known
  -p PROXY, --proxy PROXY
                        Optionally set an HTTP proxy
  -s, --simple          Turn off the fancy interface
  -S, --super-simple    Turn off the fancy interface and show minimal output
  -q, --quick-check     Only detect likely vulnerability and skip exploitation (forces simple mode)

Features

  • Increased speed over previous tools
  • Capable of recovering key from both the Telerik.Web.UI.DialogHandler.aspx and the Telerik.Web.UI.SpellCheckHandler.axd endpoints
  • Built in HTTP proxy support
  • Capable of adding a custom cookie header to each request

Important Notes

  • If they key length is not the default length of 48, you must manually specify the length with the -l parameter
  • If you experience issues with the "fancy" interface, you can disable it with the -s or -S options. This will also slightly increase the speed of the exploitation process.

References

About

Another tool for exploiting CVE-2017-9248, a cryptographic weakness in Telerik UI for ASP.NET AJAX dialog handler.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages