Exploit for critical Progress Telerik auth bypass released, patch now

Researchers have released a proof-of-concept (PoC) exploit script demonstrating a chained remote code execution (RCE) vulnerability on Progress Telerik Report Servers.

Telerik Report Server is an API-powered, end-to-end encrypted report management solution that organizations use to streamline the creation, sharing, storage, distribution, and scheduling of reports.

Cybersecurity researcher Sina Kheirkhah developed the exploit with the help of Soroush Dalili and has now published a detailed write-up describing the intricate process of chaining two flaws, an authentication bypass and a deserialization issue, to execute code on the target.

Creating rogue admin accounts

The authentication bypass flaw is tracked as CVE-2024-4358 (CVSS score: 9.8) and permits the creation of admin accounts without any checks.

Kheirkhah says he worked toward discovering the vulnerability following a bug disclosure by the software vendor on April 25 for a deserialization issue that required a "low privilege" user to exploit.

The researcher expanded on the flaw by discovering that the 'Register' method in the 'StartupController' was accessible without authentication, allowing the creation of an admin account even after the initial setup was complete.

This issue was addressed via an update (Telerik Report Server 2024 Q2 10.1.24.514) on May 15, while the vendor published a bulletin with the ZDI team on May 31.

The second flaw required to achieve RCE is CVE-2024-1800 (CVSS score: 8.8), a deserialization issue that allows remote authenticated attackers to execute arbitrary code on vulnerable servers.

That issue was discovered earlier and reported to the vendor by an anonymous researcher, and Progress released a security update for it on March 7, 2024, in Telerik® Report Server 2024 Q1 10.0.24.305.

An attacker can send a specially crafted XML payload with a 'ResourceDictionary' element to Telerik Report Server's custom deserializer, which uses a complex mechanism to resolve XML elements into .NET types.

The special element in the payload then uses the 'ObjectDataProvider' class to execute arbitrary commands on the server, such as launching 'cmd.exe.'

Although exploiting the deserialization bug is complex, Kheirkhah's write-up and exploit Python script are publicly available, making the case fairly simple for aspiring attackers.

That being said, organizations should apply the available updates as soon as possible, i.e., upgrade to version 10.1.24.514 or later, which addresses both flaws.

The vendor has also advised that, even though there are no reports of active exploitation of CVE-2024-4358, system administrators should review their Report Server's users list for any new Local users they do not recognize, added at '{host}/Users/Index.'

Critical flaws in Progress Software products aren't typically ignored by high-level cybercriminals, as numerous organizations worldwide use the vendor's products.

The most characteristic case is an extensive series of data theft attacks by the Clop ransomware gang in March 2023 that exploited a zero-day vulnerability in the Progress MOVEit Transfer platform.

That data theft campaign ended up being one of the most large-scale and impactful extortion operations in history, claiming over 2,770 victims and indirectly affecting nearly 96 million people.
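The two remediation checks above, the fixed build numbers and the review of Local users, as a small defender-side script. This is an added example, not code from the article or from Progress; the user records and the `is_local` flag are a constructed stand-in for what an administrator would copy out of `{host}/Users/Index`.

```python
from dataclasses import dataclass

# Fixed builds named in the article: 2024 Q1 fixed the deserialization RCE,
# 2024 Q2 fixed the auth bypass, so 10.1.24.514 or later covers both flaws.
FIX_CVE_2024_1800 = (10, 0, 24, 305)
FIX_CVE_2024_4358 = (10, 1, 24, 514)


def parse_version(text: str) -> tuple:
    """Turn a build string such as '10.1.24.514' into a comparable int tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def unpatched_cves(version: str) -> list:
    """Return the CVEs from the article that the given build still lacks a fix for."""
    v = parse_version(version)
    missing = []
    if v < FIX_CVE_2024_1800:
        missing.append("CVE-2024-1800")
    if v < FIX_CVE_2024_4358:
        missing.append("CVE-2024-4358")
    return missing


@dataclass(frozen=True)
class ReportServerUser:
    username: str
    is_local: bool  # Local account (assumed field name; the article only says "Local users")


def unrecognised_local_users(users, known_usernames) -> list:
    """Flag Local accounts missing from the administrator's own baseline list.
    An admin account created through the unauthenticated Register method would
    appear here as a Local user nobody on the team can account for."""
    known = {name.lower() for name in known_usernames}
    return sorted(u.username for u in users
                  if u.is_local and u.username.lower() not in known)


# Constructed sample data so the script runs stand-alone.
SAMPLE_USERS = [
    ReportServerUser("admin", True),
    ReportServerUser("reports-svc", True),
    ReportServerUser("backup_admin", True),        # not in the baseline: investigate
    ReportServerUser("jdoe@corp.example", False),  # external identity, not Local
]
KNOWN_BASELINE = ["admin", "reports-svc"]

if __name__ == "__main__":
    print(unpatched_cves("10.0.24.305"))                         # ['CVE-2024-4358']
    print(unrecognised_local_users(SAMPLE_USERS, KNOWN_BASELINE))  # ['backup_admin']
```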
