Researchers have published a proof-of-concept exploit script demonstrating a chained remote code execution vulnerability on Progress Telerik Report Servers.
The Telerik Report Server is an API-powered end-to-end encrypted report management solution organizations use to streamline the creation, sharing, storage, distribution, and scheduling of reports.
Cybersecurity researcher Sina Kheirkha developed the exploit with the help of Soroush Dalili and has now published a detailed write-up that describes the intricate process of exploiting two flaws, an authentication bypass and a deserialization issue, to execute code on the target.
The authentication bypass flaw is tracked as CVE-2024-4358, allowing the creation of admin accounts without checks.
The researcher expanded on the flaw by discovering that the 'Register' method in the 'StartupController' was accessible without authentication, allowing the creation of an admin account even after the initial setup was complete.
This issue was addressed via an update on May 15, while the vendor published a bulletin with the ZDI team on May 31.
The second flaw required for achieving RCE is CVE-2024-1800, a deserialization issue that allows remote authenticated attackers to execute arbitrary code on vulnerable servers.
That issue was discovered earlier and reported to the vendor by an anonymous researcher, while Progress released a security update for it on March 7, 2024, through Telerik® Report Server 2024 Q1 10.0.24.305.
An attacker can send a specially crafted XML payload with a 'ResourceDictionary' element to Telerik Report Server's custom deserializer, which uses a complex mechanism to resolve XML elements into.
The special element in the payload then uses the 'ObjectDataProvider' class to execute arbitrary commands on the server, such as launching 'cmd.
Although exploiting the deserialization bug is complex, Kheirkhah's write-up and exploit Python script are publicly available, making the case pretty straightforward for aspiring attackers.
That being said, organizations must apply the available updates as soon as possible, aka upgrade to version 10.1.24.514 or later, which addresses both flaws.
Critical flaws in Progress Software aren't typically ignored by high-level cybercriminals, as a large number of organizations worldwide use the vendor's products.
The most characteristic case is an extensive series of data theft attacks that exploited a zero-day vulnerability in the Progress MOVEit Transfer platform by the Clop ransomware gang in March 2023.
That data theft campaign ended up being one of the most large-scale and impactful extortion operations in history, claiming over 2,770 victims and indirectly affecting nearly 96 million people.
QNAP QTS zero-day in Share feature gets public RCE exploit.
PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers.
Maximum severity Flowmon bug has a public exploit, patch now.
Exploit released for maximum severity Fortinet RCE bug, patch now.
GitHub warns of SAML auth bypass flaw in Enterprise Server.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 26 Jun 2024 19:14:03 +0000