CVE-2017-11357
published 2017-08-23

Priority: P196 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2023-02-16)
Exploited in the wild
EPSS: 75.71% (99.5th percentile)
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

Affected

3 ranges

Vendor     Product                       Version range              Fixed in
progress   telerik_ui_for_asp.net_ajax   < 2020.1.114               2020.1.114
quest      kace_desktop_authority        >= 10.0, < 11.2            11.2
telerik    ui_for_asp.net_ajax           2011.1.315 – 2020.1.114    –

Detection & IOCs (extracted from sources)

filename: RAU_crypto.bypass
url: http://target/Telerik.Web.UI.WebResource.axd?type=rau
path: Telerik.Web.UI.WebResource.axd
  • Look for multipart POST requests to Telerik.Web.UI.WebResource.axd with query parameter type=rau, containing a form field named 'rauPostData' — this is the encrypted payload carrier used in exploitation.
  • Flag multipart POST requests to RadAsyncUpload endpoint where the 'fileName' field value is 'RAU_crypto.bypass' — this is a specific bypass indicator used by the exploit.
  • Detect multipart POST requests to Telerik.Web.UI.WebResource.axd?type=rau where 'contentType' is set to 'text/html' for an uploaded file — legitimate file uploads should not use text/html as the content type for binary uploads.
  • Monitor for HTTP responses from Telerik.Web.UI.WebResource.axd that leak version strings matching the pattern '20\d{2}(.\d+)+' — version disclosure enables targeted exploitation.
  • Alert on multipart POST bodies using the boundary value '68821516528156' — this hardcoded boundary string is present in the public exploit's payload construction.
  • The vulnerability allows file uploads to a limited/attacker-influenced TempTargetFolder path as well as potential RCE; the upload destination is controlled via the encrypted 'TempTargetFolder' field inside rauPostData.

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL