CVE-2017-9248
published 2017-07-03


Priority: P188
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerabilities catalog: listed, remediation due 2022-05-03
Exploited in the wild: yes
EPSS: 75.10% (99.4th percentile)
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.

Affected (2 ranges)

Vendor    Product               Version range   Fixed in
progress  sitefinity            < 10.0.6412.0   10.0.6412.0
telerik   ui_for_asp.net_ajax   <= 2017.2.503   R2 2017 SP1 (from the description; no version string listed)

Detection & IOCs (extracted from sources)

path      /Telerik.Web.UI.DialogHandler.aspx
path      /Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx
url       http://a/Telerik.Web.UI.DialogHandler.aspx
url       ?DialogName=DocumentManager&renderMode=2&Skin=Default&Title=Document%20Manager&dpptn=&isRtl=false&dp=
filename  Telerik.Web.UI.dll
  • Monitor HTTP requests to Telerik.Web.UI.DialogHandler.aspx that carry a 'dp=' query parameter; the exploit uses this parameter to brute-force the DialogParametersEncryptionKey (or the MachineKey) through an oracle-based cryptographic attack. Legitimate editor dialogs also send a dp= value, so volume and variety, not mere presence, are the signal.
  • A high volume of requests to Telerik.Web.UI.DialogHandler.aspx from one client with varying 'dp=' values indicates key brute-forcing (the dp_crypto tool); recovering each key character takes many requests.
  • HTTP 500 responses from Telerik.Web.UI.DialogHandler.aspx whose body contains 'Index was outside the bounds of the array.' are the oracle signal the exploit relies on. Access logs record only the status code, so matching the message itself needs application error logs or a WAF/reverse proxy that inspects response bodies.
  • Successful exploitation ends with a file upload through the DNN file manager via a crafted DocumentManager dialog URL; monitor for ASPX files uploaded through this path.
  • The exploit targets Telerik versions up to and including 2017.1.118, while the affected range above runs through 2017.2.503; any Telerik.Web.UI.dll older than R2 2017 SP1 on a public-facing ASP.NET application is a high-risk indicator.
  • The dp_crypto exploit tool (https://github.com/bao7uo/dp_crypto) is publicly available and directly weaponizes CVE-2017-9248; look for its user-agent or its characteristic request pattern.
  • The cryptographic weakness exists only in Telerik.Web.UI.dll versions before R2 2017 SP1 (ASP.NET AJAX) and Sitefinity before 10.0.6412.0; patched versions are not vulnerable.
  • The key length must be estimated correctly: because the key is applied cyclically, brute-forcing past its true length makes the base64 validate again from the first key position, so the recovered key appears to repeat. A repeating pattern in the recovered bytes means the assumed length overshoots, and the period of that pattern is the real length.
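The detection notes above, as an added worked example (not code from the page's sources or from the dp_crypto project): a Python scorer that applies the volume-and-variety rule to IIS W3C access-log lines. The log lines, field order, client addresses and thresholds are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Added detection example; not code from the page's sources. Field order is an
# assumption: a default IIS W3C layout with cs-uri-stem, cs-uri-query, c-ip and
# sc-status present, one space-separated record per line.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]
# Matches both handler paths listed in the IOCs above.
HANDLER_RE = re.compile(r"/Telerik\.Web\.UI\.DialogHandler\.aspx$", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per non-comment W3C log line."""
    for line in lines:
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def detect_dp_bruteforce(lines, min_distinct_dp=20, min_error_ratio=0.5):
    """Return one alert per client whose DialogHandler traffic looks like key
    brute-forcing: many distinct dp= values, mostly answered with HTTP 500.
    A single dp= request is not alerted on, since editor dialogs send one too."""
    per_ip = defaultdict(lambda: {"requests": 0, "dp_values": set(), "errors": 0})
    for rec in parse_w3c(lines):
        if not HANDLER_RE.search(rec["cs-uri-stem"]):
            continue
        query = parse_qs(rec["cs-uri-query"], keep_blank_values=True)
        if "dp" not in query:
            continue
        stats = per_ip[rec["c-ip"]]
        stats["requests"] += 1
        stats["dp_values"].add(query["dp"][0])
        if rec["sc-status"] == "500":
            stats["errors"] += 1
    alerts = []
    for ip, s in per_ip.items():
        ratio = s["errors"] / s["requests"]
        if len(s["dp_values"]) >= min_distinct_dp and ratio >= min_error_ratio:
            alerts.append({"client": ip, "requests": s["requests"],
                           "distinct_dp": len(s["dp_values"]), "http_500": s["errors"]})
    return sorted(alerts, key=lambda a: a["requests"], reverse=True)


def sample_log():
    """Constructed sample: one benign editor user, one unrelated page view and
    one client that sends 40 probes with a different dp value each time."""
    lines = ["#Fields: " + " ".join(FIELDS)]
    lines.append("2017-07-05 10:02:11 10.0.0.5 GET /Telerik.Web.UI.DialogHandler.aspx "
                 "DialogName=DocumentManager&renderMode=2&Skin=Default&dp=QUJDREVG "
                 "80 - 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 200")
    lines.append("2017-07-05 10:02:12 10.0.0.5 GET /Default.aspx - 80 - 198.51.100.7 - 200")
    for i in range(40):
        status = "500" if i % 5 else "200"   # most probes hit the base64 error path
        lines.append(f"2017-07-05 10:05:{i % 60:02d} 10.0.0.5 GET "
                     f"/Telerik.Web.UI.DialogHandler.aspx dp={i:04x}AAAA 80 - 198.51.100.7 - {status}")
    return lines


if __name__ == "__main__":
    for alert in detect_dp_bruteforce(sample_log()):
        print(alert)
```

The scorer works from access logs alone, which is why it keys on the 500 ratio and the number of distinct dp values per client; the 'Index was outside the bounds of the array.' body text never reaches an access log, so that match has to come from application error logs or a proxy that sees response bodies.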
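The oracle mechanics and the key-length caveat in the last two notes, as an added toy model (not Telerik's code and not dp_crypto): a repeating-key XOR over base64 text, a server that only reveals whether the decrypted bytes are all valid base64 characters, a per-position recovery loop, and the repeating output that appears when the assumed key length overshoots. The key alphabet (lowercase hex), the probe set, the 16-character key and the oracle's exact behaviour are assumptions of this model, simplified from the real scheme.

```python
import string

# Toy model, added here as an example; NOT Telerik's code. Assumptions: the
# protected value is a base64 string XORed with a cyclically repeated secret key,
# the server answers only "valid base64 after decryption" or not, and the key is
# drawn from lowercase hex.
B64_ALPHABET = frozenset(string.ascii_letters + string.digits + "+/=")
KEY_CHARSET = b"0123456789abcdef"   # assumed key alphabet
PROBES = b"Az0+/"                   # base64 chars chosen so no wrong hex guess survives all of them


class ToyDialogServer:
    """Stands in for the dialog handler: XORs attacker-supplied bytes with its
    secret key (repeating the key) and validates the result as base64."""

    def __init__(self, key: bytes):
        self._key = key
        self.requests = 0   # number of oracle queries, i.e. what a log would show

    def _xor(self, data: bytes) -> bytes:
        return bytes(b ^ self._key[i % len(self._key)] for i, b in enumerate(data))

    def oracle(self, dp: bytes) -> bool:
        """True when every decrypted byte is a base64 character (the page's
        'Index was outside the bounds of the array.' response); False on the
        base64 format error that a wrong byte produces."""
        self.requests += 1
        return all(chr(b) in B64_ALPHABET for b in self._xor(dp))


def recover_key(server: ToyDialogServer, assumed_len: int) -> bytes:
    """Recover the key one position at a time for an assumed key length.

    Position i is isolated by sending i+1 bytes: the first i bytes are the
    already-recovered key XORed with 'A', so they decrypt to valid base64 no
    matter what, and the last byte carries the probe for the current guess."""
    recovered = bytearray()
    for i in range(assumed_len):
        prefix = bytes(ord("A") ^ k for k in recovered)
        for guess in KEY_CHARSET:
            # A guess survives only if every probe decrypts to a base64 char.
            if all(server.oracle(prefix + bytes([p ^ guess])) for p in PROBES):
                recovered.append(guess)
                break
        else:
            raise RuntimeError(f"no byte of KEY_CHARSET fits position {i}")
    return bytes(recovered)


def smallest_period(data: bytes) -> int:
    """Shortest prefix length that, repeated, reproduces data. When the assumed
    length overshoots, the recovered bytes repeat and this is the true length."""
    for p in range(1, len(data) + 1):
        if all(data[j] == data[j % p] for j in range(len(data))):
            return p
    return len(data)


def demo() -> dict:
    key = b"0f3a9c4e1b7d2685"      # constructed secret, 16 hex characters
    server = ToyDialogServer(key)
    exact = recover_key(server, len(key))
    spent = server.requests
    server.requests = 0
    # Overestimating the length by 2x: the cyclic key makes the output repeat.
    over = recover_key(server, 2 * len(key))
    return {
        "exact": exact,
        "requests_per_char": spent / len(key),
        "overestimated": over,
        "true_length_from_period": smallest_period(over),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the model makes visible: every recovered character costs several oracle round trips (the request volume the detection notes key on), and an overestimated length does not fail, it silently yields the key twice over, so checking the recovered bytes for a period is how the real length is confirmed.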

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck  -        9.8    CRITICAL  -
cisa       -        9.8    CRITICAL  -