CVE-2017-9248
Published: 2017-07-03
Priority: P1 · 88 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 75.10% (99.4th percentile)
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | sitefinity | < 10.0.6412.0 | 10.0.6412.0 |
| telerik | ui_for_asp.net_ajax | <= 2017.2.503 | — |
Detection & IOCs (extracted from sources)
- URL query pattern: `?DialogName=DocumentManager&renderMode=2&Skin=Default&Title=Document%20Manager&dpptn=&isRtl=false&dp=`
- Monitor HTTP requests to Telerik.Web.UI.DialogHandler.aspx that carry a `dp=` query parameter; the exploit uses this parameter to brute-force the DialogParametersEncryptionKey/MachineKey through an oracle-based cryptographic attack.
- A high volume of requests to Telerik.Web.UI.DialogHandler.aspx with varying `dp=` values indicates key brute-forcing (the dp_crypto tool); recovering each key character takes many requests.
- HTTP 500 responses from Telerik.Web.UI.DialogHandler.aspx whose body contains `Index was outside the bounds of the array.` are the oracle signal the exploit relies on.
- Successful exploitation ends with a file upload to the DNN file manager through a crafted DocumentManager dialog URL; monitor for ASPX uploads via this path.
- The public exploit targets Telerik versions up to and including 2017.1.118; a Telerik.Web.UI.dll older than R2 2017 SP1 on a public-facing ASP.NET application is a high-risk indicator.
- The dp_crypto exploit tool (https://github.com/bao7uo/dp_crypto) is publicly available and directly weaponizes CVE-2017-9248; look for its user-agent or characteristic request patterns.
- Caveat: the cryptographic weakness exists only in Telerik.Web.UI.dll before R2 2017 SP1 (ASP.NET AJAX) and Sitefinity before 10.0.6412.0; patched versions are not vulnerable.
- Caveat: the key length must be estimated correctly. If the guessed length exceeds the real one, the base64 check starts validating again from the beginning of the key, so the recovered key appears to repeat.
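The request-pattern indicators above, turned into detection logic that runs over IIS W3C access log lines. This is an added example written for this page, not code from the page, from Progress/Telerik or from dp_crypto. The log lines, IP addresses and dp values are constructed, and the shape of the probe requests (a bare `dp=` parameter on the handler, answered mostly with HTTP 500) is an assumption. The oracle string `Index was outside the bounds of the array.` lives in the response body and does not appear in access logs, so the example uses `sc-status` 500 as its stand-in; a WAF or reverse proxy with body logging can match the string directly.

```python
"""
Detection logic for CVE-2017-9248 key brute-forcing in IIS W3C access logs.
Added example; not code from this page, from Progress/Telerik or from dp_crypto.
Assumed log layout: a "#Fields:" header naming at least cs-uri-stem,
cs-uri-query, c-ip and sc-status. The sample lines are constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs

HANDLER = "telerik.web.ui.dialoghandler.aspx"
# Query string from the page's URL indicator; the dp value is appended by the caller.
DIALOG_QS = ("DialogName=DocumentManager&renderMode=2&Skin=Default"
             "&Title=Document%20Manager&dpptn=&isRtl=false&dp=")


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the latest #Fields: header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):  # skip malformed lines instead of guessing
            yield dict(zip(fields, parts))


def analyze(records, min_requests=20, min_distinct_dp=10, min_error_ratio=0.5):
    """Aggregate dp= requests to the DialogHandler per client IP and classify them.

    A client is flagged when it sends many requests with many distinct dp values
    and most of them fail with HTTP 500 (the oracle answer, visible in the log as
    the status code rather than the response-body string). DocumentManager
    dialog loads from the same client are reported as the follow-on step.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "dp": set(), "http500": 0, "docmanager": 0})
    for r in records:
        if not r["cs-uri-stem"].lower().endswith(HANDLER):
            continue
        qs = parse_qs(r.get("cs-uri-query", ""), keep_blank_values=True)
        if "dp" not in qs:
            continue
        s = per_ip[r["c-ip"]]
        s["requests"] += 1
        s["dp"].add(qs["dp"][0])
        if r["sc-status"] == "500":
            s["http500"] += 1
        if qs.get("DialogName", [""])[0] == "DocumentManager":
            s["docmanager"] += 1

    findings = {}
    for ip, s in per_ip.items():
        error_ratio = s["http500"] / s["requests"]
        brute = (s["requests"] >= min_requests
                 and len(s["dp"]) >= min_distinct_dp
                 and error_ratio >= min_error_ratio)
        if brute and s["docmanager"]:
            verdict = "key-bruteforce+docmanager-access"
        elif brute:
            verdict = "key-bruteforce"
        else:
            verdict = "benign"  # e.g. an admin opening the Document Manager once
        findings[ip] = {"requests": s["requests"], "distinct_dp": len(s["dp"]),
                        "http500": s["http500"], "docmanager": s["docmanager"],
                        "verdict": verdict}
    return findings


def build_sample_log():
    """Constructed IIS log: one admin dialog load, then 60 oracle probes and a crafted dialog load."""
    stem = "/Telerik.Web.UI.DialogHandler.aspx"
    log = [
        "#Software: Microsoft Internet Information Services 10.0",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status",
        f"2023-03-14 09:00:01 10.0.0.5 GET {stem} {DIALOG_QS}QUJDREVGR0hJSktMTU5PUA 443 "
        "198.51.100.5 Mozilla/5.0+(Windows+NT+10.0) 200",
    ]
    for i in range(60):  # attacker probes: varying dp values, mostly answered with HTTP 500
        status = "200" if i % 15 == 14 else "500"
        log.append(f"2023-03-14 09:10:{i:02d} 10.0.0.5 GET {stem} dp=cHJvYmU{i:03d} 443 "
                   f"203.0.113.10 python-requests/2.28 {status}")
    log.append(f"2023-03-14 09:12:00 10.0.0.5 GET {stem} {DIALOG_QS}Zm9yZ2Vk 443 "
               "203.0.113.10 python-requests/2.28 200")
    return log


def run_sample():
    """Run the detector over the constructed log and return the per-IP findings."""
    return analyze(parse_w3c(build_sample_log()))


if __name__ == "__main__":
    for ip, finding in run_sample().items():
        print(ip, finding)
```

The thresholds are starting points. A single administrator opening the Document Manager produces one `dp=` request answered with HTTP 200, so the distinct-value count and the error ratio are what separate normal dialog use from oracle traffic; lower `min_requests` only if the handler is rarely used on the site. To key on the body string itself, feed the same aggregation with WAF or reverse-proxy logs that capture response bodies.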
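The key-length caveat as a post-processing check. With a guessed length longer than the real one, the recovered string is the real key followed by its own prefix; the function below finds the smallest period of the recovered string and reports it as the true length once enough trailing characters confirm the repeat. This is an added example, not dp_crypto's code; the repeating-prefix model is taken from the caveat as stated and the 12-character key is constructed.

```python
"""
Key-length sanity check for an over-long key recovery. Added example, not
dp_crypto's code. Assumption (from the caveat): guessing a length longer than
the real key recovers the key followed by its own prefix. Keys are constructed.
"""


def smallest_period(s):
    """Smallest p with s[i] == s[i % p] for every i; equals len(s) when s does not repeat."""
    n = len(s)
    for p in range(1, n):
        if all(s[i] == s[i % p] for i in range(p, n)):
            return p
    return n


def infer_key_length(recovered, min_overlap=4):
    """Return the real key length hidden in an over-long recovery.

    The repeat is trusted only if at least min_overlap characters beyond the
    period match the start of the key; a shorter overlap could be coincidence,
    so the full guessed length is returned unchanged in that case.
    """
    p = smallest_period(recovered)
    return p if len(recovered) - p >= min_overlap else len(recovered)


if __name__ == "__main__":
    key = "K7f2Q9xLm3Rt"  # constructed 12-character key
    for guess in (12, 14, 16, 20):
        recovered = (key * 3)[:guess]  # what an over-long length guess recovers
        print(guess, recovered, infer_key_length(recovered))
```

A guess of 14 leaves only two overlapping characters, which is why the function keeps 14 rather than claiming 12; re-run the recovery with a longer guess when the overlap is that short.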
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-mfqq-q5rf-3hvq: Telerik
ghsa (unreviewed) · 2022-05-13 · CRITICAL · CWE-522
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
VulnCheck
Progress Telerik UI for ASP.NET AJAX and Sitefinity Cryptographic Weakness Vulnerability
vulncheck · 2017 · CVSS 9.8 · CRITICAL · CWE-522
Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys (Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey), perform cross-site scripting (XSS) attacks, compromise the ASP.NET ViewState, and/or upload and download files.
Affected: Progress ASP.NET AJAX and Sitefinity
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://cisa.gov/news-events/cybersecurity-advisories/aa20-296b
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://cisa.gov/news-events/cybersecurity-advisories/aa23-074a
- https://www.cisa.gov/news-ev
CISA
Progress Telerik UI for ASP.NET AJAX and Sitefinity Cryptographic Weakness Vulnerability
cisa · 2021-11-03 · CVSS 9.8 · CRITICAL · CWE-522
Affected: Progress ASP.NET AJAX and Sitefinity
Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys (Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey), perform cross-site scripting (XSS) attacks, compromise the ASP.NET ViewState, and/or upload and download files.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-9248
Remediation Due Date: 2022-05-03
CISA ICS
Hitachi ABB Power Grids eSOMS Telerik
cisa_ics · 2021-03-18 · CVSS 9.8 · CRITICAL
ICS Advisory ICSA-21-077-03, last revised March 18, 2021 (archived content; may not reflect current CISA policy or programs)
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Hitachi ABB Power Grids
- Equipment: eSOMS Telerik
- Vulnerabilities: Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, Insufficiently Protected Credentials, Path Traversal
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to upload malicious files to the server, discover se
No detection rules found.
HackerOne
RCE on https://█████/ Using CVE-2017-9248
hackerone · 2019-10-10 · CVSS 9.8 · CRITICAL
Summary:
https://█████████/ is hosting an unpatched version of the Telerik DialogHandler, Telerik.Web.UI.DialogHandler.aspx, allowing the machine key to be brute-forced. The machine key can be used to access the DNN file manager to upload arbitrary files, including ASPX, giving a web shell and RCE.
Description:
Telerik has a known cryptographic weakness in older versions of the Dialog Handler which, when exploited, can be used to brute-force the machine key and gain access to the DNN file manager. The file manager allows for ASPX shell upload and RCE.
Step-by-step Reproduction Instructions
Hit https://███/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx and notice the handler dialog message.
Download https://github.com/bao7u
Tenable
Cybersecurity Snapshot: ChatGPT-like Tools Will Boost Developers’ Speed – and Amplify Cyber Risk
blogs_tenable · 2023-07-07
References
- http://www.securityfocus.com/bid/99965
- http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity
- http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness
- https://www.exploit-db.com/exploits/43873/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9248
Timeline
- 2017-07-03: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild