The Progress Telerik Report Server pre-authenticated Remote Code Execution (RCE) chain, identified as CVE-2024-4358 and CVE-2024-1800, involves a critical vulnerability that allows unauthenticated attackers to execute arbitrary code on affected servers.
Attack Flow
📌Initial Access: The attacker identifies a vulnerable Telerik Report Server instance.
📌Exploitation of CVE-2024-4358: The attacker sends a crafted request to the /Startup/Register endpoint to create a new administrator account.
📌Privilege Escalation: The attacker logs in using the newly created administrator account.
📌Exploitation of CVE-2024-1800: The attacker creates a malicious report that exploits the deserialization vulnerability to execute arbitrary code.
📌Command Execution: The attacker executes arbitrary commands on the server, achieving remote code execution.
Attack Scenario
Target Identification:
📌The attacker identifies a vulnerable instance of the Telerik Report Server, typically by scanning for publicly exposed instances using tools like Shodan.
Authentication Bypass (CVE-2024-4358):
📌The attacker exploits an authentication bypass vulnerability in the Telerik Report Server’s setup wizard. This vulnerability allows the attacker to create a new administrator account without any prior authentication.
📌The specific endpoint exploited is Telerik.ReportServer.Web.dll! Telerik.ReportServer.Web.Controllers.StartupController.Register, which does not verify if the setup process has already been completed.
📌The attacker sends a crafted HTTP request to the /Startup/Register endpoint to create a new administrator account:
curl 'http://TARGET_HERE/Startup/Register' -d 'Username=USERNAME_HERE& Password=PASSWORD_HERE& ConfirmPassword=PASSWORD_HERE& Email=backdoor%http://40admin.com& FirstName=backdoor& LastName=user'
Account Creation and Authentication:
📌Upon successful exploitation, the attacker gains high-privileged access to the Telerik Report Server by using the newly created administrator account.
📌The attacker logs in using the credentials of the backdoor account created in the previous step.
Deserialization Exploit (CVE-2024-1800):
📌With administrative access, the attacker leverages a deserialization vulnerability in the Telerik Report Server to execute arbitrary code on the server.
📌The attacker creates a malicious report that triggers the deserialization flaw, allowing them to run arbitrary commands on the server.
📌The PoC script automates this process, including generating random usernames and passwords for the backdoor account and creating a malicious report:
python http://CVE-2024-4358.py --target http://192.168.253.128:83 -c «whoami»