Researchers have published a proof-of-concept (PoC) exploit script demonstrating a chained remote code execution (RCE) vulnerability on Progress Telerik Report Servers.
The Telerik Report Server is an API-powered end-to-end encrypted report management solution organizations use to streamline the creation, sharing, storage, distribution, and scheduling of reports.
Cybersecurity researcher Sina Kheirkha developed the exploit with the help of Soroush Dalili and has now published a detailed write-up that describes the intricate process of exploiting two flaws, an authentication bypass and a deserialization issue, to execute code on the target.
Creating rogue admin accounts
The authentication bypass flaw is tracked as CVE-2024-4358 (CVSS score: 9.8), allowing the creation of admin accounts without checks.
Kheirkhah says he worked towards discovering the vulnerability following a bug disclosure by the software vendor on April 25 for a deserialization issue that required a “low privilege” user to exploit.
The researcher expanded on the flaw by discovering that the ‘Register’ method in the ‘StartupController’ was accessible without authentication, allowing the creation of an admin account even after the initial setup was complete.
This issue was addressed via an update (Telerik Report Server 2024 Q2 10.1.24.514) on May 15, while the vendor published a bulletin with the ZDI team on May 31.
The second flaw required for achieving RCE is CVE-2024-1800 (CVSS score: 8.8), a deserialization issue that allows remote authenticated attackers to execute arbitrary code on vulnerable servers.
That issue was discovered earlier and reported to the vendor by an anonymous researcher, while Progress released a security update for it on March 7, 2024, through Telerik® Report Server 2024 Q1 10.0.24.305.
An attacker can send a specially crafted XML payload with a ‘ResourceDictionary’ element to Telerik Report Server’s custom deserializer, which uses a complex mechanism to resolve XML elements into .NET types.
The special element in the payload then uses the ‘ObjectDataProvider’ class to execute arbitrary commands on the server, such as launching ‘cmd.exe.’
Although exploiting the deserialization bug is complex, Kheirkhah’s write-up and exploit Python script are publicly available, making the case pretty straightforward for aspiring attackers.
That being said, organizations must apply the available updates as soon as possible, aka upgrade to version 10.1.24.514 or later, which addresses both flaws.
The vendor has also advised that even though there are no reports of active exploitation of CVE-2024-4358, system administrators should review their Report Server’s users list for any new Local users they don’t recognize, added at ‘{host}/Users/Index.’
Critical flaws in Progress Software aren’t typically ignored by high-level cybercriminals, as a large number of organizations worldwide use the vendor’s products.
The most characteristic case is an extensive series of data theft attacks that exploited a zero-day vulnerability in the Progress MOVEit Transfer platform by the Clop ransomware gang in March 2023.
That data theft campaign ended up being one of the most large-scale and impactful extortion operations in history, claiming over 2,770 victims and indirectly affecting nearly 96 million people.
