Full Report
SinSinology saw an advisory for an RCE bug via deserialization in Telerik Report Server, a report management solution. Although it required authentication, it was interesting to the author of the post, so they decided to dive into the bug and see if they could find an authentication bypass. The product is a powerful solution that processes many different types of files and creates charts and other graphics on the server side to present to the user, so the author thought it was prime territory for a deserialization issue. During deserialization, if a type is unknown, the serializer attempts to resolve it from the passed-in XML; in particular, a provided ResourceDictionary can specify the execution path for it. Using ProcessStartInfo, it is possible to execute cmd on Windows. The author provides much more detail on the path to getting there.

While setting up the software to try to find the vulnerability described above, they discovered an authentication bypass. At start-up, the installing user is supposed to call Register to add the administrative user. However, nothing stops anyone else from calling it later, adding a user with the System Administrator role. This effectively creates a backdoor user.

I found the beginning of this post hard to read with all of the code snippets. If you were trying to understand this specific piece of software well (unlike me, who just wants to understand the vulnerability), then it would be super useful though. The author runs a course on dotnet hacking, which I'm sure would be filled with juicy C# knowledge after reading this. The authentication bypass found is fairly common, according to the author, so it is something to keep an eye out for. As far as the deserialization goes... there's a lot of custom handling here for generic types. This is 100% a red flag.
Analysis Summary
# Vulnerability: Telerik Report Server Pre-Auth RCE Chain
## CVE Details
- **CVE ID**: CVE-2024-4358 (Auth Bypass) & CVE-2024-1800 (Deserialization)
- **CVSS Score**: 9.8 (Critical) for CVE-2024-4358; 8.8 (High) for CVE-2024-1800. Chained, the pair yields unauthenticated RCE; no separate score is published for the chain.
- **CWE**: CWE-288 (Authentication Bypass Using an Alternate Path), CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products**: Progress Telerik Report Server
- **Versions**: CVE-2024-4358 affects versions prior to 2024 Q2 (10.1.24.514); CVE-2024-1800 affects versions prior to 2024 Q1 (10.0.24.305)
- **Configurations**: Default installations where initial administrative registration can be re-invoked or reached by unauthenticated users.
## Vulnerability Description
This exploit represents a high-impact "one-two punch" chain:
1. **Authentication Bypass (CVE-2024-4358):** The application fails to restrict the first-run registration endpoint (`Startup/Register`, as used by the public PoC) after initial setup has been completed. An unauthenticated attacker can call the `Register` action to create a new user that is assigned the "System Administrator" role, effectively creating a backdoor administrative account.
2. **Insecure Deserialization (CVE-2024-1800):** The Report Server uses a custom serializer for processing report definitions (e.g., `.trdp` files). The serializer contains complex logic for handling generic types and XML-based resource dictionaries. By providing a crafted `ResourceDictionary` within a report, an attacker can define an execution path using `ProcessStartInfo` to execute arbitrary commands (such as `cmd.exe`) on the underlying Windows host.
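As an added illustration of the bug class in item 1 (my own Python, not Telerik's code; the `UserStore`, `register_vulnerable` and `register_fixed` names are hypothetical), the pattern is a first-run registration handler that never re-checks whether setup has already happened:

```python
# Added illustration of the CVE-2024-4358 bug class: an anonymous first-run
# registration handler that keeps working after setup. Not Telerik's code;
# the store and function names are hypothetical.
from dataclasses import dataclass, field

SYSTEM_ADMIN = "System Administrator"


@dataclass
class UserStore:
    # username -> role; the real product persists this in its database.
    users: dict = field(default_factory=dict)

    @property
    def initialized(self) -> bool:
        # Setup is complete once the installer has created the first account.
        return bool(self.users)


def register_vulnerable(store: UserStore, username: str) -> str:
    """Vulnerable pattern: the anonymous 'create the first admin' path never
    checks whether an admin already exists, so any later caller also becomes
    System Administrator (the backdoor account from the write-up)."""
    store.users[username] = SYSTEM_ADMIN
    return "created"


def register_fixed(store: UserStore, username: str) -> str:
    """Hardened pattern: the anonymous path is only valid on a fresh install.
    Once setup is done, account creation must go through the authenticated
    user-management endpoints instead."""
    if store.initialized:
        return "forbidden: setup already completed"
    store.users[username] = SYSTEM_ADMIN
    return "created"
```

The fix is a single state check, which is why the author calls this class of bug common: any "setup wizard" action that stays routable after setup is a candidate.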
## Exploitation
- **Status**: PoC available (published by SinSinology/Summoning Team).
- **Complexity**: Medium (requires chaining two distinct flaws and crafting a complex serialized payload).
- **Attack Vector**: Network (Remote)
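The deserialization flaw described in item 2 above, and the "complex serialized payload" noted under Exploitation, belong to a broader class: a serializer that lets the input name the type it will instantiate. The following added example (my own Python, not Telerik's serializer; the XML shape and the names `plan_resources`, `resolve_any` and `resolve_allowlisted` are constructed stand-ins) contrasts a resolver that imports whatever type name the document supplies with one that only accepts an allowlist. `subprocess.Popen` stands in for `System.Diagnostics.ProcessStartInfo`; the planned object is never instantiated here.

```python
# Added example of the deserialization bug class (not Telerik's serializer):
# a resource dictionary whose entries name their own type. The XML and the
# function names below are constructed for illustration.
import decimal
import fractions
import importlib
import xml.etree.ElementTree as ET

# Constructed input. The second entry plays the role ProcessStartInfo plays in
# the real chain; subprocess.Popen is a Python stand-in and is never called.
MALICIOUS = """<ResourceDictionary>
  <Resource key="scale" type="decimal.Decimal"><Arg>1.5</Arg></Resource>
  <Resource key="launcher" type="subprocess.Popen"><Arg>cmd.exe</Arg></Resource>
</ResourceDictionary>"""

BENIGN = """<ResourceDictionary>
  <Resource key="scale" type="decimal.Decimal"><Arg>1.5</Arg></Resource>
</ResourceDictionary>"""


def resolve_any(type_name: str):
    """Vulnerable: the document decides which class gets instantiated, so
    any importable type, including ones that start processes, is reachable."""
    module_name, _, class_name = type_name.rpartition(".")
    return getattr(importlib.import_module(module_name), class_name)


# The resource types the report engine legitimately needs; nothing else.
ALLOWED_TYPES = {
    "decimal.Decimal": decimal.Decimal,
    "fractions.Fraction": fractions.Fraction,
}


def resolve_allowlisted(type_name: str):
    """Hardened: map the name through a fixed table instead of reflection."""
    try:
        return ALLOWED_TYPES[type_name]
    except KeyError:
        raise ValueError(f"type not permitted in ResourceDictionary: {type_name}") from None


def plan_resources(xml_text: str, resolver):
    """Parse the dictionary and resolve each entry's type, returning
    {key: (cls, args)} without instantiating anything yet."""
    root = ET.fromstring(xml_text)
    plan = {}
    for res in root.findall("Resource"):
        cls = resolver(res.attrib["type"])
        args = [arg.text for arg in res.findall("Arg")]
        plan[res.attrib["key"]] = (cls, args)
    return plan


def materialize(plan):
    """Instantiate a plan; only ever call this on an allowlisted plan."""
    return {key: cls(*args) for key, (cls, args) in plan.items()}
```

With `resolve_any`, the malicious document resolves to a process-launching class with the attacker's arguments already attached; with `resolve_allowlisted`, the same document is rejected before any object is built, while the benign one still deserializes.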
## Impact
- **Confidentiality**: Critical (Complete access to all reports and server data)
- **Integrity**: Critical (Ability to modify reports, system files, and user roles)
- **Availability**: Critical (Full system compromise allowing for ransomware or service disruption)
## Remediation
### Patches
- **Telerik Report Server 2024 Q2 (10.1.24.514)** or later addresses the authentication bypass (CVE-2024-4358). The deserialization issue (CVE-2024-1800) was fixed earlier, in **2024 Q1 (10.0.24.305)**, so 2024 Q2 or later covers both.
### Workarounds
- Ensure the Report Server is not exposed directly to the public internet without an additional authentication layer (like a VPN or WAF with access controls).
- Review the local User list for any unauthorized administrative accounts.
## Detection
- **Indicators of Compromise**:
- Unexpected POST requests to the `Startup/Register` endpoint on systems that have already completed initial setup.
- Creation of new administrative accounts not initiated by known staff.
- Presence of `.trdp` files containing `ProcessStartInfo` or references to `System.Diagnostics`.
- **Detection methods**: Monitor IIS logs for successful POST requests to `Startup/Register` after the server's initial setup (on a configured server this endpoint should never be hit again), and audit Windows Process Creation events (Event ID 4688) for unexpected child processes such as `cmd.exe` spawned by the IIS worker process (`w3wp.exe`) hosting the Report Server.
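The indicators above can be checked mechanically. The following added example (my own code, not from the write-up or the vendor) runs both checks over constructed data: a few simplified IIS-style access-log lines, whose field order is assumed, and an in-memory `.trdp` package, which is a zip archive; the member name `definition.xml` and the helper names are assumptions.

```python
# Added detection example for the two indicators above. Constructed data;
# the log layout and the definition.xml member name are assumptions.
import io
import re
import zipfile
from datetime import datetime

# Constructed access-log lines: date time method uri status. Setup finished
# with the first Register call, so the later one is the suspicious event.
LOG_LINES = """\
2024-05-30 09:10:02 POST /Startup/Register 302
2024-05-30 09:12:40 GET /Report/Index 200
2024-06-02 23:41:17 POST /Startup/Register 302
2024-06-02 23:41:18 GET /Users 200
"""
SETUP_COMPLETED = datetime(2024, 5, 30, 9, 10, 2)

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) (\d{3})$")


def register_calls_after_setup(lines: str, setup_completed: datetime):
    """Return log lines that POST to Startup/Register after setup finished."""
    hits = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        method, uri = m.group(2), m.group(3).lower().rstrip("/")
        if method == "POST" and uri.endswith("/startup/register") and ts > setup_completed:
            hits.append(line)
    return hits


# Type names that have no business in a report definition.
SUSPECT_PATTERNS = ("ProcessStartInfo", "System.Diagnostics")


def scan_trdp(package_bytes: bytes):
    """A .trdp is a zip package; return {member: [patterns]} for XML members
    that reference process-launching types."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            found = [p for p in SUSPECT_PATTERNS if p in text]
            if found:
                findings[name] = found
    return findings


def build_sample_trdp(definition_xml: str) -> bytes:
    """Build a constructed package with a single definition.xml member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("definition.xml", definition_xml)
    return buf.getvalue()


MALICIOUS_DEFINITION = (
    '<Report><ResourceDictionary>'
    '<Resource type="System.Diagnostics.ProcessStartInfo"/>'
    '</ResourceDictionary></Report>'
)
CLEAN_DEFINITION = '<Report><Items><TextBox Value="Quarterly totals"/></Items></Report>'
```

The string match is deliberately crude: a real report never needs `System.Diagnostics`, so any hit is worth a look, and the log check only needs the timestamp of the legitimate installer's registration to separate it from a later backdoor registration.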
## References
- hxxps[://]docs[.]telerik[.]com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358
- hxxps[://]docs[.]telerik[.]com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-1800
- hxxps[://]www[.]zerodayinitiative[.]com/advisories/ZDI-24-561/
- hxxps[://]github[.]com/sinsinology/CVE-2024-4358