This is a migrated thread and some comments may be shown as answers.

Could this be a web.config hack?

Fit2Page asked on 12 May 2020, 09:36 AM

Hi,

Yesterday I discovered in the web.config on one of our webs the following:

<add name="Telerik_Web_UI_DialogHandler_aspx" path="me.hochalla.aspx" type="Telerik.Web.UI.DialogHandler" verb="*" preCondition="integratedMode" />

Normally this is:

<add name="Telerik_Web_UI_DialogHandler_aspx" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" verb="*" preCondition="integratedMode" />

What do you think this is?

Strangest thing is I removed the line yesterday but now it is in again.

Please respond soonest.

Marc

12 Answers, 1 is accepted

0
Rumen
Telerik team
answered on 12 May 2020, 11:46 AM

Hi Marc,

Yes, this might be a security issue, especially if the me.hochalla.aspx handler/page is not among the known files of your web application.

You may also search for me.hochalla.aspx in the app files and, if it exists, examine its code, which might give you some clues.

My advice is to upgrade your project to the latest version 2020.1.219 of Telerik.Web.UI.dll and to apply the recommended security keys. If they are already applied, create new ones since the original keys might be stolen from the compromised web.config file.

The latest version provides fixes for the following vulnerabilities:

You can find more information on how to secure your app in these articles:

Regards,
Rumen
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
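
As an added example (not code from any participant in this thread or from Telerik), the Python sketch below audits a web.config for the kind of change reported in the question: a handler whose `type` is a Telerik class but whose `path` is not the default one. The `EXPECTED_PATHS` table and the function name are assumptions of the example; the DialogHandler entry is taken from the thread, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Default registrations. The DialogHandler path is the one quoted in the thread;
# the WebResource entry is an assumption: extend the table for the handlers you use.
EXPECTED_PATHS = {
    "Telerik.Web.UI.DialogHandler": "Telerik.Web.UI.DialogHandler.aspx",
    "Telerik.Web.UI.WebResource": "Telerik.Web.UI.WebResource.axd",
}

def audit_handlers(web_config_xml):
    """Return (name, type, path, expected) for Telerik handlers mapped to a non-default path."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # system.webServer/handlers (integrated mode) and system.web/httpHandlers (classic mode)
    for section in ("handlers", "httpHandlers"):
        for container in root.iter(section):
            for add in container.findall("add"):
                # type may be assembly-qualified: "Namespace.Type, Assembly, Version=..."
                type_name = add.get("type", "").split(",")[0].strip()
                expected = EXPECTED_PATHS.get(type_name)
                path = add.get("path", "")
                if expected and path.lower() != expected.lower():
                    findings.append((add.get("name"), type_name, path, expected))
    return findings

# Constructed sample reproducing the altered registration from the question.
SAMPLE = """<configuration>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_DialogHandler_aspx" path="me.hochalla.aspx" type="Telerik.Web.UI.DialogHandler" verb="*" preCondition="integratedMode" />
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for name, type_name, path, expected in audit_handlers(SAMPLE):
        print(f"{name}: {type_name} is mapped to {path!r}, expected {expected!r}")
```

Because the altered line came back after it was removed, a check like this is most useful when run repeatedly against the deployed file rather than once.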
0
Chad
Top achievements
Rank 1
answered on 11 Jan 2021, 11:23 PM

Are there any other measures that need to be taken to secure the Telerik.Web.UI.DialogHandler.aspx?

Our IIS logs have thousands of hits to variations of the following path.

/common/admin/Jobs2/Telerik.Web.UI.DialogHandler.aspx

When I go to that path I get a message saying "Loading the dialog..."

Should I be concerned with this?


0
Rumen
Telerik team
answered on 12 Jan 2021, 12:47 PM

Hi Chad,

It looks like somebody is trying to exploit your app via one of the known vulnerabilities in the suite - CVE-2017-9248.

That's why it is a must to secure your web apps with the most secure versions of Telerik.Web.UI.dll released after R3 2019 SP1 or even better the latest one R3 2020 SP1 to protect from all known vulnerabilities in the suite. Please see the following video which shows how to generate the recommended security keys for the web.config appSettings for the Telerik controls - https://www.youtube.com/watch?v=J18zDKtiBFE

Please also read these online resources:

The vulnerability related to the Telerik.Web.UI.DialogHandler.aspx is discussed in the following article: https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness. If your app is using an older version where the vulnerability is not fixed, please directly upgrade to the latest version R3 2020 SP1 (2020.3.1021) since this will ensure that the hackers won't be able to decrypt the handler information and exploit your site. 

By the way, in version 2020.2.512, we updated the error message of the handler - https://feedback.telerik.com/aspnet-ajax/1463808-security-improvement-in-handling-telerik-web-ui-dialoghandler-errors which is yet another reason for an upgrade. Security is a top priority and we are constantly enhancing the security of the suite.

Best Regards,
Rumen
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.
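
As an added example (not code from any participant in this thread or from Telerik), the Python sketch below turns the observation above, many log hits on variations of the dialog handler path, into a per-client summary from IIS W3C log lines. The function name, the `min_hits` threshold, the field selection and the sample log lines are all constructed for the example; only the first request path comes from the thread.

```python
from collections import defaultdict

HANDLER = "telerik.web.ui.dialoghandler.aspx"

# Constructed sample in IIS W3C format; addresses are documentation ranges.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-01-11 22:01:10 GET /common/admin/Jobs2/Telerik.Web.UI.DialogHandler.aspx - 203.0.113.7 200
2021-01-11 22:01:11 GET /common/admin/Telerik.Web.UI.DialogHandler.aspx - 203.0.113.7 404
2021-01-11 22:01:12 GET /common/Telerik.Web.UI.DialogHandler.aspx - 203.0.113.7 404
2021-01-11 22:01:13 GET /common/admin/Jobs2/Telerik.Web.UI.DialogHandler.aspx - 203.0.113.7 200
2021-01-11 22:03:40 GET /common/admin/Jobs2/Telerik.Web.UI.DialogHandler.aspx - 198.51.100.20 200
2021-01-11 22:04:02 GET /default.aspx - 198.51.100.20 200
""".splitlines()

def summarize_probes(log_lines, min_hits=3):
    """Per client IP: hits on any path ending in the dialog handler and the distinct paths tried."""
    fields = []
    hits = defaultdict(int)
    paths = defaultdict(set)
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith(HANDLER):
            ip = row.get("c-ip", "-")
            hits[ip] += 1
            paths[ip].add(stem)
    # Report only clients at or above the threshold, with the path variations they requested.
    return {ip: {"hits": n, "distinct_paths": sorted(paths[ip])}
            for ip, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for ip, info in summarize_probes(SAMPLE_LOG).items():
        print(ip, info["hits"], "hits on", len(info["distinct_paths"]), "path variations")
```

A client that requests the handler under several directories it was never linked from stands out in the `distinct_paths` list, while a logged-in user opening one editor dialog stays below the threshold.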

0
Chad
Top achievements
Rank 1
answered on 18 Jan 2021, 02:17 PM

Thank you. We upgraded the controls and applied the recommended settings.

I would like to secure it further. In our application we only have a need for the Telerik.Web.UI.DialogHandler.aspx page to be accessible behind login. Is there a way to lock down the dialog handler so only logged in users have access? 

0
Rumen
Telerik team
answered on 18 Jan 2021, 03:32 PM

You are welcome, Chad. It is perfect that you have updated the Telerik.Web.UI.dll version and applied the security settings!

The Telerik.Web.UI.DialogHandler.aspx does not offer built-in authentication. If the app is not public-facing or if a secure version of Telerik.Web.UI.dll is used then the app will be secured and the hacker won't be able to access or decrypt the handler.

Regards,
Rumen
Progress Telerik


0
Stanislav
Top achievements
Rank 1
answered on 23 Apr 2021, 07:22 AM

Hi Rumen,

After changing the keys, I cannot log on to the site!!! The password was created using the previous key! Are there no other ways besides restoring the previous web.config?

0
Stanislav
Top achievements
Rank 1
answered on 23 Apr 2021, 07:47 AM

It turns out that it is necessary to transfer the previous <machineKey validationKey....../> from the old web.config to the new one and then the keys are decrypted correctly!
0
Rumen
Telerik team
answered on 23 Apr 2021, 09:14 AM

Hi Stanislav,

Thank you for following up and sharing this know-how with the community!

Best Regards,
Rumen
Progress Telerik


0
Stanislav
Top achievements
Rank 1
answered on 23 Apr 2021, 10:24 AM

Hi, Rumen,

I write through a translator.
I have a website on DotNetNuke Community Edition 05.06.02 (144). Yeah, I know it's very old :) How do I upgrade telerik editor to a new version? The one that is standing now was silent with the distribution. I do not want to update DotNetNuke due to the availability of modules for the current version. Can you help me step-by-step? What to download, where to put it and how to register it. Thank you!

0
Rumen
Telerik team
answered on 23 Apr 2021, 11:54 AM

Hi Stanislav,

The recommended approach is to contact the DNN support or ask their community in the DNN forums since we do not provide support for the third-party DotNetNuke CMS system.

As far as I know, after updating the Telerik.Web.UI.dll assembly in DNN, you have to set a bindingRedirect in the web.config to prevent problems with the assembly version and the reference to the old one.

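<configuration>
    <runtime>
        <!-- dependentAssembly is only honoured inside assemblyBinding -->
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
            <dependentAssembly>
                <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
                <!-- newVersion must be the exact version of the Telerik.Web.UI.dll deployed in the bin folder -->
                <bindingRedirect oldVersion="1.0.0.0-2021.1.330.45" newVersion="2020.1.330.45" />
            </dependentAssembly>
        </assemblyBinding>
    </runtime>
</configuration>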

Best Regards,
Rumen
Progress Telerik


0
Stanislav
Top achievements
Rank 1
answered on 26 Apr 2021, 06:46 AM

Hi, Rumen

OK. I realized by attending the DNN forum that there would be no support. Then the question is: is there a query string sent to the site that uniquely indicates an attempted hack? May I lock this line in fail2ban or nginx filters?

0
Rumen
Telerik team
answered on 26 Apr 2021, 09:31 AM

Hi Stanislav,

The query string data is encoded so I am not aware of a specific string that shows that it is a hack or not. You may want to check the information about the vulnerability to get a better overview of how it is happening:

You can find technical information on the CVE-2019-18935 vulnerability in the following resources: 


What the 2020.1.114 and later versions do is to provide a strong encryption mechanism that cannot be broken by the hackers as well as the type whitelisting feature, which is strong prevention of CVE-2019-18935.

There are alternative approaches but they are not safe and they cannot guarantee full protection the way upgrading to version 2020.1.114 or later does. These alternative approaches are provided in my answer here -> see the two bullets for "Use a URL redirect rule similar to the one below" and "Change the Telerik.Web.UI.WebResource handler registration so IIS does not allow POST requests to it".

Regards,


Rumen
Progress Telerik

The web is about to get a bit better!

The Progress Hack-For-Good Challenge has started. Learn how to enter and make the web a worthier place: https://progress-worthyweb.devpost.com.
