RadAsyncUpload Attack

0 Answers 318 Views
AsyncUpload
Steven
Top achievements
Rank 1
Iron
Steven asked on 04 May 2023, 08:17 PM

Our system was probed using the url:    /Telerik.Web.UI.WebResource.axd?type=rau

which produced this frightening message:

{ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." }

I stopped getting that message after I disabled the Upload Handler in the web.config:

<add key="Telerik.Web.DisableAsyncUploadHandler" value="true"/>

But my question is, how can I tell if my system (Windows 2012) has been compromised

Thank you,

Steven

 

Rumen
Telerik team
commented on 05 May 2023, 07:37 AM

Hi Steven,

The received "RadAsyncUpload handler is registered successfully, however, it may not be accessed directly." message when accessing the handler directly from the browser address bar is expected and intentionally designed like this. To facilitate the developers the GET request to the handler returns a human-readable text to notify that the correct handler URL is used and to confirm that the handler is registered successfully.

As for the question "How can I tell if my system (Windows 2012) has been compromised?": The first thing is to make sure that your web application runs Telerik.Web.UI.dll version 2020.1.114 or later as explained in this article: Allows JavaScriptSerializer Deserialization. You can learn how to find out which is the version of Telerik UI for ASP.NET AJAX in this article: How to find out which is the used version of Telerik.Web.UI in the web application. If the version is 2020.1.114 or later your app is not vulnerable to the known vulnerabilities in the suite.

Regardless of the Telerik version, you can also perform a full system scan with a suitable security scanner and antivirus program which can identify CVE-2019-18935. You can find more information in the:

 

Steven
Top achievements
Rank 1
Iron
commented on 05 May 2023, 04:21 PM

Thank you for all the information Rumen.  I'm on version 2017.3 but I've disabled the AsyncUpload control with a web config entry and now they are getting a 404 error instead of the success message so that's something.

Prior to that their attempts were throwing this error:

Error occurred during a cryptographic operation.   
at System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input)     
at Telerik.Web.UI.CryptoService.DecryptWithMachineKey(String encryptedText)     
at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)   

Hopefully that means they didn't get through.  Upgrading is always a challenge as it tends to break existing code.

Rumen
Telerik team
commented on 09 May 2023, 06:39 AM

You are welcome, Steven!

While the error message might look promising that the server is untouched, your server still runs a not so secure version of Telerik.Web.UI.dll and you still need to scan your system to find out whether there is a virus or any malicious code and files on it.

Also, the difference between R3 2017 and R1 2020 (2020.1.114 or even the latest one) is not big in terms of breaking changes and my advice is to perform an upgrade as early as possible.

Just before upgrading your project, review the following resources:

No answers yet. Maybe you can help?

Tags
AsyncUpload
Asked by
Steven
Top achievements
Rank 1
Iron
Share this question
or