Unrestricted File Upload

RELATED TO:

AUTHOR: Marin Bratanov

DATE POSTED: August 22, 2017

PROBLEM

Security vulnerability: weak encryption has been used in old versions of Telerik.Web.UI to encrypt data used by RadAsyncUpload.

DESCRIPTION

An exploit can result in arbitrary file uploads and/or remote code execution.

SOLUTIONS

To ensure your application is not exposed to risk, there are several mitigation paths. You can find them below.

Update from 8 Sep 2017: You should follow one of these options even if you are not using RadAsyncUpload in your application. Also, we added examples of how to disable file uploads without using a patch.

NOTE: The patches are not available on the Telerik NuGet feed.

NOTE: If you are targeting .NET 3.5, review the FIPS Compatibility article, because the encryption issue it describes also pertains to these patches.

Prevent POST requests to the handler used by RadAsyncUpload

Versions starting from R2 2017 SP2 and the provided patches allow you to set an appSettings key to disable file uploads. If you cannot upgrade or apply a patch, an alternative is to disable the POST requests that upload the file to the built-in Telerik handler from your web.config. Here are two suggestions on how to achieve this:

  • Use a URL redirect rule similar to the one below. You can modify it to return errors or other content. This example redirects to a page. Note that this will also prevent file uploads via RadCloudUpload.
    <rewrite>
        <rules>
            <rule name="DisableAsyncUpload" enabled="true" stopProcessing="true">
                <match url="^Telerik.Web.UI.WebResource.axd" />
                <conditions>
                    <add input="{QUERY_STRING}" pattern="type=rau" />
                </conditions>
                <action type="Redirect" url="not-allowed.aspx" redirectType="Permanent" />
            </rule>
        </rules>
    </rewrite>
  • Change the Telerik.Web.UI.WebResource handler registration so IIS does not allow POST requests to it. Added ways to disable file uploads without a patch. Note that this will also prevent file uploads via RadCloudUpload and can disrupt some functionality in RadImageEditor.
    <system.web>
      <httpHandlers>
        <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="GET" validate="false" />
      </httpHandlers>
    </system.web>
    <system.webServer>
      <handlers>
        <remove name="Telerik_Web_UI_WebResource_axd" />
        <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="GET" preCondition="integratedMode" />
      </handlers>
    </system.webServer>

Set Custom Strong Encryption Keys

Follow the RadAsyncUpload Security help article.

Depending on the version you are using, you have the following options:

  • versions prior to Q3 2012 SP1 (version number 2012.3.1205) cannot get improved encryption and must use a patch or, if you are on active maintenance, upgrade to R1 2017 (2017.1.118) or later.
  • versions from Q3 2012 SP1 (version number 2012.3.1205) onward, must have the Telerik.AsyncUpload.ConfigurationEncryptionKey key set to a strong random value. It improves the control settings encryption. Read more on the required keys and how to generate them in the Mandatory Additions to the web.config section of the documentation. Note that important encryption improvements were implemented in R1 2017 (2017.1.118). Thus, using a patch or upgrading to R1 2017 (2017.1.118) or later is recommended.
  • versions from R1 2017 (version number 2017.1.118) onward must have the Telerik.AsyncUpload.ConfigurationEncryptionKey and Telerik.Upload.ConfigurationHashKey keys set to strong different random values. Read more on the required keys and how to generate them in the Mandatory Additions to the web.config section of the documentation.

Modifying the web.config to include the necessary key(s) will take effect immediately without you needing to rebuild your application. Note that IIS may recycle the application pool when the web.config file is changed.

Use a patch for versions between Q1 2011 (2011.1.315) and R3 2016 SP2 (2016.3.1027)

Download a patched version from your Telerik.com account after the 15th of August 2017. If you downloaded it earlier, download it again, because the file was updated since its original creation. Here is how to get the patch:

  1. Go to your telerik.com account.
  2. From the Version dropdown, select your release: How to select your Telerik.Web.UI version.
  3. Download the SecurityPatch_<your_version>.zip file.
  4. Replace the Telerik.Web.UI assembly in your application with the one of the same version that you just downloaded.
  5. Set the Telerik.Web.DisableAsyncUploadHandler appSettings key in your web.config to true.
    • If you do not disable uploads, temporary files saved to the disk by RadAsyncUpload will now have the .tmp extension.

IMPORTANT: This will disable file uploads through the built-in Telerik handler. This means that you will not be able to use RadAsyncUpload unless you create a custom handler with the desired level of security. If you do that, see the UploadedFiles.SaveAs Throws FileNotFound Error with Custom Handler KB article.

NOTE: Due to technical feasibility, the following versions do not have patches for this issue:

  • Q1 2011 SP2 (2011.1.519)
  • Q2 2011 SP1 (2011.2.915)
  • Q3 2011 SP1 (2011.3.1305)
  • Q1 2012 SP1 (2012.1.411)
  • Q2 2012 SP2 (2012.2.912)

The patched version shows "Telerik.Web.UI.Patch" in the File Description under Properties in Windows Explorer:

How to spot a patched version of Telerik.Web.UI.dll:

How a patched version looks like

Source code for building a patched version and protecting the Telerik.Web.UI assembly is available as well. If you downloaded it before the 15th of August 2017, you can download it again, because the file was updated.

Upgrade to R1 2017 (2017.1.118) or later if you’re on active maintenance.

The R1 2017 release introduces improved encryption and validation as described in the RadAsyncUpload Security article. To use it:

  1. Upgrade your Telerik UI for ASP.NET AJAX version to R1 2017 (2017.1.118) or later.
  2. Generate new unique custom keys for Telerik.AsyncUpload.ConfigurationEncryptionKey and Telerik.Upload.ConfigurationHashKey in your web.configYou can use the IIS MachineKey Validation Key generator to get them (make sure to avoid the ,IsolateApps portion).

Upgrade to R2 2017 SP2 (2017.2.711) or later if you’re on active maintenance.

Follow the same steps as if upgrading to R1 2017 (2017.1.118) or later

R2 2017 SP2 (2017.2.711) is the first official release that introduces:

Thus, an added security measure can be disabling all file uploads through the Telerik handler.

NOTES

We would like to thank Paul Taylor / Foregenix Ltd for assisting with making the information public.

EXTERNAL REFERENCES

  • CVE-2014-2217
  • CVE-2017-11317

SEE ALSO

More Resources

  • Forums

    Find answers to thousands of questions or reach out to our active community.

  • Demos

    Browse 1,200+ demos with source code covering basic and advanced scenarios.

  • Sample Applications

    Learn how to integrate the controls in real-world examples.

  • Feedback Portal

    Vote and follow the features you want to see added to Telerik UI for ASP.NET AJAX.

  • User Voice

    Get answers directly from the people who build the product.

  • Documentation

    Benefit from detailed help articles and API references for all controls.

  • Knowledge Base

    Learn how to achieve common scenarios from a multitude of tutorials and working examples.

  • Code Library

    Browse sample projects submitted by Telerik staff and community members.

  • Blog

    Stay up-to-date with the latest functionality, how-to articles and industry trends.

  • Release History

    Up-to-date release notes for all new features and improvements.