In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
90fa6e298ae065b4008c1d60bd78433fa45a22aa60cd8bebf84446f57604ab27This Metasploit module exploits an authentication bypass vulnerability in Telerik Report Server versions 10.0.24.305 and prior which allows an unauthenticated attacker to create a new account with administrative privileges. The vulnerability leverages the initial setup page which is still accessible once the setup process has completed. If either USERNAME or PASSWORD are not specified, then a random value will be selected. The module will fail if the specified USERNAME already exists.
dd5ebb936dffa162f01557508e65908c7d346e81b5aa548e7f6a390c3e136ffeTelerik Report Server deserialization and authentication bypass exploit chain that makes use of the vulnerabilities noted in CVE-2024-4358 and CVE-2024-1800.
973c92a0a0da78a80793a389527088eee6855414a151fa24deb8c5bd767aaa68This Metasploit module chains an authentication bypass vulnerability with a deserialization vulnerability to obtain remote code execution against Telerik Report Server versions 10.0.24.130 and below. The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges. The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an OS command as NT AUTHORITY\SYSTEM. The module will automatically delete the created report but not the account because users are unable to delete themselves.
c8284cfa43ce5539a8a2a273491db985cf3ca1e11f9f79a70c88e33e5ddb8d98
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed