AsyncUploadHandler in Telerik's RadAsyncUpload feature is configured with a hard-coded (default) encryption key. This key is used to encrypt upload variables that are sent to the user and subsequently used in the user's file upload requests to the server. If this key is not changed from its default value of "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration", a malicious actor can capture the file upload request to /Telerik.Web.UI.WebResource.axd and decrypt the 'rauPostData' parameter. Once decrypted, the file upload location can be modified and re-encrypted, resulting in arbitrary file upload to any location on the server to which the web server user has write permissions.
TL;DR - The default key allows decryption of the parameter, which enables a malicious actor to change the file upload location.
Works on all versions prior to Telerik UI version 2017.2.621, released in June. As stated in the introduction, the encryption key must still be set to its default value.
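A defender's check for the precondition above, as an added example that is not code from this writeup: it classifies a web.config by whether the RadAsyncUpload encryption key is absent, still the shipped default, or a custom value. The appSettings name `Telerik.AsyncUpload.ConfigurationEncryptionKey` is assumed from Telerik's configuration documentation (the page itself names only the default value), the length threshold is a heuristic chosen here, and the sample config documents are constructed.

```python
import xml.etree.ElementTree as ET

# Default key quoted in the writeup above; an unchanged deployment uses exactly this value.
DEFAULT_KEY = "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration"
# Assumption: the appSettings entry that overrides it (from Telerik's docs, not this page).
KEY_SETTING = "Telerik.AsyncUpload.ConfigurationEncryptionKey"
MIN_CUSTOM_LEN = 32  # heuristic threshold chosen for this example, not a Telerik rule


def audit_web_config(xml_text: str) -> dict:
    """Classify one web.config document by its RadAsyncUpload encryption key.

    Returns {'status': 'default' | 'weak' | 'custom', 'detail': str}. An absent
    setting counts as 'default' because the shipped key then applies.
    """
    root = ET.fromstring(xml_text)
    app_settings = root.find("appSettings")
    ext = app_settings is not None and (app_settings.get("file") or app_settings.get("configSource"))
    # An external settings file may override the key; the auditor must check it too.
    note = f"; also inspect {ext!r}" if ext else ""
    values = [e.get("value", "") for e in root.iter("add") if e.get("key") == KEY_SETTING]
    if not values:
        return {"status": "default", "detail": "setting absent, shipped default applies" + note}
    value = values[-1]  # report the last occurrence; duplicates are themselves worth a look
    if value == DEFAULT_KEY:
        return {"status": "default", "detail": "setting equals the shipped default" + note}
    if len(value) < MIN_CUSTOM_LEN:
        return {"status": "weak", "detail": f"custom key is only {len(value)} chars" + note}
    return {"status": "custom", "detail": "custom key present" + note}


def audit_files(paths) -> dict:
    """Audit several web.config paths on disk; returns {path: status}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8-sig") as fh:  # web.config often carries a BOM
            results[path] = audit_web_config(fh.read())["status"]
    return results


# Constructed sample documents so the example runs without a real deployment.
def _cfg(value: str) -> str:
    return (f'<configuration><appSettings><add key="{KEY_SETTING}" '
            f'value="{value}"/></appSettings></configuration>')


UNSET_CFG = "<configuration><appSettings/></configuration>"
DEFAULT_CFG = _cfg(DEFAULT_KEY)
WEAK_CFG = _cfg("changeme")
CUSTOM_CFG = _cfg("k" * 48)
```

Run `audit_files` over every web.config under an IIS site root; any 'default' result means the writeup's precondition holds on that host, and a 'custom' result on a version before 2017.2.621 still warrants the vendor update.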
How to Exploit
Process Summary (using the automated payload generator code in the appendix):
- Capture the file upload request (captured with Burp Suite)
- Copy encrypted content block in rauPostData into a file (portion before the ampersand)
- Decrypt, modify the upload file path, and re-encrypt using the C# payload generator code (included in appendix)
- Paste encrypted output back into rauPostData parameter
- Change the file content of your upload request to be a web shell (or malicious code)
- Set your file name and malicious extension in the UploadID parameter
- Forward along the new request and your web shell (or malicious page) should be uploaded!
Initiate an upload request to the web application with any random, supported file. During this process, a call will be made to https://vulnwebsite.com/somepath/Telerik.Web.UI.WebResource.axd?type=rau. The request will contain a form field named 'rauPostData' with encrypted content. Capture this request in Burp Suite.