CVE-2017-11317
📋 TL;DR
This vulnerability in Telerik UI for ASP.NET AJAX allows remote attackers to bypass file upload restrictions due to weak encryption in the RadAsyncUpload component. Attackers can upload arbitrary files, potentially leading to remote code execution. Affects systems using vulnerable versions of Telerik UI for ASP.NET AJAX.
💻 Affected Systems
- Progress Telerik UI for ASP.NET AJAX
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Arbitrary file upload allowing attackers to deploy web shells, deface websites, or establish persistence.
If Mitigated
Limited impact if proper input validation and file upload restrictions are enforced at application level.
🎯 Exploit Status
Multiple public exploits available. Exploitation requires knowledge of the encryption key, which can be brute-forced or obtained from other vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R1 2017 or later, R2 2017 SP2 or later
Vendor Advisory: http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/unrestricted-file-upload
Restart Required: Yes
Instructions:
1. Update Telerik UI for ASP.NET AJAX to R1 2017 or later, or R2 2017 SP2 or later.
2. Recompile and redeploy affected applications.
3. Restart IIS/application pools.
🔧 Temporary Workarounds
Disable RadAsyncUpload
- Remove or disable the RadAsyncUpload component from affected applications
- Remove Telerik:RadAsyncUpload controls from ASP.NET pages
Implement custom file upload validation
- Add server-side validation to restrict file types and scan uploaded files
- Implement an HttpModule or custom handler to validate file uploads before processing
🧯 If You Can't Patch
- Implement WAF rules to block requests containing RadAsyncUpload-specific parameters
- Restrict network access to affected applications using firewall rules
🔍 How to Verify
Check if Vulnerable:
Check the Telerik.Web.UI.dll version in the application's bin folder. Versions before 2017.1.118 are vulnerable, as are R2 2017 builds before 2017.2.621.
Check Version:
powershell: (Get-Item "path\to\Telerik.Web.UI.dll").VersionInfo.FileVersion
Verify Fix Applied:
Verify that the Telerik.Web.UI.dll version is 2017.1.118 or later; for R2 2017 builds, it must be 2017.2.621 or later.
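As an added example (not part of the vendor advisory or this page's original content), the following PowerShell script encodes the version rule stated above in a function and scans a web root for every copy of Telerik.Web.UI.dll; the search root C:\inetpub and the function names are assumptions.

```powershell
# Added example: classify Telerik.Web.UI.dll builds against the page's rule
# (before 2017.1.118 = vulnerable; R2 2017 builds before 2017.2.621 = vulnerable).
function Test-TelerikRadAsyncUploadFixed {
    param([Parameter(Mandatory)][string]$FileVersion)

    # FileVersion normally looks like "2017.2.503.45"; non-numeric strings cannot be judged
    try { $v = [version]$FileVersion } catch { return $null }

    $r1Fix = [version]'2017.1.118'   # R1 2017
    $r2Fix = [version]'2017.2.621'   # R2 2017 SP2

    if ($v -lt $r1Fix) { return $false }                                   # pre-R1 2017
    if ($v.Major -eq 2017 -and $v.Minor -eq 2 -and $v -lt $r2Fix) {        # R2 2017 before SP2
        return $false
    }
    return $true
}

# $SearchRoot is an assumption; point it at the server's IIS web root.
function Find-TelerikDll {
    param([string]$SearchRoot = 'C:\inetpub')

    Get-ChildItem -Path $SearchRoot -Recurse -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ver    = $_.VersionInfo.FileVersion
            $fixed  = Test-TelerikRadAsyncUploadFixed -FileVersion $ver
            $status = if ($null -eq $fixed) { 'unknown' } elseif ($fixed) { 'fixed' } else { 'VULNERABLE' }
            [pscustomobject]@{ Path = $_.FullName; FileVersion = $ver; Status = $status }
        }
}

# Run the scan and print one row per DLL found; review every row marked VULNERABLE.
Find-TelerikDll | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each IIS host so every site's bin folder is readable.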
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to RadAsyncUpload handlers
- Requests to /Telerik.Web.UI.WebResource.axd with encrypted parameters
- Web shell deployment in upload directories
Network Indicators:
- HTTP POST requests to RadAsyncUpload handlers with encrypted data
- Unusual outbound connections from web servers after file uploads
SIEM Query:
source="iis" AND (url="*RadAsyncUpload*" OR url="*WebResource.axd*") AND method="POST"
(GET requests for WebResource.axd are normal for any page that uses Telerik controls, so filter on POST rather than on status=200 to keep the query from matching ordinary page loads.)
🔗 References
- http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html
- http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/unrestricted-file-upload
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0006
- https://www.exploit-db.com/exploits/43874/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11317