Reverse Engineering Sitecore Vulnerabilities-3

This blog will focus on how a third-party vulnerability affected Sitecore in a serious way. I must suggest, please go through my previous blog post in this series before you read further.

Fun Fact — Sitecore 1.0 was released in 1999 and the logo represents the steps of the Trekroner Fort lighthouse in Copenhagen.

As we know, the Device Simulator vulnerability in Sitecore enabled attackers to obtain any configuration and license files from the Webroot. Today, we will explore how this impact is amplified when we chain it with other third-party vulnerabilities.

In 2019, Telerik was impacted by a major vulnerability affecting multiple services (CVE-2019–18935), exposing Telerik to remote code execution through a JSON deserialization attack.

Sitecore uses Telerik for rich UI component controls, and hence Sitecore was exposed to the risk of this flaw(more info), which allows attackers to execute code through DLLs on your server.

Let’s understand this through example, We’ve this code snippet which can shutdown your server.

After compiling this file, our DLL will be generated. You can find the proof-of-concept (POC) to exploit the Telerik CVE-2019–18935 vulnerability at https://github.com/noperator/CVE-2019-18935.

Clone this repository and update the Telerik keys in the file “/RAU_crypto/RAU_crypto.py” with the values obtained from the web.config file that you retrieved by exploiting the previous vulnerability.

Now is the time to exploit this, execute this command —

this will put the DLL in your website root and ultimately shutdown your server.

Mitigations -

Affected Telerik versions are from 2011.1.315 to 2019.3.1023

Read more about Telerik Vulnerability in this article.