# Telerik CVE-2019-18935 Vulnerability Scanner
A Python-based security scanner designed to detect the Telerik UI for ASP.NET AJAX Remote Code Execution vulnerability (CVE-2019-18935).
## 🚨 Vulnerability Details
**CVE**: CVE-2019-18935
**Risk Level**: HIGH
**CWE**: CWE-913
**CVSS**: 9.8 (Critical)
### Description
Telerik UI for ASP.NET AJAX through version 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function that can lead to remote code execution.
### Affected Versions
- **Vulnerable**: All versions through 2019.3.1023
- **Patched**: 2020.1.114 and later
- **Mitigation**: Non-default settings in 2019.3.1023+ can prevent exploitation
### Prerequisites for Exploitation
The vulnerability is exploitable only when the RadAsyncUpload encryption keys are known, which can happen through:
- CVE-2017-11317 (encryption key disclosure)
- CVE-2017-11357 (encryption key disclosure)
## 🛠️ Installation
### Requirements
```bash
pip install requests
```
### Download
```bash
git clone <repository-url>
cd TelerikVulnCheck
```
## 🎯 Usage
### Basic Scanning
#### Single Target
```bash
python telerik_CVE-2019-18935.py -t example.com
```
#### Multiple Targets from File
```bash
python telerik_CVE-2019-18935.py -iL targets.txt
```
#### IP Range Scan
```bash
python telerik_CVE-2019-18935.py -r 192.168.1.0/24
```
#### Random IP Search
```bash
python telerik_CVE-2019-18935.py -search
```
### Advanced Options
#### Custom Threading
```bash
python telerik_CVE-2019-18935.py -iL targets.txt --threads 20
```
#### Custom Timeouts
```bash
python telerik_CVE-2019-18935.py -iL targets.txt --timeout 30
```
#### Rate Limiting
```bash
python telerik_CVE-2019-18935.py -iL targets.txt --delay 0.5
```
#### Custom Output
```bash
python telerik_CVE-2019-18935.py -iL targets.txt --output results.txt
```
## 📋 Command Line Arguments
| Argument | Short | Description | Default |
|----------|-------|-------------|---------|
| `--target` | `-t` | Single target to scan | - |
| `--inputfile` | `-iL` | File containing target list | - |
| `--range` | `-r` | IP range (CIDR notation) | - |
| `--search` | - | Search random IPs | - |
| `--threads` | - | Concurrent threads | 10 |
| `--timeout` | - | Request timeout (seconds) | 10 |
| `--delay` | - | Delay between requests | 1.0 |
| `--output` | - | Output filename | Auto-generated |
## 📁 Input File Format
Create a text file with one target per line:
```txt
# targets.txt
example.com
192.168.1.1
test.example.com
10.0.0.1
```
**Features:**
- Lines starting with `#` are comments
- Supports IP addresses, hostnames, and URLs
- Automatic protocol detection and normalization
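The parser below is an added example of how the target-file rules above can be implemented; it is not the scanner's own code. It strips comments and blank lines, accepts bare hostnames, IP addresses and full URLs, and normalizes each entry to `scheme://host[:port]`. The choice of `https://` for entries without a scheme is an assumption made for this example, since the README does not state the scanner's protocol-detection order.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of a targets file in the format described in the README
# (comments starting with '#', bare hostnames, IPs, full URLs, one junk line).
SAMPLE_TARGETS = """\
# targets.txt (constructed sample)
example.com
192.168.1.1

https://test.example.com/
http://10.0.0.1:8080/app/
  # indented comment
Not A Host!
"""

HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
)


def normalize_target(raw):
    """Return 'scheme://host[:port]' for one line, or None if the line is unusable.

    Bare hosts are given https:// (an assumption for this example).
    """
    line = raw.strip()
    if not line or line.startswith("#"):
        return None  # blank line or comment
    if "://" not in line:
        line = "https://" + line
    parts = urlsplit(line)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname  # urlsplit lower-cases the host for us
    # Accept either a literal IP address or a syntactically valid hostname.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME_RE.fullmatch(host):
            return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    netloc = host if port is None else f"{host}:{port}"
    return f"{parts.scheme}://{netloc}"


def load_targets(text):
    """Parse a whole targets file, dropping junk and de-duplicating in order."""
    seen = set()
    targets = []
    for raw in text.splitlines():
        target = normalize_target(raw)
        if target and target not in seen:
            seen.add(target)
            targets.append(target)
    return targets


if __name__ == "__main__":
    for t in load_targets(SAMPLE_TARGETS):
        print(t)
```

Rejecting malformed lines up front (the `Not A Host!` entry in the sample) keeps a bad line in a large list from producing a flood of connection errors during a scan.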
## 🔍 Detection Methodology
### 1. RAU Module Detection
Scans for Telerik RadAsyncUpload handlers at:
- `/Telerik.Web.UI.WebResource.axd?type=rau`
- `/aspnet-ajax/Telerik.Web.UI.WebResource.axd?type=rau`
### 2. Version Analysis
Analyzes HTML source for version patterns:
- Regex: `20[0-9]{2}(?:\.[0-9]*)+`
- Extracts version information from page content
### 3. Vulnerability Assessment
Determines vulnerability based on version:
- **< 2020**: Vulnerable
- **2020.3.1023+**: Patched
- **2020.1-2**: Vulnerable
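As an added illustration of steps 2 and 3 (not the scanner's own code), the following applies the README's version regex to page content and classifies each hit. The vulnerable/patched thresholds are taken from the "Affected Versions" section above (through 2019.3.1023 vulnerable, 2020.1.114 and later patched); using those values is an assumption for this example, and the sample HTML is constructed. It also shows the false-positive case a practitioner should expect: the regex matches any `20xx.y` string, so a two-component match such as a date is reported as unknown rather than vulnerable.

```python
import re

# Regex quoted in the README's "Version Analysis" section.
VERSION_RE = re.compile(r"20[0-9]{2}(?:\.[0-9]*)+")

# Thresholds from the README's "Affected Versions" section (assumption: this
# example uses them directly; the scanner's own comparison is not reproduced).
LAST_VULNERABLE = (2019, 3, 1023)
FIRST_PATCHED = (2020, 1, 114)

# Constructed sample HTML resembling a page that embeds a Telerik WebResource
# script reference plus an unrelated year.month string.
SAMPLE_HTML = (
    '<script src="/Telerik.Web.UI.WebResource.axd?_TSM_CombinedScripts_='
    '%3bTelerik.Web.UI%2c+Version%3d2019.3.1023%2c+Culture%3dneutral">'
    '</script>\n'
    '<meta name="build-date" content="2024.12">\n'
    '<!-- copyright 2021 -->\n'
)


def parse_version(text):
    """'2019.3.1023' -> (2019, 3, 1023); empty components (trailing '.') are dropped."""
    return tuple(int(part) for part in text.split(".") if part)


def extract_versions(html):
    """Return every version-like string in the page content, de-duplicated in order."""
    seen, found = set(), []
    for match in VERSION_RE.finditer(html):
        version = match.group(0).rstrip(".")
        if version not in seen:
            seen.add(version)
            found.append(version)
    return found


def assess(version):
    """Classify one version string as 'vulnerable', 'patched' or 'unknown'."""
    parsed = parse_version(version)
    if len(parsed) < 3:
        return "unknown"  # year or year.minor alone cannot be compared to a build
    if parsed <= LAST_VULNERABLE:
        return "vulnerable"
    if parsed >= FIRST_PATCHED:
        return "patched"
    return "unknown"  # between the thresholds: no release the README describes


def assess_page(html):
    """Map each version string found in the page to its classification."""
    return {version: assess(version) for version in extract_versions(html)}


if __name__ == "__main__":
    for version, verdict in assess_page(SAMPLE_HTML).items():
        print(f"{version}: {verdict}")
```

Tuple comparison gives a correct numeric ordering (so 2019.3.1023 sorts after 2019.3.917), whereas comparing the raw strings would not.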
## 📊 Output
### Console Output
- **Colored Status Messages**
- **Real-time Progress Tracking**
- **Vulnerability Alerts**
### File Output
Results saved to timestamped files:
```
telerik_scan_results_20241201_143022.txt
```
**File Contents:**
- Scan summary and statistics
- Vulnerable target details
- Complete scan results
- Timestamp and metadata
## ⚡ Performance
### Threading
- **Default**: 10 concurrent threads
- **Recommended**: 15-20 threads for large scans
- **Maximum**: Adjust based on network capacity
### Scan Times (Estimated)
| Targets | Threads | Time |
|---------|---------|------|
| 100 | 10 | ~1-2 min |
| 1000 | 10 | ~10-15 min |
| 100 | 20 | ~30-60 sec |
## 🛡️ Security Considerations
### Rate Limiting
- Configurable delays between requests
- Respectful scanning to avoid detection
- User-agent headers for legitimacy
### Network Safety
- SSL certificate handling
- Timeout protection
- Connection error handling
## 🔧 Configuration
### Environment Variables
```bash
export TELERIK_TIMEOUT=15
export TELERIK_THREADS=20
export TELERIK_DELAY=0.5
```
### Default Settings
```python
DEFAULT_TIMEOUT = 10   # seconds
DEFAULT_THREADS = 10   # concurrent threads
DEFAULT_DELAY = 1.0    # seconds between requests
```
## 🐛 Troubleshooting
### Common Issues
**Connection Timeouts**
```bash
python telerik_CVE-2019-18935.py -iL targets.txt --timeout 30
```
**Slow Performance**
```bash
python telerik_CVE-2019-18935.py -iL targets.txt --threads 20 --delay 0.1
```
**SSL Issues**
- Scanner handles SSL warnings automatically
- Adjust timeout for slow SSL handshakes
### Error Messages
| Error | Solution |
|-------|----------|
| `File not found` | Check file path and permissions |
| `Connection error` | Verify network connectivity |
| `Timeout` | Increase timeout value |
| `SSL warning` | Normal, can be ignored |
## ⚠️ Legal and Ethical Use
### Authorized Testing Only
- Use only on systems you own or have explicit permission to test
- Respect rate limits and network policies
- Do not use for unauthorized security testing
### Responsible Disclosure
If you find vulnerabilities:
1. Document the finding
2. Contact the system owner
3. Allow reasonable time for remediation
4. Follow responsible disclosure practices
---
**Disclaimer**: This tool is for authorized security testing only. Users are responsible for ensuring they have permission to scan the targets they're testing. The authors are not responsible for any misuse of this tool.
File snapshot
[4.0K] /data/pocs/88eb5c9205bf8f3b5fa0a813c37fcd9b801034d5
├── [5.5K] README.md
└── [ 16K] telerik_CVE-2019-18935.py
0 directories, 2 files