Merge pull request #200 from blacklanternsecurity/dev

dev-main

Author: liquidsec

.github/workflows/tests.yaml

@@ -52,7 +52,7 @@ jobs:
         uses: nick-fields/retry@v2
         with:
           max_attempts: 3
-          timeout_minutes: 20
+          timeout_minutes: 40
           retry_wait_seconds: 0
           command: |
             poetry run pytest --exitfirst --disable-warnings --log-cli-level=DEBUG --cov-report xml:cov.xml --cov=badsecrets --cov=examples

README.md

@@ -215,6 +215,30 @@ python ./badsecrets/examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQM
 
 ### telerik_knownkey.py
 
+```bash
+badsecrets - Telerik UI known key exploitation tool
+
+usage: telerik_knownkey.py [-h] -u URL [-p PROXY] [-a USER_AGENT] [-m] [-f] [-v VERSION] [-c CUSTOM_KEYS] [-d] [--modern-dialog-params]
+
+options:
+  -h, --help            show this help message and exit
+  -u URL, --url URL     The URL of the page to access and attempt to pull viewstate and generator from
+  -p PROXY, --proxy PROXY
+                        Optionally specify an HTTP proxy
+  -a USER_AGENT, --user-agent USER_AGENT
+                        Optionally set a custom user-agent
+  -m, --machine-keys    Optionally include ASP.NET MachineKeys when loading keys
+  -f, --force           Force enumeration of vulnerable AsyncUpload endpoint without user confirmation
+  -v VERSION, --version VERSION
+                        Specify a custom Telerik version to test
+  -c CUSTOM_KEYS, --custom-keys CUSTOM_KEYS
+                        Specify custom keys in format 'encryptionkey,hashkey'. When provided, only these keys will be tested.
+  -d, --debug           Enable debug mode to show detailed request information
+  --modern-dialog-params
+                        Use modern dialog parameters format (may work better for newer Telerik versions 2018+)
+
+```
+
 Fully functional CLI example for identifying known Telerik Hash keys (`Telerik.Upload.ConfigurationHashKey`) and Encryption keys (`Telerik.Web.UI.DialogParametersEncryptionKey`) used with Telerik DialogHandler instances for Post-2017 versions (those patched for CVE-2017-9248), and brute-forcing version / generating exploitation DialogParameters values.
 
 Currently, this appears to be the only tool capable of building a working exploit URL for "patched" versions of Telerik.

badsecrets/base.py

@@ -93,9 +93,14 @@ def carve(self, body=None, cookies=None, headers=None, requests_response=None, *
                 raise badsecrets.errors.CarveException("Body/cookies/headers and requests_response cannot both be set")
 
             if type(requests_response) == requests.models.Response:
-                body = requests_response.text
-                cookies = dict(requests_response.cookies)
-                headers = requests_response.headers
+                if not cookies:
+                    cookies = (
+                        requests_response.cookies.get_dict() if hasattr(requests_response.cookies, "get_dict") else {}
+                    )
+                if not headers:
+                    headers = requests_response.headers
+                if not body and hasattr(requests_response, "text"):
+                    body = requests_response.text
             else:
                 raise badsecrets.errors.CarveException("requests_response must be a requests.models.Response object")
 
@@ -142,7 +147,9 @@ def carve(self, body=None, cookies=None, headers=None, requests_response=None, *
             if self.carve_regex():
                 s = re.search(self.carve_regex(), body)
                 if s:
-                    r = self.carve_to_check_secret(s, url=kwargs.get("url", None))
+                    r = self.carve_to_check_secret(
+                        s, url=kwargs.get("url", None), body=body, cookies=cookies, headers=headers
+                    )
                     if r:
                         r["type"] = "SecretFound"
                     else:

badsecrets/examples/telerik_knownkey.py

@@ -25,10 +25,20 @@ def carve_regex(self):
             r"<input.+__VIEWSTATE\"\svalue=\"(.+)\"[\S\s]+<input.+__VIEWSTATEGENERATOR\"\svalue=\"(\w+)\""
         )
 
-    def carve_to_check_secret(self, s, url=None):
+    def carve_to_check_secret(self, s, url=None, **kwargs):
         if len(s.groups()) == 2:
-            r = self.check_secret(s.groups()[0], s.groups()[1], url)
-            return r
+            viewstate = s.groups()[0]
+            generator = s.groups()[1]
+            possible_userkey_cookies = ["ASP.NET_SessionId", "__AntiXsrfToken", "ASPSESSIONID"]
+
+            if kwargs.get("cookies") and hasattr(kwargs.get("cookies"), "get"):
+                for cookie_name in possible_userkey_cookies:
+                    if cookie_name in kwargs.get("cookies"):
+                        cookie_value = kwargs.get("cookies").get(cookie_name)
+                        r = self.check_secret(viewstate, generator, url, cookie_value)
+                        if r:
+                            return r
+            return self.check_secret(viewstate, generator, url)
 
     @staticmethod
     def valid_preamble(sourcebytes):
@@ -92,7 +102,8 @@ def viewstate_decrypt(self, ekey_bytes, hash_alg, viewstate_B64, url, mode):
                     else:
                         continue
 
-    def viewstate_validate(self, vkey_bytes, encrypted, viewstate_B64, generator, url, mode):
+    def viewstate_validate(self, vkey_bytes, encrypted, viewstate_B64, generator, url, mode, viewstate_userkey=None):
+
         original_vkey_bytes = vkey_bytes
         viewstate_bytes = base64.b64decode(viewstate_B64)
 
@@ -104,19 +115,31 @@ def viewstate_validate(self, vkey_bytes, encrypted, viewstate_B64, generator, ur
             signature_len = len(vs.signature)
             candidate_hash_algs = self.search_dict(self.hash_sizes, signature_len)
 
+        modifier_bytes = b"\x00" * 4
+        if viewstate_userkey and viewstate_userkey.strip():
+            modifier_bytes += viewstate_userkey.encode("utf-16le")
         for hash_alg in candidate_hash_algs:
             vkey_bytes = original_vkey_bytes
             viewstate_data = viewstate_bytes[: -self.hash_sizes[hash_alg]]
             signature = viewstate_bytes[-self.hash_sizes[hash_alg] :]
             if hash_alg == "MD5":
-                md5_bytes = viewstate_data + vkey_bytes
                 if not encrypted:
-                    md5_bytes += b"\x00" * 4
+                    # if viewstate_userkey and viewstate_userkey.strip():
+                    #    md5_bytes = b"will not work, sorry"
+                    # MD5 + ViewStateUserKey is a horrible edge case that may NEVER work. We will not match on it, currently.
+                    # Last attempt:
+                    # md5_bytes = viewstate_data + vkey_bytes + page_hash_bytes + viewstate_userkey.encode('utf-16le')
+                    # But page_hash_bytes is apparently NOT the generator and my have to be brute-forced.
+                    # Probably not worth it for the 3 servers in the entire world probably using these settings in the wild.
+                    md5_bytes = viewstate_data + vkey_bytes + modifier_bytes
+                else:
+                    md5_bytes = viewstate_data + vkey_bytes
                 h = hashlib.md5(md5_bytes)
             else:
                 vs_data_bytes = viewstate_data
                 if not encrypted:
                     vs_data_bytes += generator
+                    vs_data_bytes += modifier_bytes[4:]
                 if mode == "DOTNET45" and url:
                     s = Simulate_dotnet45_kdf_context_parameters(url)
                     label, context = sp800_108_get_key_derivation_parameters(
@@ -129,7 +152,7 @@ def viewstate_validate(self, vkey_bytes, encrypted, viewstate_B64, generator, ur
                     self.hash_algs[hash_alg],
                 )
 
-            if h.digest() == signature:
+            if signature == h.digest():
                 return hash_alg
 
         return None
@@ -139,6 +162,7 @@ def resolve_args(self, args):
         generator_pattern = re.compile(r"^[A-F0-9]{8}$")
 
         url = None
+        viewstate_userkey = None
         generator = "0000"
 
         for arg in args:
@@ -147,14 +171,15 @@ def resolve_args(self, args):
                     generator = arg
                 elif url_pattern.match(arg):
                     url = arg
-
+                else:
+                    viewstate_userkey = arg
         # Remove query string from the URL, if any
         if url:
             url = urlsplit(url)._replace(query="").geturl()
-        return generator, url
+        return generator, url, viewstate_userkey
 
     def check_secret(self, viewstate_B64, *args):
-        generator, url = self.resolve_args(args)
+        generator, url, viewstate_userkey = self.resolve_args(args)
 
         if not self.identify(viewstate_B64):
             return None
@@ -182,7 +207,7 @@ def check_secret(self, viewstate_B64, *args):
 
                 for mode in ["DOTNET40", "DOTNET45"]:
                     validationAlgo = self.viewstate_validate(
-                        binascii.unhexlify(vkey), encrypted, viewstate_B64, generator, url, mode
+                        binascii.unhexlify(vkey), encrypted, viewstate_B64, generator, url, mode, viewstate_userkey
                     )
                     if validationAlgo:
                         if encrypted:
@@ -201,6 +226,8 @@ def check_secret(self, viewstate_B64, *args):
                         product_string = f"Viewstate: {viewstate_B64}"
                         if generator != "0000":
                             product_string += f" Generator: {generator[::-1].hex().upper()}"
+                        if viewstate_userkey:
+                            product_string += f" ViewStateUserKey: {viewstate_userkey}"
                         return {"secret": result, "product": product_string, "details": f"Mode [{mode}]"}
         return None
 

badsecrets/modules/aspnet_viewstate.py

@@ -114,11 +114,11 @@ def check_secret(self, dialogParameters_raw, key_derive_mode=None, include_machi
                     }
         return None
 
-    def encryptionkey_probe_generator(self, hash_key, key_derive_mode, include_machinekeys=False):
+    def encryptionkey_probe_generator(self, hash_key, key_derive_mode, include_machinekeys=False, custom_keys=None):
         test_string = b"AAAAAAAAAAAAAAAAAAAA"
         dp_enc = base64.b64encode(test_string).decode()
 
-        for ekey in self.prepare_keylist(include_machinekeys=include_machinekeys):
+        for ekey in custom_keys if custom_keys else self.prepare_keylist(include_machinekeys=include_machinekeys):
             derivedKey, derivedIV = self.telerik_derivekeys(ekey, key_derive_mode)
             ct = self.telerik_encrypt(derivedKey, derivedIV, dp_enc)
             h = hmac.new(hash_key.encode(), ct.encode(), self.hash_algs["SHA256"])

badsecrets/modules/telerik_encryptionkey.py

@@ -66,10 +66,10 @@ def get_hashcat_commands(self, dialogParameters_raw, *args):
             }
         ]
 
-    def hashkey_probe_generator(self, include_machinekeys=False):
+    def hashkey_probe_generator(self, include_machinekeys=False, custom_keys=None):
         test_string = b"EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmk4dUx3PT0sZmk4dUx3PT0=;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmk4dUx3PT0sZmk4dUx3PT0=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmk4dUx3PT0sZmk4dUx3PT0=;IsSkinTouch,False,3,False;ScriptManagerProperties,False,0,CgoKCkZhbHNlCjAKCgoK;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,VGVsZXJpay5XZWIuVUkuRWRpdG9yLkRpYWxvZ0NvbnRyb2xzLkRvY3VtZW50TWFuYWdlckRpYWxvZywgVGVsZXJpay5XZWIuVUksIFZlcnNpb249MjAxOC4xLjExNy40NSwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0xMjFmYWU3ODE2NWJhM2Q0;AllowMultipleSelection,False,3,False"
         dp_enc = base64.b64encode(test_string)
-        for vkey in self.prepare_keylist(include_machinekeys=include_machinekeys):
+        for vkey in custom_keys if custom_keys else self.prepare_keylist(include_machinekeys=include_machinekeys):
             h = hmac.new(vkey.encode(), dp_enc, self.hash_algs["SHA256"])
             yield (f"{dp_enc.decode()}{base64.b64encode(h.digest()).decode()}", vkey)