CVE-2017-9248 #151

Merged
merged 3 commits into from
Nov 30, 2023

Conversation

2009panda (Contributor)

Add bcheck for CVE-2017-9248. It looks for Telerik version numbers, e.g. 2015.2.623, in responses and, if it finds one, creates an issue.
Passive bcheck.
@PortSwiggerWiener (Collaborator)

Thanks for your submission. Looks like an interesting idea.

Is there something unique to Telerik UI that we can also look for within the response in order to minimize the chance of this raising false positives?

@2009panda (Contributor, Author)

Hi, the two ways I've found to enumerate the Telerik UI version are to look for HTML comments containing the version number, such as follows
[screenshot: HTML comment containing the Telerik UI version number]

and from script tags in responses where Telerik UI JavaScript is loaded.
[screenshot: script tag loading Telerik UI JavaScript, with the version in the URL]

The problem is, not always both are present, so by checking only for version number (as is done in the bcheck) instead of Version%3d{version_number}, it should cover both scenarios.

@PortSwiggerWiener (Collaborator)

Excellent. So one option would be to generalize your checking to include either of these, but as you said, you may miss some scenarios. Perhaps a better option would be to look for something unrelated to the version that is specific to Telerik. So the logic would be something like:

if ((<some test to fingerprint Telerik UI>) and ("2007.1423" in {latest.response.body} or "2007.1521" in {latest.response.body} ... or "2017.1.118" in {latest.response.body})) then

added check for the presence of "Telerik.Web.UI.WebResource.axd", which will reduce the risk of raising false positives, as it is the endpoint that Telerik UI uses to load JavaScript files
@2009panda (Contributor, Author)


Thanks for the input, I added a check for the presence of "Telerik.Web.UI.WebResource.axd", which should eliminate the risk of raising false positives. It now looks like this:

if (("Telerik.Web.UI.WebResource.axd" in {latest.response.body}) and ("2007.1423" in {latest.response.body} or "2007.1521" in {latest.response.body} ... or "2017.1.118" in {latest.response.body})) then
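The following is an added example, not the PR's BCheck and not PortSwigger or Telerik code: it reimplements the same passive logic in Python so it can be run offline over constructed sample responses. It requires the Telerik.Web.UI.WebResource.axd fingerprint before reporting anything, extracts version numbers in both forms discussed above (an HTML comment and the Version%3d part of a script URL), and generalizes the enumerated version list into a range check against 2017.2.621 (R2 2017 SP1, the fixed release named in the CVE-2017-9248 advisory). That cutoff, the regex, the sample responses and all function names are assumptions made for the example, not taken from the page.

```python
"""Passive check for CVE-2017-9248: Telerik UI fingerprint + pre-fix version in a response body.

Added example, not the PR's BCheck and not PortSwigger or Telerik code.
"""
import re
from typing import List, Optional, Tuple

# Fingerprint the PR settled on: the handler Telerik UI uses to serve its script files.
TELERIK_HANDLER = "Telerik.Web.UI.WebResource.axd"

# Assumption: CVE-2017-9248 was fixed in R2 2017 SP1 (build 2017.2.621), so any
# earlier build is treated as affected. The merged BCheck instead enumerates
# explicit version strings (2007.1423 ... 2017.1.118).
FIXED_VERSION: Tuple[int, ...] = (2017, 2, 621)

# Telerik build numbers look like YYYY.Q.DDD (e.g. 2015.2.623); the 2007 builds used
# YYYY.DDDD (e.g. 2007.1423). Lookarounds instead of \b so "Version%3d2015.2.623"
# still matches even though the version follows the 'd' of the URL-encoded '='.
VERSION_RE = re.compile(r"(?<![\d.])(20\d{2})\.(?:(\d)\.(\d{3,4})|(\d{4}))(?!\.?\d)")

Version = Tuple[int, ...]


def find_versions(body: str) -> List[Version]:
    """Return every Telerik-style version in the body as int tuples, de-duplicated, in order."""
    found: List[Version] = []
    for m in VERSION_RE.finditer(body):
        year, release, build, old_build = m.groups()
        if release is not None:
            ver: Version = (int(year), int(release), int(build))
        else:
            ver = (int(year), int(old_build))
        if ver not in found:
            found.append(ver)
    return found


def version_string(ver: Version) -> str:
    return ".".join(str(part) for part in ver)


def check_response(body: str) -> Optional[dict]:
    """Passive check mirroring the PR's final condition.

    Raise only when BOTH the Telerik handler is referenced AND a pre-fix version
    appears; a version-looking string on an unrelated page is not enough.
    """
    if TELERIK_HANDLER not in body:
        return None
    vulnerable = [v for v in find_versions(body) if v < FIXED_VERSION]
    if not vulnerable:
        return None
    return {
        "name": "Telerik UI for ASP.NET AJAX build affected by CVE-2017-9248",
        "versions": [version_string(v) for v in vulnerable],
        "evidence": TELERIK_HANDLER,
    }


# Constructed sample responses (assumed shapes, not captured from a real host).
VULN_SCRIPT_TAG = (
    '<html><head><script src="/Telerik.Web.UI.WebResource.axd?_TSM_CombinedScripts_='
    'Telerik.Web.UI%3aen-US%3aVersion%3d2015.2.623"></script></head>'
    "<body>Copyright 2015.</body></html>"
)
VULN_HTML_COMMENT = (
    "<!-- Telerik UI for ASP.NET AJAX 2016.3.1018 -->"
    '<script src="/Telerik.Web.UI.WebResource.axd?type=rau"></script>'
)
PATCHED = '<script src="/Telerik.Web.UI.WebResource.axd?_TSM_CombinedScripts_=Version%3d2017.2.711"></script>'
NO_FINGERPRINT = "<p>Release notes for build 2015.2.623 of an unrelated product.</p>"

if __name__ == "__main__":
    for label, body in [("script tag", VULN_SCRIPT_TAG), ("html comment", VULN_HTML_COMMENT),
                        ("patched", PATCHED), ("no fingerprint", NO_FINGERPRINT)]:
        print(f"{label:15s} -> {check_response(body)}")
```

The NO_FINGERPRINT sample is the false-positive case the reviewer raised: the version string alone is present, but without the handler reference the check stays silent. The range comparison is the one deliberate departure from the merged BCheck, which matches an explicit list; a list cannot miss a build it names, but also cannot flag a pre-fix build it does not.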

@PortSwiggerWiener (Collaborator) left a comment

Many thanks for tightening up the logic and your patience! 👍

@Michelle-PortSwigger (Contributor) left a comment

Looks good. Thanks for the updates :)

@Michelle-PortSwigger Michelle-PortSwigger merged commit d67ae8e into PortSwigger:main Nov 30, 2023
@michael-eaton-portswigger

@2009panda As a contributor to our GitHub repository, we would like to invite you to our closed Discord community.

It is a place where passionate Burp users, including people who directly work on building and developing Burp here at PortSwigger, can talk about the tooling and web security in general.

If you would like to join, please email us at support@portswigger.net and we will send over an invite link.

Thank you!
