The vulnerability chain involving CVE-2024-4358 and CVE-2024-1800 provides a high-criticality exploit path for achieving unauthenticated Remote Code Execution (RCE) on Progress Telerik Report Server instances. By leveraging a logic flaw in the authentication mechanism (CVE-2024-4358), an attacker can bypass traditional security controls to create a rogue administrative account. Once administrative access is obtained, the attacker can exploit an insecure deserialization vulnerability (CVE-2024-1800) within the report processing engine to execute arbitrary code in the context of the service account. This combination bypasses the intended security boundary where administrative privileges are required to modify report definitions, effectively turning a post-authentication RCE into an unauthenticated pre-authentication compromise.
Analysis of CVE-2024-4358: Authentication Bypass
CVE-2024-4358 is a critical authentication bypass vulnerability residing in the StartupController of the Telerik Report Server. The application implements a setup wizard intended for first-time installation, accessible via the /Startup/ route. Under normal operating conditions, this route should be disabled or protected once the initial configuration is complete. However, in affected versions, the logic used to verify if the server is "already configured" is flawed, allowing remote attackers to access the registration page and create a new administrator user without providing any existing credentials.
The vulnerability is rooted in the Telerik.ReportServer.Web.Controllers.StartupController class. During the initialization check, the application queries the underlying data store to determine if any administrative users exist. If the application logic fails to properly lock this endpoint after the first run, or if it can be tricked into a "re-installation" state, the /Startup/Register endpoint becomes accessible. An attacker can perform a POST request to this endpoint with a payload containing new administrator credentials, which the server will process and persist, granting the attacker full control over the reporting environment.
Affected Versions and Impact
| CVE ID | Vulnerability Type | Affected Versions | CVSS Score |
|---|---|---|---|
| CVE-2024-4358 | Authentication Bypass | Prior to 10.1.24.709 | 9.8 (Critical) |
| CVE-2024-1800 | Insecure Deserialization | Prior to 10.1.24.514 | 8.8 (High) |
Reconnaissance and Discovery
Identifying vulnerable Telerik Report Server instances often begins with scanning for default web paths and specific response headers. Attackers use tools like Zondex to discover internet-facing services that expose the /ReportServer or /Startup/Index paths. Probing the /Startup/Index endpoint specifically helps determine if the instance is susceptible to CVE-2024-4358; a 200 OK response with the setup wizard UI indicates a high likelihood of vulnerability.
During the research phase, it is common to utilize GProxy to route traffic through various geographic locations to bypass IP-based rate limiting or geo-fencing implemented by defensive layers. This ensures that the fingerprinting of the target application's version and configuration remains consistent across different network perspectives.
Analysis of CVE-2024-1800: Insecure Deserialization
CVE-2024-1800 is an insecure deserialization vulnerability within the Telerik Reporting engine used by the Report Server. The reporting engine allows users to define ObjectDataSource components, which facilitate the binding of report data to .NET objects. When the Report Server processes a report definition (.trdp or .trdx file), it deserializes the data source configuration. If the configuration includes an ObjectDataSource, the server attempts to resolve the type and call the specified member to retrieve data.
The vulnerability arises because the application does not sufficiently restrict the types that can be instantiated or the methods that can be invoked during this process. In a .NET environment, insecure deserialization can be exploited using gadget chains—sequences of existing code that, when executed in a specific order during deserialization, result in arbitrary command execution. Common gadgets used in this context include System.Windows.Data.ObjectDataProvider or System.Configuration.Install.AssemblyInstaller.
Technical Execution of the Chain
The exploitation process follows a structured sequence where the first vulnerability facilitates the prerequisites for the second. The following steps outline the technical workflow of the attack:
- Step 1: Administrator Creation: The attacker sends a `POST` request to `/Startup/Register`. The payload typically includes the username, password, and email for the new administrator account.
- Step 2: Authentication: The attacker authenticates using the newly created credentials via the `/Token` endpoint or the web-based login form to receive a session cookie or bearer token.
- Step 3: Payload Preparation: Using a tool like `ysoserial.net`, the attacker generates a serialized .NET gadget chain designed to execute a system command (e.g., `cmd.exe /c calc.exe` or a reverse shell).
- Step 4: Report Definition Modification: The attacker crafts a malicious `.trdp` (XML-based) or `.trdx` report definition file. Inside this file, the `ObjectDataSource` is modified to point to a malicious class or to trigger the deserialization of the gadget chain.
- Step 5: Execution: The attacker uploads the malicious report to the server via the Administrative Dashboard and triggers a "Preview" or "Render" action. The server-side reporting engine processes the file, deserializes the malicious payload, and executes the embedded command.
Exploitation Code Snippet (CVE-2024-4358 Bypass)
The following curl command demonstrates the initial stage of the attack, targeting the authentication bypass to register an administrative user:
```bash
curl -X POST "https://target-report-server.com/Startup/Register" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data "Username=attacker_admin&Password=ComplexPassword123!&ConfirmPassword=ComplexPassword123!&Email=admin@attacker.com"
```
If successful, the server responds with a redirect or a success message, and the attacker_admin account is now persisted in the local database with full privileges.
RCE via ObjectDataSource Deserialization
Once administrative access is confirmed, the focus shifts to CVE-2024-1800. The ObjectDataSource properties TypeName and DataMember are the primary vectors. A malicious report definition might contain an XML structure similar to the following:
```xml
<ObjectDataSource Name="ExploitSource">
  <DataSource>
    <TypeName>System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</TypeName>
    <DataMember>Start</DataMember>
    <Parameters>
      <ObjectDataSourceParameter Name="fileName" Type="System.String" Value="cmd.exe" />
      <ObjectDataSourceParameter Name="arguments" Type="System.String" Value="/c whoami > c:\windows\temp\pwned.txt" />
    </Parameters>
  </DataSource>
</ObjectDataSource>
```
When the report is rendered, the Telerik Reporting engine uses reflection to instantiate System.Diagnostics.Process and invoke the Start method with the provided parameters. While newer versions implement a "Type Whitelist" or "Allowed Types" restriction, CVE-2024-1800 identifies a bypass or a lack of enforcement in the specific context of the Report Server's handling of these objects.
Detection and Remediation
Defending against this chain requires a multi-layered approach. Organizations should immediately update Telerik Report Server to version 10.1.24.709 or later. This update addresses the logic flaw in the StartupController and hardens the ObjectDataSource against unauthorized type instantiation.
Security teams can use Secably to perform automated vulnerability scanning across their infrastructure to identify unpatched Telerik instances. It is also recommended to monitor web server logs for unexpected access to the /Startup/ directory, especially on systems that have already been configured.
Indicators of Compromise (IoCs)
- Unexpected Logins: Look for new administrative accounts in the `Telerik.ReportServer` database or audit logs that were not created by authorized personnel.
- Log Entries: HTTP `POST` requests to `/Startup/Register` on a production system.
- File Creation: Presence of suspicious `.trdp` or `.trdx` files in the report storage directory (often `C:\ProgramData\Telerik\ReportServer`).
- Process Activity: The IIS worker process (`w3wp.exe`) spawning child processes such as `cmd.exe` or `powershell.exe`, or making unexpected network connections.
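As an added example (not code from the original page or from Progress), the following Python checks the log and process indicators just listed against constructed sample data: IIS W3C log lines are parsed by their `#Fields` header, any `/Startup/` traffic after the assumed setup-completion date of the host is reported, and a Sysmon-style process-creation event is checked for `w3wp.exe` spawning a shell.

```python
from datetime import datetime

# Constructed IIS W3C log excerpt (not a real capture) from a Report Server whose
# setup wizard was completed months earlier; IIS writes user-agent spaces as '+'.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-06-03 10:14:02 10.0.0.5 GET /Report/Index - 443 alice 10.0.0.21 Mozilla/5.0+Windows 200
2024-06-03 10:15:40 10.0.0.5 GET /Startup/Index - 443 - 203.0.113.7 curl/8.4.0 200
2024-06-03 10:15:41 10.0.0.5 POST /Startup/Register - 443 - 203.0.113.7 curl/8.4.0 302
2024-06-03 10:16:05 10.0.0.5 POST /Token - 443 - 203.0.113.7 curl/8.4.0 200
"""
SETUP_COMPLETED = datetime(2024, 1, 15)  # assumed date the wizard was finished on this host
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}  # the shells named in the IoC list


def parse_iis(text):
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def detect_startup_abuse(rows, setup_completed):
    """Flag setup-wizard traffic on an already-configured server.

    Returns (severity, client_ip, message) tuples in log order."""
    alerts = []
    for r in rows:
        when = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        stem = r["cs-uri-stem"].lower()
        if not stem.startswith("/startup/") or when < setup_completed:
            continue  # legitimate first-run traffic or unrelated routes
        if r["cs-method"] == "POST" and stem == "/startup/register" and r["sc-status"] in ("200", "302"):
            alerts.append(("critical", r["c-ip"], "POST /Startup/Register accepted after setup"))
        elif r["sc-status"] == "200":
            alerts.append(("warning", r["c-ip"], f"setup route {r['cs-uri-stem']} still reachable"))
    return alerts


def suspicious_w3wp_child(event):
    """True when a Sysmon-style event (keys Image, ParentImage) shows w3wp.exe spawning a shell."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    return parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN
```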
To further mitigate the risk of deserialization attacks, the <Telerik.Reporting> configuration section in web.config should be audited to ensure that typeResolvers are restricted. Implementing the IJobTypeResolver interface can help explicitly whitelist only the business objects required for legitimate reporting functionality, thereby neutralizing the gadget chains used in CVE-2024-1800.
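The same type restriction can be applied offline when auditing report definitions already stored on the server. This added Python example (not Telerik's code; the allowed business-object names and the .trdx sample are constructed) walks every ObjectDataSource in a .trdx document, strips any XML namespace, and reports whether the bare TypeName is on the allowlist, so the System.Diagnostics.Process pattern shown earlier is flagged as blocked.

```python
import xml.etree.ElementTree as ET

# Types that legitimate reports in this hypothetical deployment may bind to.
# A real deployment lists its own data classes; these names are assumed.
ALLOWED_TYPES = {"Contoso.Reporting.SalesData", "Contoso.Reporting.InventoryData"}

# Constructed .trdx excerpt: one legitimate ObjectDataSource beside the
# System.Diagnostics.Process pattern from the page. The parser ignores XML
# namespaces, so namespaced production files are handled the same way.
SAMPLE_TRDX = """<Report Name="MonthlySales">
  <DataSources>
    <ObjectDataSource Name="Sales">
      <DataSource>
        <TypeName>Contoso.Reporting.SalesData, Contoso.Reporting, Version=1.0.0.0</TypeName>
        <DataMember>GetRows</DataMember>
      </DataSource>
    </ObjectDataSource>
    <ObjectDataSource Name="ExploitSource">
      <DataSource>
        <TypeName>System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</TypeName>
        <DataMember>Start</DataMember>
      </DataSource>
    </ObjectDataSource>
  </DataSources>
</Report>
"""


def local(tag):
    """Strip a '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def first_text(element, name):
    """Text of the first descendant whose local tag name is `name`, else ''."""
    return next((c.text or "" for c in element.iter() if local(c.tag) == name), "")


def audit_object_data_sources(xml_text, allowed):
    """Return (name, bare_type, member, verdict) for each ObjectDataSource.

    Only the bare CLR type name is compared against `allowed`; the
    assembly-qualified suffix is ignored because it varies between builds."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "ObjectDataSource":
            continue
        bare_type = first_text(el, "TypeName").split(",", 1)[0].strip()
        verdict = "allowed" if bare_type in allowed else "blocked"
        findings.append((el.get("Name", ""), bare_type, first_text(el, "DataMember"), verdict))
    return findings
```

A `.trdp` package is a zip archive; unpack it and pass the contained definition XML to the same function.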