Full Report
ASP.NET HttpHandlers are interesting components of a .NET web application when performing security assessments, mainly because they are the most exposed part of the application, processing client requests at the HttpContext level, and at the same time are custom application code rather than part of the ASP.NET framework itself. As a result, data validation vulnerabilities in custom HttpHandlers can be exploited far more easily than issues in the inner-layer components. However, they are mostly overlooked during web application tests for two reasons:
Analysis Summary
# Vulnerability: Data Validation Flaw in Telerik ASP.NET UI Control HttpHandler Leading to Arbitrary File Download/Deletion
## CVE Details
- CVE ID: N/A (Note: The article implies a known issue fixed in 2012/3 but does not explicitly cite a CVE identifier for the specific flaw described against Telerik.)
- CVSS Score: N/A
- CWE: CWE-321 (Use of Hard-coded Cryptographic Key) for the AES key and IV embedded in the assembly, which is what makes the `ImageName` parameter forgeable; CWE-20 (Improper Input Validation) / CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) for the unrestricted file read and deletion that result.
## Affected Systems
- Products: Telerik ASP.NET UI Controls (specifically components utilizing the Charting feature).
- Versions: All versions up to and including 2011.2.915.35.
- Configurations: Applications whose web.config registers the Telerik charting HttpHandler (`ChartImage.axd`); if the handler is registered, the code path is reachable whether or not the application actually renders charts.
## Vulnerability Description
The vulnerability resides in the custom HttpHandler (`ChartImage.axd`) that the Telerik Web UI charting feature registers. The handler serves cached chart images in response to a GET request of the form `http://site/ChartImage.axd?useSession=false&imageFormat=image/png&ImageName=[base64 encoded value]`.
The `ImageName` parameter is AES-encrypted, ostensibly to prevent tampering, but the AES key and Initialization Vector (IV) are hardcoded in `Telerik.Web.UI.dll`. Anyone who obtains the assembly can recover them by decompilation and encrypt a path of their own choosing; the handler then decrypts the forged value successfully, treats it as trusted, and returns the named file, subject only to the NTFS permissions of the application pool identity. Because the handler deletes the file after serving it (cache cleanup), a successful request also removes the target from disk, so the flaw is a deletion primitive as well as a disclosure one. The underlying mistake is treating encryption of a client-supplied value as validation: a value that decrypts correctly says nothing about whether the resulting path is one the handler should ever serve.
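The report describes the pattern rather than quoting Telerik's code, so the following is an added illustration written for this summary (not taken from the SensePost article or from `Telerik.Web.UI.dll`) of the flawed handler design beside a hardened one. The class names, the key and IV values, the cache directory, the token format and the `IssueToken` helper are assumptions chosen for the example; the real handler's internals are not shown on the page.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Vulnerable pattern (illustration, not Telerik's code): ImageName is AES-decrypted with a
// key and IV that ship inside the assembly, and the decrypted string is used as a path unchecked.
public class VulnerableChartImageHandler : IHttpHandler
{
    // Assumed values; in the real case an attacker reads whatever is there out of the DLL.
    private static readonly byte[] Key = Encoding.ASCII.GetBytes("0123456789ABCDEF0123456789ABCDEF"); // 32 bytes
    private static readonly byte[] IV  = Encoding.ASCII.GetBytes("FEDCBA9876543210");                 // 16 bytes

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string imageName = Decrypt(context.Request.QueryString["ImageName"]);
        // Decryption succeeded, so the value is trusted. Nothing stops it being "..\..\web.config".
        string path = context.Server.MapPath(imageName);
        context.Response.ContentType = "image/png";
        context.Response.BinaryWrite(File.ReadAllBytes(path));
        File.Delete(path); // "cache cleanup", applied to whatever file the client named
    }

    private static string Decrypt(string base64)
    {
        byte[] cipher = Convert.FromBase64String(base64);
        using (Aes aes = Aes.Create())
        using (ICryptoTransform dec = aes.CreateDecryptor(Key, IV))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(cipher, 0, cipher.Length));
    }
}

// Hardened pattern: the server mints tokens under a secret that never leaves the host, and even
// an authentic token can only name a file inside the cache directory (assumed at App_Data/ChartCache).
public class HardenedChartImageHandler : IHttpHandler
{
    private static readonly byte[] Secret = NewSecret(); // per-process random secret (see note below)
    private static readonly string CacheRoot =
        Path.GetFullPath(Path.Combine(HttpRuntime.AppDomainAppPath, "App_Data", "ChartCache")) + Path.DirectorySeparatorChar;

    public bool IsReusable { get { return true; } }

    // Called by the server-side code that rendered a chart, to build the <img> URL it emits.
    public static string IssueToken(string cacheFileName)
    {
        string name = Path.GetFileName(cacheFileName); // file name only, never a directory component
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(name)) + "." + Convert.ToBase64String(Mac(name));
    }

    public void ProcessRequest(HttpContext context)
    {
        string name;
        byte[] presented;
        try
        {
            string[] parts = (context.Request.QueryString["ImageName"] ?? "").Split('.'); // '.' is not in base64
            if (parts.Length != 2) throw new FormatException();
            name = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
            presented = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { Reject(context); return; }

        // 1. Authenticity: only tokens minted with this host's secret are accepted.
        if (!FixedTimeEquals(Mac(name), presented)) { Reject(context); return; }

        // 2. Containment: resolve the path and require it to sit under CacheRoot (defeats ..\ and absolute paths).
        string full = Path.GetFullPath(Path.Combine(CacheRoot, name));
        if (!full.StartsWith(CacheRoot, StringComparison.OrdinalIgnoreCase) || !File.Exists(full)) { Reject(context); return; }

        context.Response.ContentType = "image/png"; // fixed server-side, not taken from the query string
        context.Response.BinaryWrite(File.ReadAllBytes(full));
        File.Delete(full); // deletion is now bounded to the cache directory
    }

    private static byte[] Mac(string name)
    {
        using (HMACSHA256 h = new HMACSHA256(Secret)) return h.ComputeHash(Encoding.UTF8.GetBytes(name));
    }

    private static byte[] NewSecret()
    {
        byte[] s = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(s);
        return s;
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static void Reject(HttpContext context) { context.Response.StatusCode = 400; }
}
```

The fix is not "use a stronger cipher": a value that decrypts correctly still says nothing about where the path points. The hardened version relies on two independent checks, token authenticity under a secret the client cannot obtain and containment of the resolved path under the cache directory, and keeps the response type and the delete operation out of the client's control. A per-process random secret, as shown, invalidates outstanding tokens on application pool recycle and does not work across a web farm; in those deployments load the secret from protected configuration shared by all nodes rather than generating it at startup.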
## Exploitation
- Status: PoC available (The author created a proof of concept, linked in the original article).
- Complexity: Medium (the hardcoded key and IV must be recovered once by decompiling `Telerik.Web.UI.dll`; after that every request is trivial to forge and requires no authentication).
- Attack Vector: Network
## Impact
- Confidentiality: High (read of any file the application pool identity can access, including the application's own configuration files).
- Integrity: High (the served file is deleted afterwards, so every read is also a destructive write).
- Availability: Potential (deleting files the application depends on can take it offline).
## Remediation
### Patches
- Vendor fix: the article reports the issue as fixed by Telerik around 2012/3 (date as given on the page; no advisory identifier is cited).
- **Action Required:** Upgrade `Telerik.Web.UI.dll` to a release newer than 2011.2.915.35 that incorporates the fix, and confirm the file version of the deployed assembly afterwards rather than relying on the package version alone.
### Workarounds
- If patching is not immediately possible, restrict access to the `ChartImage.axd` endpoint (for example, to authenticated users or trusted source addresses), accepting that chart rendering will break for other clients. If the charting feature is not used at all, remove the `ChartImage.axd` handler registration from web.config so the code path is unreachable.
- Do not rely on ASP.NET request validation or IIS request filtering as a mitigation: the target path arrives AES-encrypted inside `ImageName` and only becomes a path after the handler decrypts it, so generic `..` filters never see it. Instead, enable file-system auditing on sensitive directories for the application pool identity so reads and deletions outside the chart cache are recorded.
## Detection
- Indicators of compromise: file read or delete events by the application pool identity outside the chart cache directory that coincide with requests to `ChartImage.axd`, and requests to that handler from unexpected clients or with rapidly varying `ImageName` values. The IIS log alone does not reveal which file was targeted, because the path is encrypted; file-system auditing on the web server is needed to recover that.
- Detection methods and tools: check the file version of the deployed `Telerik.Web.UI.dll` (vulnerable if 2011.2.915.35 or older) and whether `ChartImage.axd` is registered and reachable. Generic DAST path-traversal payloads in `ImageName` will not find the flaw, since they fail decryption; a scanner needs the recovered key to build a valid probe, so version fingerprinting is the reliable test.
## References
- Vendor advisories: Implied vendor fix dated around 2012/3 for Telerik UI Controls.
- Relevant links - defanged:
- SensePost Article: hXXps://sensepost.com/blog/2012/12/13/dangers-of-custom-asp-net-httphandlers/
- PoC Download referenced: hXXps://introonet.sensepost.com/blog/wp-content/uploads/2012/12/telerik.zip