PR
CVE 2019 18935
projectdiscovery/nuclei-templates#14290

/claim #14278

PR Information

This submission adds a comprehensive, fully validated Nuclei template for CVE-2019-18935, a critical .NET deserialization vulnerability in Telerik UI for ASP.NET AJAX that has been actively exploited in the wild and is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

  • Added CVE-2019-18935 - Telerik UI for ASP.NET AJAX RadAsyncUpload Deserialization RCE
  • CVSS Score: 9.8 (Critical)
  • EPSS Score: 97.5% (extremely high exploitation likelihood)
  • Real-World Impact: Actively exploited by APT groups against US federal agencies

References:


Template validation

This template implements a multi-stage detection methodology with complete POC validation (not just version detection):

Detection Stages:

  1. Handler Discovery - Confirms RadAsyncUpload handler exists
  2. Version Enumeration - Extracts exact Telerik version from error disclosure
  3. Exploitation Proof - Tests deserialization processing with malformed payload

All three stages must succeed (AND condition) for vulnerability confirmation.

  • Validated with a host running a vulnerable version and/or configuration (True Positive)

    • Tested against Docker lab environment with Telerik 2017.2.503
    • Tested against known vulnerable CTF machines
    • Confirmed deserialization processing with exploit payloads
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

    • Tested against Telerik 2019.3.1023+ (patched versions)
    • Tested against non-Telerik ASP.NET applications
    • Zero false positives in testing

Additional Details

Complete Repository: https://github.com/alanbarret/CVE-2019-18935

This submission includes:

  • ✅ Complete Nuclei template with multi-stage POC
  • ✅ Docker vulnerable environment for testing
  • ✅ Python validation scripts (version detection + exploitation POC)
  • ✅ Comprehensive testing methodology documentation
  • ✅ Debug output examples and logs
  • ✅ Setup instructions and troubleshooting guide

Quick Setup:

# Clone repository
git clone git@github.com:alanbarret/CVE-2019-18935.git
cd CVE-2019-18935
# Create Python virtual environment
python3 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Install dependencies
pip install -r requirements.txt
# Test template against vulnerable Docker environment
cd docker-environment
# Note: You must obtain Telerik.Web.UI.dll separately (licensing restrictions)
# See docker-environment/README.md for instructions
# Build and run vulnerable environment
docker-compose up -d
# Run Nuclei template
cd ..
nuclei -t nuclei-template/cves/2019/CVE-2019-18935.yaml \
-u http://localhost:8080 \
-debug -v

Docker Environment Setup:

The repository includes a complete vulnerable test environment:

# Navigate to Docker environment
cd docker-environment
# Obtain Telerik.Web.UI.dll (v2017.2.503 or any version 2011.1.315-2019.3.1023)
# Place DLL in this directory
# See docker-environment/README.md for download instructions
# Build and start vulnerable environment
docker-compose build
docker-compose up -d
# Verify endpoint is accessible
curl "http://localhost:8080/Telerik.Web.UI.WebResource.axd?type=rau"
# Expected response: "RadAsyncUpload handler is registered succesfully"

Testing with Validation Scripts:

# Activate virtual environment
source venv/bin/activate
# Version detection
python3 scripts/telerik_version_detect.py http://localhost:8080
# Exploitation POC
python3 scripts/telerik_exploit_poc.py "http://localhost:8080/Telerik.Web.UI.WebResource.axd?type=rau"

Nuclei Debug Output:

# Run with full debug output
nuclei -t nuclei-template/cves/2019/CVE-2019-18935.yaml \
-u http://localhost:8080 \
-debug -verbose \
2>&1 | tee debug-output.log
# Expected output:
[CVE-2019-18935] [http] [critical] http://localhost:8080/Telerik.Web.UI.WebResource.axd
[EXTRACTED]
telerik_version: 2017.2.503.40
detection_stage: Handler detected in request 1, Version in request 2, Deserialization in request 3
error_details: Exception at Telerik.Web.UI...

Why This Template is Different:

Most Telerik templates only check for version disclosure. This template goes further by:

  • ✅ Testing actual deserialization processing (not just version checking)
  • ✅ Using multi-stage AND conditions to minimize false positives
  • ✅ Extracting detailed diagnostic information
  • ✅ Including complete validation scripts and vulnerable environment
  • ✅ Providing comprehensive testing methodology

Security Note:

This template is tagged as intrusive because it:

  • Sends exploit-like payloads to test deserialization
  • Triggers intentional error conditions
  • May be detected by security monitoring systems

Only use with explicit authorization on systems you own or have permission to test.


Shodan/Fofa Queries:

# Shodan
http.title:"Telerik" OR http.component:"Telerik UI"
# Fofa
app="Progress-Telerik-UI"
# Google Dork
inurl:Telerik.Web.UI.WebResource.axd

Repository Structure:

CVE-2019-18935/
├── nuclei-template/
│   └── cves/2019/CVE-2019-18935.yaml   # Main template
├── docker-environment/                 # Vulnerable test environment
│   ├── Dockerfile
│   ├── docker-compose.yml
│   ├── Default.aspx
│   └── web.config
├── scripts/                            # Validation scripts
│   ├── RAU_crypto.py                   # Encryption helper
│   ├── telerik_version_detect.py       # Version detection
│   └── telerik_exploit_poc.py          # POC validation
├── documentation/
│   ├── METHODOLOGY.md                  # Technical methodology
│   └── TESTING.md                      # Testing guide
├── requirements.txt                    # Python dependencies
└── README.md                           # Complete documentation

Additional References:


Author Notes:

This template was created with extensive research and testing to ensure:

  • Zero false positives through multi-stage validation
  • Complete POC implementation beyond simple version detection
  • Reproducible testing with included Docker environment
  • Comprehensive documentation for methodology and usage

The vulnerability has significant real-world impact (CISA KEV, APT exploitation) and this template provides reliable detection for security teams.

Submission Status: Ready for review ✅
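
The PR notes that the template's requests may be detected by security monitoring systems. The following added example (not part of the PR or the linked repository) shows one way a defender could spot that request pattern in IIS W3C logs by grouping requests to the RadAsyncUpload handler per client. The log lines, addresses and verdict names are constructed for illustration, and treating a 5xx response to a handler POST as the "intentional error condition" is an assumption.

```python
from collections import defaultdict

HANDLER = "/telerik.web.ui.webresource.axd"

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-12-08 10:00:01 GET /Default.aspx - 198.51.100.7 Mozilla/5.0 200
2025-12-08 10:00:05 GET /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 curl/8.5.0 200
2025-12-08 10:00:06 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 curl/8.5.0 500
2025-12-08 10:00:07 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 curl/8.5.0 500
2025-12-08 10:03:10 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def is_rau(row):
    """True when the request targets the handler with type=rau (case-insensitive)."""
    params = row["cs-uri-query"].lower().split("&")
    return row["cs-uri-stem"].lower() == HANDLER and "type=rau" in params

def classify_clients(text):
    """Return {client_ip: verdict} for every client that touched the handler."""
    seen = defaultdict(lambda: {"probe": 0, "post_ok": 0, "post_err": 0})
    for row in parse_w3c(text):
        if not is_rau(row):
            continue
        counts = seen[row["c-ip"]]
        if row["cs-method"] == "GET":
            counts["probe"] += 1  # bare GET: handler discovery, not an upload
        elif row["cs-method"] == "POST":
            key = "post_err" if row["sc-status"].startswith("5") else "post_ok"
            counts[key] += 1
    verdicts = {}
    for ip, c in seen.items():
        if c["probe"] and c["post_err"]:
            verdicts[ip] = "probe-then-error"  # discovery followed by provoked errors
        elif c["post_err"]:
            verdicts[ip] = "handler-errors"
        elif c["probe"]:
            verdicts[ip] = "probe-only"
        else:
            verdicts[ip] = "normal-upload"
    return verdicts
```

Clients that only POST to the handler and receive 2xx responses match ordinary RadAsyncUpload use; the other verdicts are the ones to review.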

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted December 08, 2025
Last updated December 08, 2025

Contributors

Alan Barret

@alanbarret

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$100