
Figure: Remote shell loaded by the w3wp.exe IIS worker process, leading to reconnaissance commands (Source: TRU)
The eSentire Threat Response Unit (TRU) has reported that threat actors are actively exploiting a six-year-old vulnerability, CVE-2019-18935, a .NET deserialization flaw in the RadAsyncUpload handler of Progress Telerik UI for ASP.NET AJAX.
The flaw lets an attacker who can reach the handler (and who knows its encryption keys, which older releases left recoverable) upload a file to the server and then make the IIS worker process deserialize attacker-controlled data that loads it, giving remote code execution as the application pool identity. Privilege escalation is a separate step: TRU observed attackers using a customized proof-of-concept exploit to deliver reverse shells and then running the JuicyPotatoNG privilege escalation tool.
“TRU observed threat actor(s) using the w3wp.exe (IIS worker process) to load a reverse shell and run follow-up commands for reconnaissance through cmd.exe,” the report states.
The attack begins with the threat actor sending a request to the IIS server to check whether the RadAsyncUpload file upload handler is reachable. If it is and the Telerik version is vulnerable, the attacker uploads a DLL containing the reverse shell and then triggers the deserialization flaw so that w3wp.exe loads it. The reverse shell connects back to a command-and-control server, giving the attacker remote command execution in the context of the application pool identity.
Once the reverse shell is established, the attacker runs commands through cmd.exe to gather information about the system and then escalates privileges. Here TRU observed JuicyPotatoNG, an open-source tool that abuses the SeImpersonatePrivilege that IIS application pool identities hold by default to obtain a SYSTEM-level process. Microsoft treats that impersonation-to-SYSTEM path as by design rather than as a patchable bug, so an up-to-date operating system does not stop it; preventing the initial foothold in w3wp.exe is what matters.
This report highlights the importance of patching known vulnerabilities, even those that are several years old. Organizations using Progress Telerik UI for ASP.NET AJAX should update to a fixed release (2020.1.114 or later per the public advisory, and preferably the current version), remove the RadAsyncUpload handler registration from web.config where the control is not used, and watch for w3wp.exe spawning cmd.exe or other shells, which is the behaviour TRU describes.
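The chain above leaves two cheap signals: the probe-then-POST pattern against the RadAsyncUpload handler in the IIS access log, and w3wp.exe spawning a shell in process-creation telemetry. The script below is an added example (not TRU's, Progress's, or the attackers' code) that checks both over constructed sample data and also flags a Telerik assembly version older than the fixed release. It assumes W3C-format IIS logs with a `#Fields:` header and Sysmon event 1 style field names (`ParentImage`, `Image`, `CommandLine`); the log lines, IP addresses and process events are constructed for the example.

```python
"""Triage helpers for the Telerik RadAsyncUpload (CVE-2019-18935) chain above.
Added example, not TRU's or Progress's code; the log lines and process events
below are constructed, not taken from the report."""
import re
from typing import Dict, Iterable, List

# CVE-2019-18935 is reached through the RadAsyncUpload handler at this path.
RAU_STEM = "/telerik.web.ui.webresource.axd"
RAU_QUERY_RE = re.compile(r"(^|&)type=rau(&|$)", re.IGNORECASE)
# Per the NVD description, 2020.1.114 added a default setting that blocks the
# exploit, so anything older is treated as exposed here.
FIXED_VERSION = (2020, 1, 114)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_version(text: str) -> tuple:
    """Extract a Telerik version such as '2019.3.1023' as a comparable tuple."""
    m = re.search(r"(\d{4})\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Telerik version in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_exposed(text: str) -> bool:
    """True when the assembly version predates the fixed release."""
    return parse_version(text) < FIXED_VERSION


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended IIS log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def rau_activity(rows: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per client IP, count GET probes of the handler and POSTs carrying payloads."""
    per_client: Dict[str, Dict[str, int]] = {}
    for r in rows:
        if r.get("cs-uri-stem", "").lower() != RAU_STEM:
            continue
        if not RAU_QUERY_RE.search(r.get("cs-uri-query", "")):
            continue
        counts = per_client.setdefault(r.get("c-ip", "?"), {"probe": 0, "post": 0})
        counts["probe" if r.get("cs-method") == "GET" else "post"] += 1
    return per_client


def suspicious_children(events: Iterable[dict]) -> List[dict]:
    """Process-creation events (Sysmon event 1 names) where w3wp.exe spawns a shell."""
    def basename(path: str) -> str:
        return path.rsplit("\\", 1)[-1].lower()
    return [e for e in events
            if basename(e["ParentImage"]) == "w3wp.exe" and basename(e["Image"]) in SHELLS]


def triage(log_lines: Iterable[str], events: Iterable[dict]) -> List[str]:
    """A probe followed by POSTs is the exploit shape; a shell under w3wp.exe is
    the post-exploitation shape. Returns one alert string per finding."""
    alerts = []
    for client, c in rau_activity(parse_w3c(log_lines)).items():
        if c["post"]:
            alerts.append(f"{client}: {c['probe']} probe(s) then {c['post']} POST(s) "
                          "to the RadAsyncUpload handler")
    for e in suspicious_children(events):
        alerts.append(f"w3wp.exe spawned {e['Image']}: {e['CommandLine']}")
    return alerts


# Constructed sample data (not from the report).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-05-01 10:00:01 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.31 200
2025-05-01 10:00:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.31 200
2025-05-01 10:00:03 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.31 200
2025-05-01 10:00:09 10.0.0.5 GET /default.aspx - 443 198.51.100.20 Mozilla/5.0 200
""".splitlines()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG, SAMPLE_EVENTS)))
```

The handler match is case-insensitive because IIS paths are; legitimate RadAsyncUpload traffic also POSTs to the same handler, so treat the alert as a lead to be confirmed against the Telerik version and the uploaded file type rather than as proof of compromise on its own.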