CVE-2017-9822 - Unspecified vulnerability in Dnnsoftware Dotnetnuke

CVSS 8.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, dnnsoftware, nessus, exploit available, metasploit

Summary

DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."

Vulnerable Configurations

Part         Description   Count
Application  Dnnsoftware   84

Exploit-Db

id: EDB-ID:48336
last seen: 2020-04-16
modified: 2020-04-16
published: 2020-04-16
reporter: Exploit-DB
source: https://www.exploit-db.com/download/48336
title: DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)

Metasploit

description: This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. The cookie is processed by the application whenever it attempts to load the current user's profile data. This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). An attacker can leverage this vulnerability to execute arbitrary code on the system.
id: MSF:EXPLOIT/WINDOWS/HTTP/DNN_COOKIE_DESERIALIZATION_RCE
last seen: 2020-06-12
modified: 2020-04-15
published: 2019-07-15
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb
title: DotNetNuke Cookie Deserialization Remote Code Execution

Nessus

NASL family: CGI abuses
NASL id: DOTNETNUKE_9_1_1.NASL
description: The version of DNN Platform (formerly DotNetNuke) running on the remote host is 5.2.0 or later but prior to 9.1.1. It is, therefore, affected by multiple vulnerabilities:
  - A remote code execution vulnerability exists due to insecure use of web cookies to identify users. An unauthenticated, remote attacker can exploit this, by impersonating a user and uploading malicious code to the server, to execute arbitrary code. This vulnerability affects all versions from 7.0.0 to 9.1.0.
  - A flaw exists due to an overly permissive HTML5 message posting policy when handling cross-document messaging. An unauthenticated, remote attacker can exploit this to conduct a spoofing attack or to disclose sensitive information. This vulnerability affects all versions from 8.0.0 to 9.1.0.
  - A cross-site redirection vulnerability exists due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to redirect users to a website of the attacker's choosing. This vulnerability affects all versions from 7.0.0 to 9.1.0.
  - A remote code execution vulnerability exists due to a failure to properly validate file types and extensions for uploaded files before placing them in a user-accessible path. An authenticated, remote attacker can exploit this to execute arbitrary code with the privileges of the web service. This vulnerability affects all versions from 5.2.0 to 9.1.0.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 101397
published: 2017-07-12
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/101397
title: DNN (DotNetNuke) 5.2.0 < 9.1.1 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(101397);
  script_version("1.10");
  script_cvs_date("Date: 2019/12/06");

  script_cve_id("CVE-2017-9822");

  script_name(english:"DNN (DotNetNuke) 5.2.0 < 9.1.1 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of DNN.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP.NET application that is affected
by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of DNN Platform (formerly DotNetNuke) running on the
remote host is 5.2.0 or later but prior to 9.1.1. It is, therefore,
affected by multiple vulnerabilities :

  - A remote code execution vulnerability exists due to
    insecure use of web cookies to identify users. An
    unauthenticated, remote attacker can exploit this, by
    impersonating a user and uploading malicious code to the
    server, to execute arbitrary code. This vulnerability
    affects all versions from 7.0.0 to 9.1.0.

  - A flaw exists due to an overly permissive HTML5 message
    posting policy when handling cross-document messaging.
    An unauthenticated, remote attacker can exploit this to
    conduct a spoofing attack or to disclose sensitive
    information. This vulnerability affects all versions
    from 8.0.0 to 9.1.0.

  - A cross-site redirection vulnerability exists due to
    improper validation of user-supplied input before
    returning it to users. An unauthenticated, remote
    attacker can exploit this, by convincing a user to
    follow a specially crafted link, to redirect users to a
    website of the attacker's choosing. This vulnerability
    affects all versions from 7.0.0 to 9.1.0.

  - A remote code execution vulnerability exists due to a
    failure to properly validate file types and extensions
    for uploaded files before placing them in a
    user-accessible path. An authenticated, remote attacker
    can exploit this to execute arbitrary code with the
    privileges of the web service. This vulnerability
    affects all versions from 5.2.0 to 9.1.0.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://www.dnnsoftware.com/community-blog/cid/155437/dnn-911-security-bulletin-released
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a950f08f");
  script_set_attribute(attribute:"see_also", value:"https://www.dnnsoftware.com/community/security/security-center");
  # https://www.f5.com/labs/articles/threat-intelligence/zealot-new-apache-struts-campaign-uses-eternalblue-and-eternalsynergy-to-mine-monero-on-internal-networks
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1d53b62d");
  script_set_attribute(attribute:"solution", value:
"Upgrade to DNN Platform version 9.1.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9822");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:dotnetnuke:dotnetnuke");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("dotnetnuke_detect.nasl");
  script_require_keys("installed_sw/DNN");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("http.inc");
include("vcf.inc");

app = "DNN";

get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, asp:TRUE);

app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);
vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
      {"min_version" : "5.2.0", "fixed_version" : "9.1.1" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
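The plugin above reaches its verdict purely from the self-reported version: it refuses to judge a version with fewer than three segments (vcf::check_granularity with sig_segments:3) and otherwise flags anything in the range 5.2.0 <= version < 9.1.1. The following Python is an added example that reproduces that decision offline so the logic can be checked against sample version strings; it is not Tenable's code and does not contact any host. The pre-release handling (a suffix such as -RC ranks below the corresponding final release) is an assumption of this example, not something the NASL library is known to do.

```python
import re

# Constraint taken from the Nessus plugin above: affected if 5.2.0 <= version < 9.1.1,
# and the reported version must carry at least three segments (sig_segments:3).
MIN_VERSION = "5.2.0"
FIXED_VERSION = "9.1.1"
REQUIRED_SEGMENTS = 3


def parse_version(text):
    """Split e.g. '9.3.0-RC' into ([9, 3, 0], 'RC'); return None if the string is not a version."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z][A-Za-z0-9]*))?", text.strip())
    if not m:
        return None
    numbers = [int(part) for part in m.group(1).split(".")]
    return numbers, (m.group(2) or "")


def _sort_key(text):
    """Comparable key: numeric segments padded to four places, with a pre-release tag
    (RC, beta, ...) ranking below the corresponding final release (assumption of this example)."""
    numbers, prerelease = parse_version(text)
    padded = numbers + [0] * (4 - len(numbers))
    return padded, 0 if prerelease else 1


def assess(reported_version):
    """Classify a self-reported DNN version string against the plugin's constraint.

    Returns 'vulnerable', 'not-vulnerable', 'insufficient-granularity' or 'unparseable'.
    """
    parsed = parse_version(reported_version)
    if parsed is None:
        return "unparseable"
    numbers, _ = parsed
    if len(numbers) < REQUIRED_SEGMENTS:
        # Mirrors vcf::check_granularity: '9.1' could be 9.1.0 or 9.1.1, so no verdict is possible.
        return "insufficient-granularity"
    key = _sort_key(reported_version)
    if _sort_key(MIN_VERSION) <= key < _sort_key(FIXED_VERSION):
        return "vulnerable"
    return "not-vulnerable"


if __name__ == "__main__":
    # Constructed sample version strings.
    for v in ("9.1.0", "9.1.1", "9.1.1-RC", "9.1", "5.1.9", "9.3.0-RC"):
        print(f"{v:10} -> {assess(v)}")
```

Note the caveat this makes visible: the Metasploit entry on this page states that the cookie deserialization issue affects versions up to 9.3.0-RC, while the Nessus constraint stops at 9.1.1, so a host reporting 9.2.x comes back "not-vulnerable" from this check even though the Metasploit module claims it is affected. A version check mirrors one vendor's constraint, not the full picture.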

Packetstorm

data source: https://packetstormsecurity.com/files/download/157080/dnn_cookie_deserialization_rce.rb.txt
id: PACKETSTORM:157080
last seen: 2020-04-03
published: 2020-04-03
reporter: Jon Park
source: https://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html
title: DotNetNuke Cookie Deserialization Remote Code Execution

Seebug

bulletinFamily: exploit
description:
### 0x00 Background

"DNN uses web cookies to identify users. A malicious user can decode one of such cookies and identify who that user is, and possibly impersonate other users and even upload malicious code to the server." (DNN Security Center)

On July 5, 2017, the DNN security team published a bulletin for CVE-2017-9822, a vulnerability rated critical. Alvaro Muñoz (@pwntester) and Oleksandr Mirosh then disclosed some of its details at Black Hat USA 2017. 360CERT followed up with an analysis of the vulnerability and of the attack scenarios that arise when .NET code uses XmlSerializer for serialization and deserialization, and rates it as a serious vulnerability.

### 0x01 Vulnerability overview

DNNPersonalization is the cookie DNN uses to store the logged-in user's personal profile data. An attacker can modify this cookie to achieve arbitrary file upload on the server, remote code execution and other attacks.

### 0x02 Impact

* Severity rating: Critical
* Reportedly more than 75 million users worldwide build their websites with DNN, so the scope of impact is large.
* Affected versions: all versions from 5.0.0 to 9.1.0
* Fixed versions: DNN Platform 9.1.1 and EVOQ 9.1.1

### 0x03 Vulnerability details

#### 1. Vulnerable code

PersonalizationController.cs, lines 66-72: ![](https://images.seebug.org/1501726617185) The DNNPersonalization value is read from the cookie and passed to the DeserializeHashTableXml method in Globals.

Globals.cs, lines 3687-3690: ![](https://images.seebug.org/1501726660263) This in turn calls the DeSerializeHashtable method of XmlUtils.

XmlUtils.cs, lines 184-218: ![](https://images.seebug.org/1501726692526) This method reads the type attribute of each item element and uses its value to set the type, and at line 208 it deserializes the element's content; that is the trigger point of the vulnerability. The path from the input point to the exploitable sink is quite direct. What follows is an analysis of how such an XmlSerializer deserialization point can be exploited.

### 0x04 Exploitation analysis

#### 1. How XmlSerializer is used

![](https://images.seebug.org/1501726735223) When a class is serialized or deserialized, its type information must be passed in. The generated serialized data looks like this: ![](https://images.seebug.org/1501726755580) It is an XML document in which the class name and its member variables are represented as elements.

#### 2. Structure of the gadget chain

Modify the TestClass above so that its member variable is wrapped in a property with a setter. ![](https://images.seebug.org/1501726792120) Observing the output of the deserialization code, it is clear that the setter is called automatically, so a setter can serve as the first step of the chain. The next step is to find a class that can be used for the attack. System.Windows.Data.ObjectDataProvider can call any method of any referenced class at run time. An example: ![](https://images.seebug.org/1501726849830) This is equivalent to TestClass.FuncExample("JustATest!"). ObjectDataProvider's member variables are encapsulated in properties, and each time a setter is called it checks whether the parameters are sufficient; if they are, it automatically invokes the supplied method. The process is shown in a diagram borrowed from the Black Hat talk.

![](https://images.seebug.org/1501726870467) Thus, if an ObjectDataProvider is serialized, arbitrary method calls can be achieved on deserialization. What remains is to find a class whose method produces the desired effect; DNN has one that achieves arbitrary file upload, the PullFile method of DotNetNuke.Common.Utilities.FileSystemUtils: ![](https://images.seebug.org/1501726893082)

#### 3. Payload generation

One small problem has to be solved when generating the payload: ObjectDataProvider contains a member variable of type System.Object, ObjectInstance, and at execution time XmlSerializer does not know this variable's concrete type, so it cannot be serialized. This can be solved by using ExpandedWrapper to extend the attribute type. ![](https://images.seebug.org/1501726915616) The generated content is as follows: ![](https://images.seebug.org/1501726955498) DNN obtains the value of the item's type attribute, calls Type.GetType to get the type of the serialized data, and then deserializes it. The corresponding assembly name therefore has to be added; the value of the type can be obtained with the following code: ![](https://images.seebug.org/1501726993083) ![](https://images.seebug.org/1501727002827) Combined with the DNN code, the final payload is generated: ![](https://images.seebug.org/1501727022918)

### 0x05 Exploit verification

The exploit was validated locally at the trigger point, the DeSerializeHashtable function. ![](https://images.seebug.org/1501727055112) Looking at the server side, the exploit succeeds. ![](https://images.seebug.org/1501727076976)
id: SSV:96326
last seen: 2017-11-19
modified: 2017-08-03
published: 2017-08-03
reporter: Root
title: DotNetNuke arbitrary code execution vulnerability (CVE-2017-9822)
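The Seebug analysis and the Metasploit description agree on the root cause: the server trusts the "type" attribute of each item in the DNNPersonalization cookie and hands it to Type.GetType before deserializing. A defender reviewing web logs or WAF captures can therefore triage cookies by that attribute alone, without ever deserializing anything. The following Python is an added example of that triage, not code from DNN, Seebug, 360CERT or Rapid7. It assumes the cookie layout described above (a profile root with item elements carrying key and type attributes), and the allow-list of value types a legitimate profile cookie carries is an assumption of this example; the gadget class names it looks for are the ones the analysis names.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Assumed layout of the DNNPersonalization cookie, as described in the analysis above:
#   <profile><item key="..." type="..."> ...serialized value... </item></profile>
# where 'type' is the attribute DNN passes to Type.GetType before deserializing.
# The allow-list below is an assumption for this example: the simple value types a
# legitimate profile cookie is expected to carry.
ALLOWED_TYPES = {"System.String", "System.Int32", "System.Boolean", "System.DateTime"}

# Class names the analysis above identifies as gadget-chain components.
GADGET_MARKERS = ("ObjectDataProvider", "ExpandedWrapper")


def audit_personalization_cookie(raw_cookie):
    """Return one (key, type-name, verdict) tuple per <item>; verdict is 'ok',
    'unexpected-type' or 'gadget'. A cookie that is not well-formed XML yields a
    single ('<parse-error>', message, 'malformed') entry instead."""
    try:
        # unquote() handles the URL-encoded form seen in a Cookie header; plain XML passes through.
        root = ET.fromstring(urllib.parse.unquote(raw_cookie))
    except ET.ParseError as exc:
        return [("<parse-error>", str(exc), "malformed")]
    findings = []
    for item in root.iter("item"):
        key = item.get("key", "")
        # Strip assembly qualification ("Ns.Type, Assembly, Version=...") down to the type name.
        type_name = item.get("type", "").split(",")[0].strip()
        if any(marker in type_name for marker in GADGET_MARKERS):
            verdict = "gadget"
        elif type_name in ALLOWED_TYPES:
            verdict = "ok"
        else:
            verdict = "unexpected-type"
        findings.append((key, type_name, verdict))
    return findings


def is_suspicious(raw_cookie):
    """True if any item would be deserialized as something other than an allowed value type."""
    return any(verdict != "ok" for _, _, verdict in audit_personalization_cookie(raw_cookie))


# Constructed sample cookie values (URL-encoded, as they would appear in a Cookie header).
BENIGN_COOKIE = urllib.parse.quote(
    '<profile><item key="Usability:UserMode" type="System.String">'
    '<string>VIEW</string></item></profile>'
)
SUSPICIOUS_COOKIE = urllib.parse.quote(
    '<profile><item key="name1:key1" '
    'type="System.Windows.Data.ObjectDataProvider, PresentationFramework"/></profile>'
)

if __name__ == "__main__":
    for label, cookie in (("benign", BENIGN_COOKIE), ("suspicious", SUSPICIOUS_COOKIE)):
        print(label, audit_personalization_cookie(cookie), is_suspicious(cookie))
```

The check deliberately inverts the server's logic: instead of asking whether a type is known bad, it asks whether the type is on the short list the application legitimately needs, so a cookie naming any other class (a gadget from the analysis or something not yet catalogued) is reported. Because the parser only reads attributes, running it over captured traffic never instantiates the types it inspects.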