Rapid7 Vulnerability & Exploit Database

DotNetNuke Cookie Deserialization Remote Code Excecution

Back to Search

DotNetNuke Cookie Deserialization Remote Code Excecution

Disclosed
07/20/2017
Created
04/02/2020

Description

This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. The cookie is processed by the application whenever it attempts to load the current user's profile data. This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). An attacker can leverage this vulnerability to execute arbitrary code on the system.

Author(s)

  • Jon Park
  • Jon Seigel

Platform

Windows

Architectures

x86, x64

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/dnn_cookie_deserialization_rce
msf exploit(dnn_cookie_deserialization_rce) > show targets
    ...targets...
msf exploit(dnn_cookie_deserialization_rce) > set TARGET < target-id >
msf exploit(dnn_cookie_deserialization_rce) > show options
    ...show and set options...
msf exploit(dnn_cookie_deserialization_rce) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;