CVE-2015-2794
published 2017-02-06
CVE-2015-2794: The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to…
Priority: P181 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 74.55% (99.4th percentile)
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dotnetnuke | <= 07.04.00 | — |
Detection & IOCs (extracted from sources)
- HTTP GET request to /Install/InstallWizard.aspx with __VIEWSTATE parameter indicates exploitation attempt; response body containing both 'Administrative Information' and 'Database Information' confirms the wizard is accessible to unauthenticated users.
- Exploitation with default DNN SQL configuration creates a SuperUser account with username 'host' and password 'dnnhost' via the executeinstall query parameter.
- Monitor for unauthenticated GET/POST requests to /Install/InstallWizard.aspx on DotNetNuke installations; the presence of query parameters __VIEWSTATE= and/or executeinstall is a strong indicator of exploitation.
- FOFA/Shodan fingerprint queries 'app="DotNetNuke"' can be used to identify exposed DNN instances for proactive scanning.
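The request-monitoring indicators above can be applied to web server logs. The following is an added example, not part of the original page or of any listed source: it assumes IIS W3C extended logs with the field names shown in the `#Fields` header, and the sample log lines and the function name `find_wizard_hits` are constructed for illustration.

```python
"""Flag requests to the DNN install wizard in IIS W3C logs (CVE-2015-2794)."""
from urllib.parse import unquote

WIZARD_PATH = "/install/installwizard.aspx"        # compared case-insensitively
STRONG_MARKERS = ("__viewstate=", "executeinstall")  # query markers named on the page

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2024-01-10 09:00:01 GET /Default.aspx - 198.51.100.7 - 200
2024-01-10 09:00:05 GET /Install/InstallWizard.aspx - 203.0.113.9 - 200
2024-01-10 09:00:09 GET /Install/InstallWizard.aspx __VIEWSTATE= 203.0.113.9 - 200
2024-01-10 09:00:12 POST /install/installwizard.aspx culture=en-US&executeinstall 203.0.113.9 - 200
"""


def find_wizard_hits(lines):
    """Return one dict per request that reached the install wizard path."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        # Decode and lower-case so case or percent-encoding does not hide a hit.
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        if stem != WIZARD_PATH:
            continue
        query = unquote(rec.get("cs-uri-query", "")).lower()
        strong = any(marker in query for marker in STRONG_MARKERS)
        hits.append({
            "time": f'{rec.get("date")} {rec.get("time")}',
            "method": rec.get("cs-method"),
            "client": rec.get("c-ip"),
            "status": rec.get("sc-status"),
            "anonymous": rec.get("cs-username") == "-",
            "level": "strong" if strong else "probe",
        })
    return hits


if __name__ == "__main__":
    for hit in find_wizard_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

On a patched or fully installed site, any 200 response to this path from an anonymous client is worth triage even at the "probe" level.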
CVSS provenance
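| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |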
GHSA
The installation wizard in DotNetNuke (DNN) allows privilege escalation
ghsa·2018-10-16
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
OSV
The installation wizard in DotNetNuke (DNN) allows privilege escalation
osv·2018-10-16
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
No detection rules found.
Exploit-DB
DotNetNuke 07.04.00 - Administration Authentication Bypass
exploitdb·2016-05-06·CVSS 9.8
---
# Exploit Title: DotNetNuke 07.04.00 Administration Authentication Bypass
# Date: 06-05-2016
# Exploit Author: Marios Nicolaides
# Vendor Homepage: http://www.dnnsoftware.com/
# Software Link: https://dotnetnuke.codeplex.com/releases/view/611324
# Version: 07.04.00
# Tested on: Microsoft Windows 7 Professional (64-bit)
# Contact: [email protected]
# CVE: CVE-2015-2794
# Category: webapps
1. Description
DotNetNuke 07.04.00 does not prevent anonymous users from accessing the installation wizard; as a result, a remote attacker can 'reinstall' DNN and get unauthorised access as a SuperUser.
Previous versions of DotNetNuke may also be affected.
2. Proof of Concept
The exploit can be demonstrated as follows:
If th
Nuclei
DotNetNuke 07.04.00 - Administration Authentication Bypass
nuclei·CVSS 9.8
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
Template:
```yaml
id: CVE-2015-2794

info:
  name: DotNetNuke 07.04.00 - Administration Authentication Bypass
  author: 0xr2r
  severity: critical
  description: |
    The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
  impact: |
    Attackers can reinstall the application and escalate privileges to SuperUser, leading to full control over the system.
  remediation: |
    Update to version 7.4.1 or later to fix the vulnerability.
  reference:
```
No writeups or analysis indexed.
- http://www.dnnsoftware.com/community-blog/cid/155198/workaround-for-potential-security-issue
- http://www.dnnsoftware.com/community/security/security-center
- http://www.securityfocus.com/bid/96373
- https://dotnetnuke.codeplex.com/releases/view/615317
- https://www.exploit-db.com/exploits/39777/
Published: 2017-02-06