CVE-2017-9822
Published 2017-07-20
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
Priority P1 · 96 · high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 94.79% (99.8th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dotnetnuke | < 9.1.1 | 9.1.1 |
| dotnetnuke | dotnetnuke_cms_fixed_in_9.1.1 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2017-9822 is exploited via a malicious cookie in HTTP requests sent to DNN (DotNetNuke) servers; monitor for anomalous or oversized cookie values in inbound HTTP traffic to DNN endpoints.
- Exploit delivery uses multiple layers of obfuscated code in HTTP request bodies; inspect HTTP requests to DNN servers for encoded or obfuscated scripting payloads.
- Post-exploitation activity includes outbound HTTP connections to eeme7j[.]win to download Monero miner payloads (mule.exe for Windows, mule for Linux); alert on any outbound connections to this domain.
- Both Windows and Linux web servers are targeted; look for PowerShell scripts (scv.ps1) or shell scripts (larva.sh) spawned from web server processes as indicators of compromise.
- The exploit vector is specifically the DNN cookie deserialization mechanism; only DNN (DotNetNuke) installations prior to version 9.1.1 are vulnerable.
- The malicious domain eeme7j[.]win and associated payload URLs were observed in a campaign active from mid-December 2017; infrastructure may have changed since then.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
GHSA
DNN (aka DotNetNuke) has Remote Code Execution via a cookie
ghsa·2018-10-16·HIGH·CWE-20
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
OSV
DNN (aka DotNetNuke) has Remote Code Execution via a cookie
osv·2018-10-16·HIGH
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
VulnCheck
DotNetNuke (DNN) Remote Code Execution Vulnerability
vulncheck·2017·CVSS 8.8·HIGH·CWE-20
DotNetNuke (DNN) contains a vulnerability that may allow for remote code execution via cookie deserialization.
Affected: DotNetNuke (DNN)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.tenable.com/blog/daisy-chaining-how-vulnerabilities-can-be-greater-than-the-sum-of-their-parts
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.greynoise.io/blog/battling-ransomware-one-tag-at-a-time
Exploit PoC:
- https://vulncheck.com/xdb/4b5fa5369011
- https://vulncheck.com/xdb/c7e83c0cb80f
- https://vulncheck.com/xdb/764d03ba604d
Remediation Due: 2022-05-03
CISA
DotNetNuke (DNN) Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 8.8·HIGH·CWE-20
DotNetNuke (DNN) contains a vulnerability that may allow for remote code execution via cookie deserialization.
Affected: DotNetNuke (DNN)
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-9822
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)
suricata·2021-11-01·CVSS 7.5·HIGH
Rule (sid 2034308):
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Ser
```
Suricata
ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822)
suricata·2018-04-27·CVSS 8.8·HIGH
Rule (sid 2025545):
```
alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822)"; flow:established,to_server; http.cookie; content:"DNNPersonalization="; fast_pattern; content:"ObjectStateFormatter"; content:"ObjectDataProvider"; reference:cve,2017-9822; reference:url,f5.com/labs/articles/threat-intelligence/cyber-security/zealot-new-apache-struts-campaign-uses-eternalblue-and-eternalsynergy-to-mine-monero-on-internal-networks?sf176487178; classtype:attempted-admin; sid:2025545; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_04_27, cve CVE_2017_9822, deployment Datacenter, signature_severity Minor, tag CISA_K
```
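The two Emerging Threats rules above encode the same detection logic: the `DNNPersonalization` cookie carrying the `ObjectStateFormatter` / `ObjectDataProvider` gadget markers (sid 2025545), or the `ExpandedWrapper...` marker followed in order by `<profile`, `MethodName`, `Deserialize` and `MethodParameters` (sid 2034308). The Python below is an added, defender-side example (not part of this page, of the Emerging Threats rule set, or of DNN) that applies those content matches, plus the "oversized cookie" IOC listed earlier, to a raw `Cookie` header offline, as one would when sweeping proxy or web-server logs. The 4096-byte threshold and both sample cookies are constructed assumptions; the suspicious sample is only the rules' marker tokens strung together, not a serialized payload.

```python
"""Offline check of an HTTP Cookie header against the content matches of
ET sid 2025545 and sid 2034308 (DNNPersonalization cookie deserialization).
Added example, not from the page, the ET rule set or DNN; samples are constructed."""
from urllib.parse import unquote

COOKIE_NAME = "DNNPersonalization"
MAX_COOKIE_LEN = 4096  # assumed threshold for the "oversized cookie" IOC


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header into {name: percent-decoded value}."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip():
            jar[name.strip()] = unquote(value.strip())
    return jar


def matches_sid_2025545(value: str) -> bool:
    """sid 2025545: both markers present, case-sensitive, in any order
    (the rule puts no nocase and no distance modifiers on these contents)."""
    return "ObjectStateFormatter" in value and "ObjectDataProvider" in value


def matches_sid_2034308(value: str) -> bool:
    """sid 2034308: the ExpandedWrapper marker anywhere (nocase), then
    "<profile" followed in order by MethodName, Deserialize and
    MethodParameters, each distance:0 relative to the previous match.
    Simplifications: the first content is matched against the cookie value
    rather than the whole payload, and only the first "<profile" is tried,
    whereas Suricata backtracks over every occurrence."""
    low = value.lower()
    if "expandedwrapperofobjectstateformatterobjectdataprovider" not in low:
        return False
    pos = low.find("<profile")
    if pos < 0:
        return False
    for token in ("methodname", "deserialize", "methodparameters"):
        pos = low.find(token, pos)
        if pos < 0:
            return False
        pos += len(token)
    return True


def inspect_cookie_header(header: str) -> list:
    """Return a list of finding strings for one request; empty means clean."""
    value = parse_cookie_header(header).get(COOKIE_NAME)
    if value is None:
        return []
    findings = []
    if len(value) > MAX_COOKIE_LEN:
        findings.append(f"oversized {COOKIE_NAME} cookie: {len(value)} bytes")
    if matches_sid_2025545(value):
        findings.append("sid 2025545: ObjectStateFormatter + ObjectDataProvider in DNNPersonalization")
    if matches_sid_2034308(value):
        findings.append("sid 2034308: ExpandedWrapper/MethodName/Deserialize/MethodParameters chain")
    return findings


# Constructed samples. BENIGN mimics the shape of an ordinary anonymous-user
# personalization cookie; SUSPICIOUS is just the rules' marker tokens strung
# together around a PLACEHOLDER (no serialized data), enough to exercise the matchers.
BENIGN = ("DNNPersonalization=%3Cprofile%3E%3Citem%20key%3D%22Usability%3AUserMode%22"
          "%20type%3D%22System.String%22%3EVIEW%3C%2Fitem%3E%3C%2Fprofile%3E; "
          ".ASPXANONYMOUS=constructed-token")
SUSPICIOUS = ("DNNPersonalization=%3Cprofile%3E%3Citem%20type%3D%22ExpandedWrapperOf"
              "ObjectStateFormatterObjectDataProvider%22%3E%3CObjectDataProvider%20"
              "MethodName%3D%22Deserialize%22%3E%3CMethodParameters%3EPLACEHOLDER"
              "%3C%2FMethodParameters%3E%3C%2FObjectDataProvider%3E%3C%2Fitem%3E%3C%2Fprofile%3E")

if __name__ == "__main__":
    for label, hdr in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_cookie_header(hdr) or ["clean"])
```

Run against real logs, feed each request's `Cookie` header to `inspect_cookie_header`; a non-empty result is the trigger for the same follow-up the IOC list above describes (child processes of the web server, outbound connections). The size check is there because a legitimate `DNNPersonalization` value is a short XML profile, so a multi-kilobyte value is worth a look even when the marker strings are absent or obfuscated.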
Exploit-DB
DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)
exploitdb·2020-04-16·CVE-2018-18326
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
require 'openssl'
require 'set'
class MetasploitModule active_timeout
}
# payload handler is normally set up and started here
# but has been removed so we can start the handler when needed.
end
def initialize(info = {})
super(update_info(
info,
'Name' => "DotNetNuke Cookie Deserialization Remote Code Execution",
'Description' => %q(
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.
Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.
The expect
```
Metasploit
DotNetNuke Cookie Deserialization Remote Code Execution
metasploit
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. The cookie is processed by the application whenever it attempts to load the current user's profile data. This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). An attacker can leverage this vulnerability to execute arbitrary code on the system.
Nuclei
DotNetNuke 5.0.0 - 9.3.0 - Cookie Deserialization Remote Code Execution
nuclei·CVSS 8.8·HIGH
DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected by a deserialization vulnerability that leads to remote code execution.
Template:
```yaml
id: CVE-2017-9822

info:
  name: DotNetNuke 5.0.0 - 9.3.0 - Cookie Deserialization Remote Code Execution
  author: milo2012
  severity: high
  description: DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected by a deserialization vulnerability that leads to remote code execution.
  impact: |
    Remote code execution through cookie deserialization
  remediation: |
    Upgrade DotNetNuke to a version higher than 9.3.0
  reference:
    - https://github.com/murataydemir/CVE-2017-9822
    - https://nvd.nist.gov/vuln/detail/CVE-2017-9822
    - http://www.dnnsoftware.com/community/security/security-center
    -
```
Qualys
Identify Server-Side Attacks Using Qualys Periscope
blogs_qualys·2022-12-01·CVSS 8.8·HIGH
#### Table of Contents
- Potential False Positives
- Potential False Negatives
Qualys previously announced the introduction of Qualys Periscope in 2020. This technology allows Qualys Web Application Scanning (WAS) to detect out-of-band vulnerabilities such as server-side request forgery (SSRF). Qualys Periscope provides confirmed detections for additional vulnerabilities, such as Log4j, where it enables rapid development and release of the QID. Occasionally, Qualys receives questions and support cases related to Qualys Periscope. This article will provide more detail on the common questions/situations seen with out-of-band detections.
As of publishing, the vulnerability detections that utilize Qualys Periscope are:
- QID 150055 – OS Command Injection
- QID 150179 – Blind XXE injection
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable·2021-01-21
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
Sentinelone
Vulnerability Assessment, Penetration Testing, and Redteaming
blogs_sentinelone·2019-07-22·CVSS 8.8·HIGH
A guest post by Florian Hansemann – @HanseSecure
More and more frequently the terms ‘Vulnerability Assessment’, ‘Penetration Testing’ and ‘Redteaming’ are misused or misinterpreted. Whether the reason for this wording lies with the sales teams of the corresponding service providers (Pentesting sounds more like CyberCyber than Vulnerability Assessment 😉 ) or elsewhere is irrelevant.
The important thing is that the company knows what is hidden behind the term and when it should be used. Therefore, this article will describe the various technical security audit possibilities and explain when each method should be used.
## Vulnerability Assessment
Description
A vulnerability assessment uses mostly automated procedures and generic scanners to detect security vulnerabilities in systems. Th
Possible Findings
1. Default Credentials [cisco:cisco]
2. Missing Patches [CVE-2017-0144]
3. Open Ports [databases]
4. Missing Sec
Trendmicro
Struts and DotNetNuke Server Exploits Used For Cryptocurrency Mining
blogs_trendmicro·2018-01-19·CVSS 9.8·CRITICAL
Exploits & Vulnerabilities
By: Hubert Lin, 2018/01/19
By compromising servers in order to run cryptocurrency miners, the threat actors would gain access to more computing power and increase their profits from illicit mining.
Threat actors have turned to cryptocurrency mining as a reliable way to make a profit in recent months. Cryptocurrency miners use the computing power of end user systems to mine coins of various kinds, most commonly via malware or compromised websites. By compromising servers in order to run cryptocurrency miners, the threat actors would gain access to more computing power and increase their profits from illicit mining.
In recent weeks we have noted a signific
HackerOne
CVE-2017-9822 DotNetNuke Cookie Deserialization Remote Code Execution (RCE) on lonidoor.mtn.ci
hackerone·2024-11-16·CVSS 8.8·HIGH
## Summary:
DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected by a deserialization vulnerability that leads to Remote Code Execution (RCE). DotNetNuke uses the `DNNPersonalization` cookie to store anonymous users’ personalization options (the options for authenticated users are stored through their profile pages). This cookie is used when the application serves a custom 404 Error page, which is also the default setting.
```cs
public static Hashtable DeSerializeHashtable(string xmlSource, string rootname)
{
    var HashTable = new Hashtable();
    if (!String.IsNullOrEmpty(xmlSource))
    {
        try
        {
            var xmlDoc = new XmlDocument();
            xmlDoc.LoadXml(xmlSource);
            foreach (XmlElement xmlItem in xmlDoc.Sel
```
References
- http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html
- http://www.dnnsoftware.com/community/security/security-center
- http://www.securityfocus.com/bid/102213
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9822
Timeline
- 2017-07-20: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild