CVE-2018-18325
Published 2019-07-03
Priority: P1 · 84 · high · CVSS 3.1: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 74.05% (99.4th percentile)
DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dotnetnuke | 9.2 – 9.2.2 | — |
Detection & IOCs (extracted from sources)
cookie: DNNPersonalization= · WriteFile · C:\Windows\win.ini
other: ExpandedWrapperOfObjectStateFormatterObjectDataProvider
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2018_15811, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes:
ff 01 32 (ObjectStateFormatter serialized header: [255, 1, 50])
- Trigger detection by monitoring HTTP requests to the DNN 404 handler path (default '/__') that carry a DNNPersonalization cookie containing XML with a 'type' attribute and 'MethodName', 'Deserialize' and 'MethodParameters' fields; together these are the hallmarks of the deserialization payload.
- Inspect HTTP cookies for the string 'ExpandedWrapperOfObjectStateFormatterObjectDataProvider' within the DNNPersonalization cookie value; this is the fast-pattern anchor used by the ET rule.
- For DNN versions 9.2.0 through 9.3.0-RC, exploitation requires an authenticated session (.DOTNETNUKE cookie) AND an encrypted DNNPersonalization cookie; detection should correlate authenticated requests carrying encrypted cookie payloads to the 404 handler path.
- Validate exploitation by checking the HTTP 404 response body for the Windows win.ini strings '[extensions]' and 'for 16-bit app support', which indicate a successful file read via deserialization.
- The ObjectStateFormatter serialized payload begins with the byte sequence [255, 1, 50] (0xFF 0x01 0x32); network or endpoint detection can key on this header within base64-decoded DNNPersonalization cookie values.
- CVE-2018-18325 is an incomplete patch for CVE-2018-15811; the ET Snort rule names CVE-2018-15811 in its message but references both CVEs, so make sure your ruleset is not filtering one of them out.
- Exploitation of DNN 9.2.0+ (targets requiring ReqEncrypt and ReqSession) requires the attacker to supply a valid KEY, IV and authenticated session token; unauthenticated detections alone are insufficient for these versions.
- The default TARGETURI '/__' triggers the DNN 404 handler; defenders should also monitor any custom 404 handler paths configured on their DNN instances, not just the default.
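The detection points above translate directly into request triage logic. The following is an added example written for this page; it is not code from DNN, Emerging Threats or any of the indexed sources. It checks a request's DNNPersonalization cookie for the ET rule's plaintext markers, for the ObjectStateFormatter header 0xFF 0x01 0x32 inside a base64 value, and, for the DNN 9.2+ pattern, correlates an opaque (assumed base64-encoded ciphertext) cookie with a .DOTNETNUKE session cookie on the 404 handler path. It also checks a 404 body for the win.ini strings. The sample requests and bodies are constructed for the example; the cookie parser and the HANDLER_PATHS list are assumptions you should adapt to your own deployment.

```python
"""Defensive triage of HTTP requests for DNNPersonalization cookie abuse
(CVE-2018-15811 / CVE-2018-18325 pattern). All samples are constructed."""
import base64
import binascii
from urllib.parse import quote, unquote

# Plaintext markers: the content matches from ET rule sid:2034308.
PLAINTEXT_MARKERS = (
    "ExpandedWrapperOfObjectStateFormatterObjectDataProvider",
    "<profile",
    "MethodName",
    "Deserialize",
    "MethodParameters",
)
# ObjectStateFormatter serialized header [255, 1, 50].
OSF_HEADER = b"\xff\x01\x32"
# DNN 404 handler path; '/__' is the default. Add custom handler paths here (assumption).
HANDLER_PATHS = ("/__",)
# win.ini fragments that appear in a 404 body after a successful file read.
WININI_MARKERS = ("[extensions]", "for 16-bit app support")


def parse_cookies(header):
    """Minimal Cookie-header splitter (assumption: values contain no ';')."""
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def try_base64(value):
    """Return decoded bytes for strict base64 input, else None (XML is rejected)."""
    if not value:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_request(path, cookie_header):
    """Return a list of reasons the request looks like cookie deserialization abuse."""
    reasons = []
    cookies = parse_cookies(cookie_header)
    raw = cookies.get("DNNPersonalization")
    if raw is None:
        return reasons
    value = unquote(raw)
    # 1. Unencrypted XML payload: every ET rule marker present (case-insensitive).
    lowered = value.lower()
    if all(m.lower() in lowered for m in PLAINTEXT_MARKERS):
        reasons.append("[high] plaintext deserialization markers in DNNPersonalization")
    # 2. Base64-encoded ObjectStateFormatter blob keyed on its ff 01 32 header.
    blob = try_base64(value)
    if blob is not None and blob.startswith(OSF_HEADER):
        reasons.append("[high] ObjectStateFormatter header ff 01 32 in base64 cookie value")
    # 3. DNN 9.2+: the cookie is encrypted, so markers are invisible; correlate
    #    an opaque base64 cookie with a session cookie on the 404 handler path.
    to_handler = any(path.startswith(p) for p in HANDLER_PATHS)
    if not reasons and to_handler and ".DOTNETNUKE" in cookies and blob is not None:
        reasons.append("[medium] opaque DNNPersonalization with session cookie to 404 handler path")
    return reasons


def response_indicates_file_read(status, body):
    """True when a 404 body carries the win.ini strings (successful file read)."""
    return status == 404 and all(m in body for m in WININI_MARKERS)


# Constructed samples (not real traffic): the XML only carries the marker tokens.
_PLAINTEXT_XML = (
    '<profile><item key="x" type="ExpandedWrapperOfObjectStateFormatterObjectDataProvider">'
    "<MethodName>Deserialize</MethodName><MethodParameters/></item></profile>"
)
_BENIGN_XML = '<profile><item key="Usability:UserMode" type="System.String">VIEW</item></profile>'
_OSF_BLOB = base64.b64encode(OSF_HEADER + b"\x00" * 8).decode()
_OPAQUE = base64.b64encode(bytes(range(0x80, 0x90))).decode()  # stand-in for ciphertext

SAMPLE_REQUESTS = {
    "plaintext_to_handler": ("/__", "DNNPersonalization=" + quote(_PLAINTEXT_XML)),
    "osf_blob": ("/__", ".DOTNETNUKE=abc; DNNPersonalization=" + _OSF_BLOB),
    "encrypted_with_session": ("/__", ".DOTNETNUKE=abc; DNNPersonalization=" + _OPAQUE),
    "benign_profile": ("/Default.aspx", "DNNPersonalization=" + quote(_BENIGN_XML)),
    "opaque_no_session": ("/__", "DNNPersonalization=" + _OPAQUE),
}


def scan(requests=SAMPLE_REQUESTS):
    """Map each sample label to the reasons inspect_request found for it."""
    return {label: inspect_request(path, ck) for label, (path, ck) in requests.items()}


if __name__ == "__main__":
    for label, reasons in scan().items():
        print(f"{label:24} {reasons or ['clean']}")
```

The [medium] correlation rule is deliberately the weakest signal: a legitimate authenticated user hitting a missing page also sends an encrypted cookie to the 404 handler, so treat it as a pivot for hunting (rate, source, follow-on 404 bodies) rather than a standalone alert.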
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| cisa | — | 7.5 | HIGH | — |
OSV
Inadequate Encryption Strength in DotNetNuke
osv · 2019-07-05 · CVSS 7.5 · HIGH
DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.
GHSA
Inadequate Encryption Strength in DotNetNuke
ghsa · 2019-07-05 · CVSS 7.5 · HIGH · CWE-326
DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.
VulnCheck
DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
vulncheck · 2018 · CVSS 7.5 · HIGH · CWE-326
DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters. This CVE ID resolves an incomplete patch for CVE-2018-15811.
Affected: DotNetNuke (DNN)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
CISA
DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
cisa · 2021-11-03 · CVSS 7.5 · HIGH · CWE-326
Affected: DotNetNuke (DNN)
DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters. This CVE ID resolves an incomplete patch for CVE-2018-15811.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-18325
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)
suricata · 2021-11-01 · CVSS 7.5 · HIGH · indexed under CVE-2017-9822
Rule: sid:2034308, reproduced in full in the Detection & IOCs section above.
Exploit-DB
DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)
exploitdb · 2020-04-16 · CVE-2018-18326
Module header (excerpt as indexed; garbled and truncated in the source):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
require 'openssl'
require 'set'
class MetasploitModule active_timeout
}
# payload handler is normally set up and started here
# but has been removed so we can start the handler when needed.
end
def initialize(info = {})
super(update_info(
info,
'Name' => "DotNetNuke Cookie Deserialization Remote Code Execution",
'Description' => %q(
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.
Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.
The expect
```
Metasploit
DotNetNuke Cookie Deserialization Remote Code Execution
metasploit
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. The cookie is processed by the application whenever it attempts to load the current user's profile data. This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). An attacker can leverage this vulnerability to execute arbitrary code on the system.
Nuclei
DotNetNuke 9.2 - 9.2.2 - Weak Encryption & Cookie Deserialization
nuclei · CVSS 7.5 · HIGH
DNN (DotNetNuke) versions 9.2 through 9.2.2 use a weak encryption algorithm to protect input parameters because of an incomplete fix for CVE-2018-15811. This cryptographic weakness enables attackers to craft malicious DNNPersonalization cookies that can be deserialized, leading to remote code execution.
Template (truncated in the source):

```yaml
id: CVE-2018-18325
info:
  name: DotNetNuke 9.2 - 9.2.2 - Weak Encryption & Cookie Deserialization
  author: pdteam
  severity: high
  description: |
    DNN (DotNetNuke) versions 9.2 through 9.2.2 use a weak encryption algorithm to protect input parameters because of an incomplete fix for CVE-2018-15811. This cryptographic weakness enables attackers to craft malicious DNNPersonalization cookies that can be deserialized, le
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html
- https://github.com/dnnsoftware/Dnn.Platform/releases
- https://www.dnnsoftware.com/community/security/security-center
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-18325
Timeline
- 2019-07-03: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild