CVE-2018-18326
Published 2019-07-03
Priority: P2 · 64 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 53.62% (98.9th percentile)
DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dotnetnuke | 9.2 – 9.2.2 | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2018_15811, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes
ff 01 32 (ObjectStateFormatter serialized header)
- The malicious DNNPersonalization cookie payload contains the XML strings 'ExpandedWrapperOfObjectStateFormatterObjectDataProvider', '<profile', 'MethodName', 'Deserialize', and 'MethodParameters', all present in the HTTP cookie header.
- The exploit triggers cookie deserialization by requesting a path that causes a DNN 404 error (default: '/__'), which causes DNN to process the DNNPersonalization cookie and deserialize the attacker-controlled payload.
- For DNN versions 9.2.0+, the exploit requires an authenticated session cookie (.DOTNETNUKE) and an encrypted DNNPersonalization cookie. Detect authenticated requests carrying both cookies with deserialization payload markers.
- The serialized ObjectStateFormatter payload begins with the byte sequence [0xFF, 0x01, 0x32] (255, 1, 50). Inspect cookie values for this binary header after base64-decoding.
- CVE-2018-18326 affects DNN 9.2 through 9.2.2 specifically due to an incomplete fix for CVE-2018-15812 (weak encryption key entropy). The Metasploit module targets a broader range (5.0.0 to 9.3.0-RC) covering multiple related CVEs; ensure version-specific targeting when deploying detections.
- The Emerging Threats Snort rule (sid:2034308) is labeled for CVE-2018-15811 but explicitly references CVE-2018-18326 and CVE-2018-18325 as well; it covers the shared deserialization attack vector across all related DNN CVEs.
- For DNN 9.2.0–9.2.1 and 9.2.2–9.3.0-RC targets, the exploit requires both encryption (KEY and IV) and an authenticated session token, meaning unauthenticated network-layer detections alone are insufficient for these versions.
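The two cookie checks described in the notes above (the ordered marker chain from sid:2034308 and the FF 01 32 header after base64-decoding), as an added log-triage example that is not part of the original page or of any project it cites. Function names and the sample Cookie headers are constructed for illustration; as the notes state, an encrypted DNNPersonalization cookie will not expose these markers.

```python
import base64
import re
from urllib.parse import unquote

GADGET_TYPE = "ExpandedWrapperOfObjectStateFormatterObjectDataProvider"
# Markers the rule chains with distance:0 (each after the previous, nocase).
ORDERED_MARKERS = ["<profile", "methodname", "deserialize", "methodparameters"]
OSF_HEADER = bytes([0xFF, 0x01, 0x32])  # ObjectStateFormatter serialized header
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# Constructed, inert samples: marker words and a dummy blob, not a payload.
SAMPLE_BLOB = base64.b64encode(OSF_HEADER + b"constructed").decode()
SAMPLE_MARKERS = ("DNNPersonalization=<profile> " + GADGET_TYPE +
                  " MethodName Deserialize MethodParameters " + SAMPLE_BLOB)
SAMPLE_BENIGN = 'DNNPersonalization=<profile><item key="theme">dark</item></profile>'

def cookie_value(cookie_header, name):
    """Return the URL-decoded value of cookie `name` (case-insensitive) or None."""
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key.lower() == name.lower():
            return unquote(value)
    return None

def has_ordered_markers(text):
    """Gadget type present and the rule's markers found in order."""
    lowered, pos = text.lower(), 0
    for marker in ORDERED_MARKERS:
        pos = lowered.find(marker, pos)
        if pos < 0:
            return False
        pos += len(marker)
    return GADGET_TYPE in text

def has_osf_header(text):
    """Any base64 run in `text` decodes to bytes starting FF 01 32."""
    for run in B64_RUN.findall(text):
        try:
            if base64.b64decode(run + "=" * (-len(run) % 4)).startswith(OSF_HEADER):
                return True
        except ValueError:  # not valid base64, skip this run
            pass
    return False

def classify_cookie_header(cookie_header):
    """Return the reasons a Cookie header matches the indicators above."""
    value = cookie_value(cookie_header, "DNNPersonalization") or ""
    checks = [("plaintext-markers", has_ordered_markers), ("osf-header", has_osf_header)]
    return [label for label, check in checks if check(value)]
```

An empty list means neither indicator was visible in the cookie, which is also the result for an encrypted cookie, so it does not clear a request on 9.2.0+ targets.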
CVSS provenance
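| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |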
GHSA
Insufficient Entropy in DotNetNuke
ghsa·2019-07-05·CVSS 7.5
CVE-2018-18326 [HIGH] CWE-331 Insufficient Entropy in DotNetNuke
OSV
Insufficient Entropy in DotNetNuke
osv·2019-07-05·CVSS 7.5
CVE-2018-18326 [HIGH] Insufficient Entropy in DotNetNuke
Suricata
ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)
suricata·2021-11-01·CVSS 7.5
CVE-2017-9822 [HIGH] ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)
Exploit-DB
DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)
exploitdb·2020-04-16
CVE-2018-18326 DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
require 'openssl'
require 'set'
class MetasploitModule active_timeout
}
# payload handler is normally set up and started here
# but has been removed so we can start the handler when needed.
end
def initialize(info = {})
super(update_info(
info,
'Name' => "DotNetNuke Cookie Deserialization Remote Code Execution",
'Description' => %q(
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.
Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.
The expect
Metasploit
DotNetNuke Cookie Deserialization Remote Code Excecution
metasploit
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. The cookie is processed by the application whenever it attempts to load the current user's profile data. This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). An attacker can leverage this vulnerability to execute arbitrary code on the system.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html
- https://github.com/dnnsoftware/Dnn.Platform/releases
- https://www.dnnsoftware.com/community/security/security-center