This module will cover the in-depth analysis and exploitation of a deserialization remote code execution vulnerability in the DotNetNuke (DNN) platform through the use of maliciously crafted cookies. The primary focus of the module will be directed at the .Net deserialization process, and more specifically at the XmlSerializer class.
7.2 Getting Started
Revert the DNN virtual machine from your student control panel. You will find the credentials to the DotNetNuke server and application accounts in your course materials.
In order to access the rest of this course content, you must enroll in Offensive Security's Advanced Web Attacks and Exploitation online course.
The concept of serialization (and deserialization) has existed in computer science for a number of years. Its purpose is to convert a data structure into a format that can be stored or transmitted over a network link for future consumption.
7.4 Serialization Basics
Before we get into the thorough analysis of the vulnerability, we first need to cover some basic concepts in practice. This will help us understand the more complex scenarios later on. There are various formats in which serialized objects can be stored: we have already suggested a binary format as an option, which in the case of .NET would likely be handled by the BinaryFormatter class.
Nevertheless, for the purposes of this module, we will focus on the XmlSerializer class, as it directly relates to the vulnerability we will discuss.
7.5 DotNetNuke Vulnerability Analysis
Now that we have some basic knowledge of XmlSerializer, we can start analyzing the actual DotNetNuke vulnerability that was discovered by Muñoz and Mirosh.
As reported, the vulnerability was found in the processing of the DNNPersonalization cookie, which as the name implies, is directly related to a user profile. Interestingly, this vulnerability can be triggered without any authentication.
7.6 Payload Options
As we are dealing with a deserialization vulnerability, our goal is to find an object that executes code useful to us when it is deserialized, and that the target application can properly deserialize. So, let's look at some options.
7.7 Putting It All Together
At this point we can set up the entire attack and try to gain a reverse shell using this vulnerability. In order to do that, we will use an ASPX command shell that can be found on our attacking Kali VM. We'll copy that into our webserver root directory and make sure we set the correct permissions on it.
Now that we have manually analyzed and exploited this vulnerability, and have gained a thorough understanding of the ObjectDataProvider gadget mechanics, we need to mention a tool that can automate many of these tasks for us. Using the original ysoserial Java payload generator as inspiration, researcher Alvaro Muñoz also created the ysoserial.net payload generator that, as the name implies, specifically targets unsafe object deserialization in .Net applications.
In this module we analyzed a vulnerability in the DNN platform that clearly demonstrates that .NET applications can suffer from deserialization issues similar to any other language. Although deserialization vulnerabilities are arguably found more often in PHP and Java applications, we encourage you not to neglect this class of vulnerabilities when facing .NET applications, as they can prove to have a critical impact.