Rule Document 1:59273

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP DOTNETNUKE DNNPersonalization Cookie Deserialization RCE

Rule Explanation

DotNetNuke CMS can be configured to listen on any port alert tcp $EXTERNAL_NET any -> $HOME_NET any This rule detects when a DNNPersonalization Cookie has a type (ObjectStateFormatter) specified that doesn't contain member functions. content:"DOTNETNUKE"; fast_pattern; content:"key"; within:40; content:"type=\"ObjectStateFormatter\""; within:200; This type XAML cookie should only be used with this type for exploitation attempts over HTTP: metadata:policy max-detect-ips drop, policy security-ips drop, policy balanced-ips drop, service http; References: reference:cve,2018-18326; reference:url,pentest-tools.com/blog/exploit-dotnetnuke-cookie-deserialization/; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb; Execution as whichever user account spawned the process for DotNetNuke CMS: classtype:attempted-user;

What To Look For

This rule alerts on DNNPersonalization cookies which have a a hardcoded XAML type (that lacks member functions) in the Metasploit module. It is not normal activity for DotNetNuke CMS software.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group