CVE-2015-1592
Published: 2015-02-19
Priority: P2 71 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 75.03% (99.4th percentile)
Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| sixapart | movable_type | >= 5.2.0 < 5.2.12 | 5.2.12 |
| sixapart | movable_type | >= 6.0 < 6.0.7 | 6.0.7 |
Detection & IOCs (extracted from sources)
- Detect GET requests to mt-wizard.cgi with query parameters '__mode=retry', 'step=configure', and a 'config' parameter beginning with the Storable magic bytes 'SERG' (hex: 53455247) — this is the serialized payload delivery vector for CVE-2015-1592.
- Alert on HTTP responses containing the string "Can't locate XXXCHECKXXX.pm" — this indicates the server is vulnerable and the attacker is performing an active check for CVE-2015-1592.
- Monitor for GET requests to mt-wizard.cgi with '__mode=next_step' and 'step=optional' containing injected Perl code in the 'email_address_main' parameter (newline-separated ObjectDriver injection).
- Detect GET requests to mt.cgi with an 'xyzzy' query parameter — this is the backdoor command execution parameter written into the corrupted mt-config.cgi during the destructive exploit path.
- Flag any HTTP request to MovableType CGI endpoints where the 'config' parameter value decodes (hex) to a binary blob starting with 'SERG' followed by null bytes — this is the Storable serialization magic header used in the exploit.
- The nondestructive exploit payload hex-encodes a Storable object referencing 'Object::MultiType', 'DateTime', 'Try::Tiny::ScopeGuard', and calls 'MT::run_app' — look for these class names in decoded 'config' parameter values.
- The destructive exploit path deletes mt-config.cgi via a CGITempFile Storable injection — monitor for unexpected deletion or modification of mt-config.cgi on the server filesystem.
- The nondestructive exploit path requires the target server to have the 'Object::MultiType' and 'DateTime' Perl modules installed in @INC; if they are absent, the exploit fails silently without corrupting the installation.
- The destructive exploit path only requires standard MovableType dependencies (the CGI module) but corrupts the MovableType installation by unlinking and rewriting mt-config.cgi.
- Affected versions are Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7; patched versions are not vulnerable.
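The request-side indicators above, turned into detection logic over web-server access logs. This is an added example, not a rule from the page's sources or any vendor; the log lines are constructed, the indicator labels are my own, and the only payload content used is the 'SERG' header plus null bytes already named in the list.

```python
import binascii
import re
from urllib.parse import parse_qs, urlsplit

STORABLE_MAGIC = b"SERG"  # hex 53455247, the Storable header named in the IOC list above
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request target in a CLF access log line

def config_is_storable(value):
    """True when a hex-encoded 'config' value decodes to a blob starting with 'SERG'."""
    try:
        return binascii.unhexlify(value).startswith(STORABLE_MAGIC)
    except (binascii.Error, ValueError):
        return False  # not valid hex, so not the serialized form described above

def classify_request(target):
    """Return the CVE-2015-1592 indicators matched by one request target (path + query)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    q = parse_qs(parts.query, keep_blank_values=True)
    first = lambda k: q.get(k, [""])[0]
    wizard = script == "mt-wizard.cgi"
    hits = []
    if config_is_storable(first("config")):
        hits.append("storable-config-blob")  # any MT CGI endpoint carrying the SERG header
        if wizard and first("__mode") == "retry" and first("step") == "configure":
            hits.append("wizard-retry-configure")  # the payload delivery vector
    if (wizard and first("__mode") == "next_step" and first("step") == "optional"
            and "\n" in first("email_address_main")):  # %0a-separated config directive
        hits.append("objectdriver-injection")
    if script == "mt.cgi" and "xyzzy" in q:
        hits.append("xyzzy-backdoor-param")
    return hits

def scan_access_log(lines):
    """Return (line_number, indicators) for each log line matching at least one rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        hits = classify_request(m.group(1)) if m else []
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample log lines (not real traffic): benign, one per rule, then a malformed config.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Feb/2015:10:00:01 +0000] "GET /cgi-bin/mt/mt.cgi?__mode=dashboard HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Feb/2015:10:00:02 +0000] "GET /cgi-bin/mt/mt-wizard.cgi?__mode=retry&step=configure&config=5345524700000000 HTTP/1.1" 200 80',
    '198.51.100.7 - - [19/Feb/2015:10:00:03 +0000] "GET /cgi-bin/mt/mt-wizard.cgi?__mode=next_step&step=optional&email_address_main=a%40example.test%0aX%3DY HTTP/1.1" 200 80',
    '198.51.100.7 - - [19/Feb/2015:10:00:04 +0000] "GET /cgi-bin/mt/mt.cgi?xyzzy=1 HTTP/1.1" 200 80',
    '198.51.100.7 - - [19/Feb/2015:10:00:05 +0000] "GET /cgi-bin/mt/mt-wizard.cgi?__mode=retry&step=configure&config=notahex HTTP/1.1" 200 80',
]
```

The response-side indicator ("Can't locate XXXCHECKXXX.pm") is not covered here because it needs response bodies, which standard access logs do not record.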
No detection rules found.
Exploit-DB
SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)
exploitdb · 2015-02-11

```ruby
'Name' => 'SixApart MovableType Storable Perl Code Execution',
'Description' => %q{
  This module exploits a serialization flaw in MovableType before 5.2.12 to execute
  arbitrary code. The default nondestructive mode depends on the target server having
  the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths.
  The destructive mode of operation uses only required MovableType dependencies,
  but it will noticeably corrupt the MovableType installation.
},
'Author' =>
  [
    'John Lightsey',
  ],
'License' => MSF_LICENSE,
'References' =>
  [
    [ 'CVE', '2015-1592' ],
    [ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ],
  ],
'Privileged' => false, # web server context
'Payload' =>
  {
    'DisableNops' => true,
    'BadChars' =
```
Metasploit
SixApart MovableType Storable Perl Code Execution
metasploit
This module exploits a serialization flaw in MovableType before 5.2.12 to execute arbitrary code. The default nondestructive mode depends on the target server having the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths. The destructive mode of operation uses only required MovableType dependencies, but it will noticeably corrupt the MovableType installation.
Bugzilla
CVE-2015-3235 foreman: edit_users permission allows changing of admin passwords
bugzilla · 2015-06-16 · CVSS 6.0 (MEDIUM)
Dominic Cleal of Red Hat reported the below issue in Foreman:
A user with the edit_users permission (e.g. with the Manager role) is allowed to edit admin users. This allows them to change the password of the admin user's account and gain access to it.
Upstream bug: http://projects.theforeman.org/issues/10829
Upstream fix: pull request not yet merged, see upstream bug
Discussion:
Updated CVSS2 scoring.
---
This issue has been addressed in the following products:
Red Hat Satellite 6.1
Via RHSA-2015:1591 https://access.redhat.com/errata/RHSA-2015:1591
---
This issue has been addressed in the following products:
Red Hat Satellite 6.1
Via RHSA-2015:1592 https://access.redhat.com/errata/RHSA-2015:1592
Bugzilla
CVE-2015-3155 foreman: the _session_id cookie is issued without the Secure flag
bugzilla · 2015-04-28 · CVSS 5.0 (MEDIUM)
It was reported that the _session_id cookie in Foreman is set without the Secure flag.
This may allow an attacker to perform a "session hijacking" attack.
Upstream bug: http://projects.theforeman.org/issues/10275
Proposed fix: https://github.com/theforeman/foreman/pull/2328
Discussion:
Acknowledgements:
Red Hat would like to thank Rufus Järnefelt of Coresec for reporting this issue.
---
This issue has been addressed in the following products:
Red Hat Satellite 6.1
Via RHSA-2015:1591 https://access.redhat.com/errata/RHSA-2015:1591
---
This issue has been addressed in the following products:
Red Hat Satellite 6.1
Via RHSA-2015:1592 https://access.redhat.com/errata/RHSA-2015:1592
Bugzilla
CVE-2015-2326 pcre: heap buffer over-read in pcre_compile2() (8.37/23)
bugzilla · 2015-03-30 · CVSS 5.5 (MEDIUM)
A flaw was found in the PCRE library:
The PCRE library is prone to a vulnerability which leads to a heap overflow. Without enough bounds checking inside pcre_compile2(), the heap memory could be overflowed via a crafted regular expression. Since the PCRE library is widely used, this vulnerability should affect many applications. An attacker may exploit this issue to execute arbitrary code in the context of the user running the affected application.
Upstream issue:
http://bugs.exim.org/show_bug.cgi?id=1592
Upstream patch:
http://vcs.pcre.org/pcre?revision=1529&view=revision
Statement:
This issue did not affect the versions of pcre as shipped with Red Hat Enterprise Linux 5, 6, and 7.
Discussion:
8.34 seems to be the first
References
- http://www.openwall.com/lists/oss-security/2015/02/12/17
- http://www.openwall.com/lists/oss-security/2015/02/12/2
- http://www.securityfocus.com/bid/72606
- http://www.securitytracker.com/id/1031777
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100912
- https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html
- https://www.debian.org/security/2015/dsa-3183