Movable Type 4.x unauthenticated remote command execution

Description

By directly calling an update-related CGI script with crafted input, and without requiring authentication, it is possible to execute arbitrary system commands on the host server. Movable Type (MT) exposes a CGI script, mt-upgrade.cgi (usually at /cgi/mt/mt-upgrade.cgi), that is used during installation and updating of the platform. The vulnerability arises from the following properties:

  • This script may be invoked remotely without requiring authentication to any MT instance.
  • Through a crafted POST request, it is possible to invoke particular database migration functions (i.e., functions that bring the existing database up to date with an updated codebase) by name and with particular parameters.
  • A particular migration function, core_drop_meta_for_table, allows a class parameter to be set which is used directly in a Perl eval statement, allowing Perl code injection.

Remediation

Upgrade to the latest version of Movable Type or apply the patch listed in the web references section.
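
To check whether mt-upgrade.cgi has been reached from outside while the upgrade is pending, the following added example (not part of the original advisory or of Movable Type) scans web server access logs for requests to the script and grades them. It assumes Apache combined log format and a placeholder administrator network; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: addresses administrators legitimately upgrade from (placeholder range).
ADMIN_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:01:02 +0000] "GET /cgi/mt/mt.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Jan/2000:10:04:41 +0000] "POST /cgi/mt/mt-upgrade.cgi HTTP/1.1" 200 312 "-" "curl/7"
203.0.113.77 - - [01/Jan/2000:10:04:43 +0000] "GET /cgi/mt/MT-Upgrade%2Ecgi?x=1 HTTP/1.1" 200 900 "-" "curl/7"
198.51.100.5 - - [01/Jan/2000:11:30:00 +0000] "POST /cgi/mt/mt-upgrade.cgi HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.90 - - [01/Jan/2000:12:00:00 +0000] "POST /cgi/mt/mt-upgrade.cgi HTTP/1.1" 403 199 "-" "curl/7"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_upgrade_hits(log_text, admin_nets=ADMIN_NETS):
    """Return one dict per request that targeted mt-upgrade.cgi, with a severity."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        # Decode %-escapes and ignore case so encoded or re-cased paths still match.
        path = unquote(urlsplit(target).path).lower()
        if not path.endswith("/mt-upgrade.cgi"):
            continue
        try:
            external = not any(ipaddress.ip_address(src) in n for n in admin_nets)
        except ValueError:
            external = True  # hostname in the log: treat as unknown origin
        if int(status) >= 400:
            severity = "blocked"  # the server refused or did not find the script
        elif external and method == "POST":
            severity = "high"     # unauthenticated POST is the vector in the advisory
        elif external:
            severity = "medium"
        else:
            severity = "info"
        hits.append({"src": src, "time": ts, "method": method,
                     "status": int(status), "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in find_upgrade_hits(SAMPLE_LOG):
        print(hit)
```

Access logs normally omit POST bodies, so a "high" hit shows only that the script was reached, not which migration function was requested.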

References