Severity Is Multi-Dimensional
Vulnerability scanning tools, such as Nessus, can produce reports and assign discovered vulnerabilities a severity rating. The problem I always had with these reports was in evaluating these ratings. Like many other administrators, I found that vulnerabilities with “high” severity ratings always caught my attention first. Sometimes it would take a week’s worth of effort to evaluate and remediate the high-severity vulnerabilities. Although I knew that I should also investigate the low or medium severity alerts, I never seemed to have time. These were most often given a low priority when it came time to assign tasks, and they would go unfixed for months or years, or never get fixed at all, unless a security incident occurred that involved one of the low-severity vulnerabilities. This is a problem that many organizations face, and the following Movable Type vulnerability is a great example that I hope underscores the point that a “lower severity rating” does not mean "forget about them and never fix them". I recommend that organizations take a multi-dimensional approach to vulnerability remediation and take into account not only the overall severity, but also the level of effort required to fix the problem. For the Movable Type vulnerability in question, the severity level is relatively low (for example, it’s not remotely exploitable to gain a shell), but the remediation is simple: remove the file from the web server (which has no impact on the operation of the web application).
Movable Type "mt-check.cgi"
Movable Type is a popular blogging and content management platform that powers Typepad, a web service that allows people to sign up and create their own blogs. It is written in Perl, and has had some vulnerabilities in the past. Movable Type contains a script called "mt-check.cgi" that is documented as follows:
This stand-alone script checks for all the required and optional Perl modules and reports on the status of each.
Viewing the mt-check.cgi script is the easiest way to check the details of the server environment to determine if the prerequisite libraries/modules are present so that Movable Type can be installed.
While the Movable Type documentation explains the purpose of the script, it does not recommend that users disable or remove this script post-installation. A little Google research shows that this has led to a large number of sites that contain this script. My own "Google Dorking" reveals approximately 280,000 web sites that have not removed mt-check.cgi.
If mt-check.cgi is left in place after a Movable Type installation, it provides the attacker with a wide variety of useful information (more documentation can be found in OSVDB 60492). I will leave it to your own "Google Hacking" skills to get an idea of how widespread this problem is.
The Movable Type script "mt-check.cgi" reveals the following pieces of information:
The top portion of the page displays the Movable Type version number, the directory the mt-check.cgi script is running from (working directory) and the MT home directory. This information can be used to find vulnerabilities associated with this version of Movable Type, perhaps by using a vulnerability database such as the OSVDB and its powerful search engine. Initially, the directory information may not seem like a big concern, but if there are remote file inclusion, local file inclusion or file upload vulnerabilities present, this information is key to a successful attack. The attacker must know where to copy files or find directories that are writable by the web server or database server. The operating system is also a key element, as the syntax for some of the web application attacks previously mentioned will change based on platform. The Perl version is also displayed; an older version of Perl could contain vulnerabilities that could be exploited by an attacker.
Even if a system administrator has disabled the Apache banner (e.g., by setting "ServerTokens" to "Prod" in the Apache configuration file), the mt-check.cgi script will still reveal this information. The banner reveals not only the versions of all software currently in use, but also that the PHP installation is being protected with the Suhosin patch, which adds a significant level of security to any PHP applications installed on the web server. Armed with this information, an attacker can then construct web application attacks, such as HTTP response splitting or attacks specific to Suhosin, in a way that evades web application firewalls.
Information about MT modules and the associated versions of Perl modules is also helpful to attackers. For example, vulnerabilities have been disclosed in the DBI library, just as vulnerabilities could exist for other software on the system. Nessus plugin 42842, "Movable Type mt-check.cgi System Information Disclosure", detects this vulnerability. Be certain to click the checkbox labeled "Enable CGI scanning" in the preferences table of your policy, or these vulnerabilities will not be detected.
Detecting this vulnerability is fairly straightforward. For example, below is an Apache log file sample of an attacker accessing the mt-check.cgi application (the Referer field of the request for icon_success.png shows that the page was rendered from mt-check.cgi):
192.168.1.66 - - [17/Nov/2009:21:51:04 +0000] "GET /movabletype/mt-static//images/icon_success.png HTTP/1.1" 200 795 "http://192.168.1.26/movabletype/mt-check.cgi" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9"
There are several different ways to detect the activity shown above. A network intrusion detection system or a passive vulnerability scanner (such as Tenable’s Passive Vulnerability Scanner) could be used to find it on the network. Monitoring the logs on the Apache servers will also reveal that this page exists and was accessed by attackers. Tenable’s LCE (Log Correlation Engine) can be used to monitor for this activity, alert accordingly, and even correlate it with events from other systems and log sources.
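As an added example (not code from the original post or from Tenable), here is a small log-review script that applies the detection idea above to Apache combined-format logs: it flags both direct requests for mt-check.cgi and requests whose Referer points at mt-check.cgi, which is how the page's own sample line betrays the access. The log lines below are constructed for the example (the second one is the line quoted above); regex field names and the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format, the same format as the sample line quoted on the page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TARGET = "mt-check.cgi"

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def mt_check_hit(entry):
    """'direct' if the request itself fetched mt-check.cgi, 'referer' if a resource was
    loaded from a page rendered by mt-check.cgi, else None. Query strings are dropped
    (mt-check.cgi?x=1 still matches) and the Referer is parsed as a URL so only its
    path is compared. Matching is case-insensitive: on a case-insensitive filesystem
    MT-CHECK.CGI serves the same script, and a 404 still records a probe."""
    if urlsplit(entry["path"]).path.lower().endswith(TARGET):
        return "direct"
    if urlsplit(entry["referer"]).path.lower().endswith(TARGET):
        return "referer"
    return None

def scan(lines):
    """Return (client_ip, timestamp, kind, path) for every line that points at mt-check.cgi."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or non-combined line; skip rather than crash the review
        kind = mt_check_hit(entry)
        if kind:
            hits.append((entry["ip"], entry["ts"], kind, entry["path"]))
    return hits

# Constructed sample log; line 2 is the line quoted on the page, the rest are made up.
SAMPLE_LOG = """\
192.168.1.66 - - [17/Nov/2009:21:50:58 +0000] "GET /movabletype/mt-check.cgi HTTP/1.1" 200 18342 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9"
192.168.1.66 - - [17/Nov/2009:21:51:04 +0000] "GET /movabletype/mt-static//images/icon_success.png HTTP/1.1" 200 795 "http://192.168.1.26/movabletype/mt-check.cgi" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9"
192.168.1.70 - - [17/Nov/2009:21:52:11 +0000] "GET /movabletype/index.html HTTP/1.1" 200 4120 "-" "curl/7.19.7"
192.168.1.71 - - [17/Nov/2009:21:53:30 +0000] "GET /movabletype/MT-CHECK.CGI?x=1 HTTP/1.0" 404 210 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for ip, ts, kind, path in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {kind:8s} {path}")
```

Feed it the real access log (for example `scan(open("/var/log/apache2/access.log"))`) to list every client that reached the script; a hit against a server where the script was supposedly removed is itself a finding.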
Low-priority vulnerabilities will often provide attackers with information that could lead to more reliable exploitation of other vulnerabilities. Remediating lower severity vulnerabilities needs to be a part of your vulnerability management strategy. Make sure the removal of the mt-check.cgi script in Movable Type is in your system hardening guides, along with other configuration checking such as the OWASP Top Ten List and Apache Hardening Guidelines from the Center For Internet Security.