A critical remote code execution (RCE) bug affecting default 5.x versions of vBulletin (CVE-2019-16759) is being actively exploited in the wild, allowing unauthenticated attackers to take control of web hosts.
Zero-day proof-of-concept code was anonymously published on Monday, ahead of vBulletin issuing a patch. Also, Tenable vice president of intelligence Gavin Millard said via email that there is now a script that leverages Shodan to mass-identify thousands of vulnerable systems.
A successful exploit would allow an attacker to take control of a site using vBulletin, a popular platform for powering online forums and communities.
According to Sucuri researcher Marc-Alexandre Montpas, the bug is caused by a flaw in vBulletin's PHP widgets, which are rendered at runtime and used to create dynamic widgets without having to directly access the hosting server.
"The researcher found a way to force the site to render arbitrary widgets using the ajax/render/widget_php route," he explained in a blog post this week. "Since the evalCode callback does exactly what you think it does, essentially running eval on the code it is fed, this makes it possible to run arbitrary code on the underlying server."
Tenable Research analysis showed that an unauthenticated attacker can exploit the issue by sending a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands.
"These commands would be executed with the permissions of the user account that the vBulletin service is utilizing," said Tenable researcher Ryan Seguin, in the analysis. "Depending on the service user's permissions, this could allow complete control of a host… the published exploit code returns its successful execution in a JSON formatted response."
The fix is for versions 5.5.2, 5.5.3 and 5.5.4; users on earlier versions of vBulletin 5.x will need to update to one of the currently supported versions in order to apply the patch. The fix has also been applied to the cloud version of the platform.
Administrators should apply the patch as soon as possible.
Montpas warned, "This vulnerability is extremely severe. It allows any website visitors to run PHP code and shell commands on the site's underlying server. As if it wasn't bad enough, this bug doesn't require the attacker to have any kind of privilege to conduct a successful attack. vBulletin's default settings also make the vulnerable endpoint accessible by default."
Sucuri and Tenable telemetry has identified a rash of attacks already taking place in the wild, just days after the PoC was dropped on Securelist.
"The payload attackers are using is very interesting: It essentially modifies the vulnerable snippet by adding a password validation," Montpas noted. "This is a way for attackers to maintain access to sites they've hacked for themselves, as well as lock out other potential hackers from getting in. From this point, the bad actor can use his newly acquired site to do other malicious things in the future."
To find out if a site has been compromised, the researcher said to look for "ajax/render/widget_php" in the access logs. The request path is the indicator to search for because the parameters used in the attacks are sent in POST request bodies, which standard access logs do not record.
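The log check Montpas describes, as an added example that is not part of the original article or of Sucuri's tooling: a small Python scanner that parses combined-format access log lines, flags any request whose path contains the ajax/render/widget_php route regardless of HTTP method, and tallies hits per source IP. The log lines, IP addresses (RFC 5737 documentation ranges) and user agents are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache/nginx "combined" log format. Only the request line is available to us;
# POST bodies, where the injected code would travel, are never written here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The route named in the Sucuri write-up; compared case-insensitively.
SUSPECT_ROUTE = "ajax/render/widget_php"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspect(entry: Dict[str, str]) -> bool:
    """True when the request path touches the widget_php route (any method)."""
    return SUSPECT_ROUTE in entry["path"].lower()


def find_widget_php_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed entry that requested the widget_php route."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspect(entry):
            hits.append(entry)
    return hits


def summarize_by_ip(lines: List[str]) -> Dict[str, int]:
    """Count widget_php requests per source IP, for triage ordering."""
    return dict(Counter(h["ip"] for h in find_widget_php_hits(lines)))


# Constructed sample log: two ordinary page views, one POST and one GET to the route.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Sep/2019:14:02:11 +0000] "GET /forum/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Sep/2019:14:02:15 +0000] "POST /forum/ajax/render/widget_php HTTP/1.1" 200 812 "-" "python-requests/2.22.0"',
    '192.0.2.10 - - [23/Sep/2019:14:03:01 +0000] "GET /forum/ajax/render/widget_php?x=1 HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Sep/2019:14:04:22 +0000] "GET /forum/forum/general-discussion HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_widget_php_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} ua="{hit["ua"]}"')
    print("per-IP counts:", summarize_by_ip(SAMPLE_LOG))
```

Against a real server, feed the function the lines of the access log (for example `find_widget_php_hits(open(path).read().splitlines())`). A hit does not by itself prove compromise, since the route is also reachable in normal use on an unpatched default install, but any request to it from a host that is not an administrator, especially a POST from a scripted user agent, warrants checking the widget code stored in the database and the server for unexpected PHP.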
Mike Bittner, associate director of Digital Security and Operations at The Media Trust, said that it was just a matter of time before bad actors fixed their crosshairs on forums, which are rich storehouses of user information.
"The argument that many of today's sites do not collect users' information betrays a very uninformed notion of how websites work," he said via email. "Most, if not all, of today's websites are built using a vendor's platform. If you're a small business, you probably don't have the time or the money to build your own platform. If you're a medium-sized or large organization, you don't have the time or money to build a platform with all the bells and whistles users have come to expect. Forums are just one example. Unfortunately, vendors that supply these features too often collect information on users without site owners' authorization, while failing to equip their products with the needed security and privacy protections, leaving website owners to fend for themselves and shoulder the blame for any data breaches involving their sites. In an environment where bad actors are always looking out for vulnerabilities they can exploit or well-intentioned products like vBulletin they can abuse, site owners will need to close the security gaps themselves, ideally by carefully vetting their vendors and ensuring those vendors observe digital policies."
blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html
github.com/Frint0/mass-pwn-vbulletin
seclists.org/fulldisclosure/2019/Sep/31
www.tenable.com/blog/critical-zero-day-pre-authentication-remote-code-execution-exploit-published-for-5-x-versions