[Unpatched] Critical 0-Day RCE Exploit for vBulletin Forum Disclosed Publicly

Minimalist Registered Member

Joined:: Jan 6, 2014

Posts:: 14,885

Location:: Slovenia, EU

An anonymous hacker today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability in vBulletin—one of the widely used internet forum software.
Click to expand...

https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html

Minimalist, Sep 24, 2019

#1

guest Guest

vBulletin Zero-Day Exploited for Years, Gets Unofficial Patch
September 25, 2019
https://www.bleepingcomputer.com/ne...ay-exploited-for-years-gets-unofficial-patch/

A zero-day exploit for the vBulletin forum platform was publicly disclosed and quickly used to attack affected versions of the forum software. It turns out, though, that this exploit has been known, utilized, and sold by researchers and attackers for years.
Unofficial patch released by security researcher
This remote code execution vulnerability exists in the includes/vb5/frontend/controller/bbcode.php file and is caused by the evalCode ($code) function.
To fix this vulnerability, security researcher Nick Cano created a very easy patch that comments out the eval() statement in the evalCode function.
Exploited for years
After news broke about this vulnerability, Chaouki Bekrar, the CEO of the Zerodium exploit acquisition company, tweeted that his company has known about this exploit for three years and that many researchers have been selling the exploit for some time.
Click to expand...

guest, Sep 25, 2019

#2

Minimalist Registered Member

Joined:: Jan 6, 2014

Posts:: 14,885

Location:: Slovenia, EU

High-severity vulnerability in vBulletin is being actively exploited

Attackers are mass-exploiting an anonymously disclosed vulnerability that makes it possible to take control of servers running vBulletin, one of the Internet’s most popular applications for website comments. Sites running the app should take comments offline until administrators install a patch that vBulletin developers released late Wednesday morning.
Click to expand...

https://arstechnica.com/information...-attacks-against-high-severity-vbulletin-bug/

Minimalist, Sep 26, 2019

#3

Minimalist Registered Member

Joined:: Jan 6, 2014

Posts:: 14,885

Location:: Slovenia, EU

Botnet Uses Recent vBulletin Exploit to Block Other Hackers

A botnet has been detected utilizing the recently disclosed vBulletin exploit to secure vulnerable servers so that they cannot be used by other attackers. This allows the botnet to grow their army of compromised servers without fear that other attackers will utilize the same server.
Click to expand...

https://www.bleepingcomputer.com/ne...ent-vbulletin-exploit-to-block-other-hackers/

Minimalist, Sep 26, 2019

#4

guest Guest

Cloudflare Now Blocks the vBulletin RCE CVE-2019-16759 Exploit
September 29, 2019
https://www.bleepingcomputer.com/ne...cks-the-vbulletin-rce-cve-2019-16759-exploit/

This week a zero-day vBulletin remote code execution vulnerability and exploit was publicly disclosed and is being used by bad actors to attack vBulletin forums. Cloudflare has now created a special rule that will prevent this exploit from working on vBulletin sites behind Cloudflare's service.

To protect users, Cloudflare has created a new rule for their Web Application Firewall that will detect and block this exploit. This means that vBulletin sites using Cloudflare and who have their firewall enabled will not be affected by the exploit.
While this is a great perk of being a Cloudflare customers, it is obviously more important that affected vBulletin forums install the official patch so that that the vulnerability is properly fixed.
Click to expand...

guest, Sep 29, 2019

#5

guest Guest

Security researcher publishes details and exploit code for a vBulletin zero-day
Proof-of-concept exploit code available in Bash, Python, and Ruby
August 10, 2020
https://www.zdnet.com/article/secur...ls-and-exploit-code-for-a-vbulletin-zero-day/

A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin, one of today's most popular forum software.

The zero-day is a bypass for a patch from a previous vBulletin zero-day — namely CVE-2019-16759, disclosed in September 2019.
The previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE).

CVE-2019-16759 was disclosed on September 24, 2019, and a patch was provided the next day, on September 25.
Click to expand...

NEW ZERO-DAY BYPASSES CVE-2019-16759 PATCH
However, in a blog post published late Sunday night, Austin-based security researcher Amir Etemadieh said the CVE-2019-16759 "was inadequate in blocking exploitation."
The researcher said he found a simple way to bypass the patch and continue to exploit the same CVE-2019-16759 vulnerability, and published three proof-of-concepts in Bash, Python, and Ruby, to prove his point.

At the time of writing, at least one forum was confirmed to have been hacked using this new zero-day, the forum of the DEF CON security conference, which just recently concluded over the weekend.
Click to expand...

Updated at 19:30 ET to add that the vBulletin team has released a patch.
Click to expand...

guest, Aug 10, 2020

#6

Log in or Sign up

[Unpatched] Critical 0-Day RCE Exploit for vBulletin Forum Disclosed Publicly

Minimalist Registered Member

guest Guest

Minimalist Registered Member

Minimalist Registered Member

guest Guest

guest Guest

Useful Searches