
A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin, one of today's most popular forum software packages.
The zero-day is a bypass for a patch from a prior vBulletin zero-day — namely CVE-2019-16759, disclosed in September 2019.
The prior zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the targeted sites (a type of bug referred to as a pre-auth RCE).
CVE-2019-16759 was disclosed on September 24, 2019, and a patch was provided the next day, on September 25.
New zero-day bypasses CVE-2019-16759 patch
However, in a blog post published late Sunday night, Austin-based security researcher Amir Etemadieh said the CVE-2019-16759 patch “was insufficient in blocking exploitation.”
The researcher said he found a simple way to bypass the patch and continue to exploit the same CVE-2019-16759 vulnerability, and published a few proofs of concept in Bash, Python, and Ruby to prove his point.
Etemadieh told ZDNet he did not contact and notify the vBulletin team before going public with his findings. MH Sub I, LLC, the company that commercializes the vBulletin forum software, has not returned a request for comment.
Forums are a common target for hackers
Either way, the new zero-day code is live and has been widely shared on social media sites like Reddit and Twitter, and inside hacking communities hosted on private forums and Discord channels.
0day RCE exploit on vBulletin 5xx
dork intext:”Driven by vBulletin”
POC
curl -s http://Site/ajax/render/widget_tabbedcontainer_tab_panel -d ‘subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec(“id”) exit’
#bugbounty #bugbountytips
h4x0r-dz (@h4x0r_dz), August 10, 2020
The publication of the September 2019 zero-day triggered a massive wave of vBulletin hacks last year, resulting in many companies disclosing security breaches over the following months.
Forums, in general, are some of the most sought-after web technologies to hack. The reason hackers put a premium on forums has to do with their purpose and the data they can steal.
Unlike most content management systems such as WordPress, Drupal, or Joomla, online forums like vBulletin are built for the sole and primary purpose of managing online communities and, as a result, hold large quantities of personal data.
A WordPress site might be used to run a wedding planner's or a lawyer's office website, but even the lowliest and most unimportant forums have thousands of registered user profiles holding sensitive user details, along with user posts, personal messages, and sometimes even financial information, if the forums have pay-to-access features.
However, even if Etemadieh didn't make it clear whether he notified the vBulletin team about his plans to reveal a zero-day, the researcher says forum owners can prevent exploitation by making the following changes to their forum settings:
- Go to the vBulletin administrator control panel.
- Click “Settings” in the menu on the left, then “Options” in the dropdown.
- Choose “General Settings” and then click “Edit Settings”.
- Look for “Disable PHP, Static HTML, and Ad Module rendering” and set it to “Yes”.
- Click “Save”.
At the time of writing, at least one forum was confirmed to have been hacked using this new zero-day: the forum of the DEF CON security conference, which concluded just recently, over the weekend.
Updated at 19:30 ET to add that the vBulletin team has released a patch. MITRE has assigned this new zero-day the identifier CVE-2020-17496.
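For forum owners who want to check whether their own site received requests shaped like the proof of concept quoted above, the following is an added example (not code from the article, the researcher, or vBulletin) that scans web server logs for the `ajax/render/widget_tabbedcontainer_tab_panel` route and for a `subWidgets[...][template]=widget_php` parameter. It assumes combined log format with an optional trailing quoted request-body field; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

ROUTE = "ajax/render/widget_tabbedcontainer_tab_panel"  # route named in the article's PoC
TEMPLATE_KEY = re.compile(r"^subwidgets\[[^\]]*\]\[template\]$", re.I)

# Combined log format plus an optional final quoted field holding the request body
# (assumption: the server was configured to log it, e.g. nginx "$request_body").
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<body>[^"]*)")?$'
)

# Constructed sample lines (documentation IP ranges, payload value redacted).
SAMPLE = [
    '203.0.113.7 - - [10/Aug/2020:21:14:03 +0000] "POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 512 "-" "curl/7.68.0" "subWidgets%5B0%5D%5Btemplate%5D=widget_php&subWidgets%5B0%5D%5Bconfig%5D%5Bcode%5D=REDACTED"',
    '198.51.100.20 - - [10/Aug/2020:21:15:40 +0000] "POST /forum/ajax/render/widget%5Ftabbedcontainer_tab_panel HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.15 - - [10/Aug/2020:21:16:02 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

def _norm_route(value):
    """Percent-decode, lowercase and collapse slashes so encoded variants still match."""
    return re.sub(r"/+", "/", unquote(value)).strip("/").lower()

def classify(line):
    """Return None for unrelated traffic, else a dict describing the hit."""
    m = LINE.match(line.strip())
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    params = parse_qsl(query, keep_blank_values=True) + parse_qsl(m["body"] or "", keep_blank_values=True)
    # The route can arrive as the URL path or in a "routestring" parameter
    # (the latter is vBulletin 5 URL handling, not shown in the article).
    routes = [_norm_route(path)]
    routes += [_norm_route(v) for k, v in params if k.lower() == "routestring"]
    if not any(r.endswith(ROUTE) for r in routes):
        return None
    php = any(TEMPLATE_KEY.match(k) and v.strip().lower() == "widget_php" for k, v in params)
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "level": "php-template" if php else "route-only"}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A `route-only` hit means the body was not logged or did not select `widget_php`; without body logging, every request to this route from an unexpected client deserves a closer look.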