SecurityWeek

vBulletin Patches Zero-Day Exploited in Attacks

vBulletin developers on Monday rushed to address a zero-day remote code execution (RCE) vulnerability in the forum software, one day after the issue was publicly disclosed.

Written in PHP, vBulletin is highly popular among numerous large brands, including Electronic Arts, Pearl Jam, Sony, Steam, Zynga, and others.

The newly disclosed vulnerability is related to CVE-2019-16759, a critical (CVSS score of 9.8) zero-day RCE vulnerability in versions 5.0 to 5.4 that was disclosed last year by an unknown researcher and was immediately exploited in live attacks.

On Sunday, security researcher Amir Etemadieh published information on a new vulnerability in vBulletin, explaining how it can be abused to bypass the patch released in September 2019 for CVE-2019-16759, and also providing proof-of-concept (PoC) code that demonstrates how easily the flaw can be exploited.

Etemadieh, who has previously identified other severe vulnerabilities in vBulletin, did not contact vBulletin prior to disclosing the new vulnerability, which does not have a CVE identifier yet.

The initial RCE flaw resides in the software’s ajax/render/widget_php route and can be exploited by leveraging the widgetConfig parameter to inject code. Following the initial patch, vBulletin added more code that would ensure the flaw cannot be triggered.

What Etemadieh discovered was that the manner in which the vBulletin template system is structured allows an attacker to bypass the fix for CVE-2019-16759. Specifically, the issue resides within the template “widget_tabbedcontainer_tab_panel,” which can load a user-controlled child template.

“The template loads the child template by taking a value from a separately named value and placing it into a variable named ‘widgetConfig’,” the researcher notes, explaining that this behavior allows for the bypass of all filtering in place to prevent the exploitation of CVE-2019-16759.
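The route, template and parameter names above can serve as log indicators. The following is an added example, not code from the article, the researcher or vBulletin: it scans combined-format access logs for those names. The log format, the assumption that the tab-panel template is requested under the same ajax/render/ prefix, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Indicators named in the article: the original route, the template used in
# the bypass (assumed to sit under the same ajax/render/ prefix), the parameter.
INDICATORS = (
    "ajax/render/widget_php",
    "ajax/render/widget_tabbedcontainer_tab_panel",
    "widgetconfig",
)

# Combined log format: ip - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def fully_decode(target, rounds=3):
    """Percent-decode repeatedly so single or double encoding cannot hide a match."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()

def scan(lines):
    """Return (ip, method, status, matched indicators) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, _when, method, target, status = m.groups()
        decoded = fully_decode(target)
        matched = [i for i in INDICATORS if i in decoded]
        if matched:
            hits.append((ip, method, int(status), matched))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:09:01:02 +0000] "POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2000:09:03:40 +0000] "POST /ajax/render/widget%255Fphp HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Jan/2000:09:03:55 +0000] "GET /forum/?widgetConfig=x HTTP/1.1" 403 0',
    '203.0.113.5 - - [01/Jan/2000:09:04:11 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Access logs normally omit POST bodies, so the parameter indicator only fires when it appears in the URL; the route indicators are the primary signal, and the status code helps separate probes from requests the server actually processed.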

Etemadieh, who published Bash, Python, and Metasploit exploits for the flaw, also stresses that the simplicity of this vulnerability allows for exploitation using a one-line command-line exploit. The researcher also published information on how to disable PHP widgets and mitigate the flaw.

Security researchers at Tenable have analyzed Etemadieh’s exploit and confirmed that it is working.

Black Hat and DEF CON founder Jeff Moss revealed on Twitter that hackers exploited the vulnerability in an attack aimed at the DEF CON forum within hours of the public disclosure. Others also reported being targeted, according to posts on the vBulletin forum.

On Monday, vBulletin announced that patches were available for the 5.6.0, 5.6.1, and 5.6.2 versions of vBulletin Connect. The fixes remove the PHP Module. A full patch will be included in the next build of 5.6.3 and the PHP Module will be completely removed in vBulletin 5.6.4.

Sites using vBulletin Cloud are not impacted by the vulnerability.

“All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible,” vBulletin said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
