VBulletin 5: 0day of Imperfect Patch

Early this week, the popular forum software platform vBulletin faced a new remote code execution 0day vulnerability. The culprit: an imperfect patch.

Over the weekend, security researcher Amir Etemadieh released a proof-of-concept needed to bypass a patch designed to address the same issue listed under CVE-2019-16759.

The original vulnerability affected vBulletin 5.x through 5.5.4 and "allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request" (cve.mitre.org).

To better illustrate how many web servers are affected by this new addition to the vulnerability, the following Google dork displays all the sites running vBulletin forum software:

intext:"Powered by vBulletin"

When this vulnerability was first released, all that was needed to leverage it for an attack was a specially crafted POST request. The request sent to the targeted system would allow anyone to execute any arbitrary command (associated with the "service account" of the user bound to the vBulletin instance). This vulnerability is also "pre-auth", meaning that a user doesn't have to be logged in for it to work.

This issue affects vBulletin's template rendering engine specifically. Templates allow a vBulletin user to style their forum. The syntax for writing templates resembles front-end code like HTML mixed with inline code, which is rendered back as PHP. It's during the actual rendering process that the vulnerability is expressed.

Template structure causes filtering problems

The template structure in vBulletin exacerbates the problem. It permits the use of what are called "child templates". Once the parent template is processed and evaluated, the following series of child templates (if present) is rendered.

According to Amir Etemadieh, this can cause many filtering problems associated with both XSS (injecting arbitrary client-side script) and the generation of non-escaped PHP, simply from how the template functionality is structured. It's like having to play a constant game of cat-and-mouse, defeating the renderer's filtering procedures.

What did the patch for CVE-2019-16759 miss? After all, it checks that routestring doesn't end with a widget_php route before executing the template.

What was missing when the patch was developed was the consideration of loading a child template using a value stored under a different name. The following is the proof-of-concept for executing any arbitrary command (as the service account that manages vBulletin) on the system:

curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20shell_exec("id"); exit;'

The function parameter of shell_exec() is what executes the command on the system. Any PHP code can substitute for it, as it's unescaped and run.
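To make the patch gap concrete from a defender's side, here is an added request-inspection example (not vBulletin's code, and not the researcher's): a check that mirrors the narrow route-string test described above, beside one that walks the PHP-style form parameters for any child template selecting widget_php. The routes, parameter names and request shapes follow the post; the function names, the sample requests and the config[code] heuristic are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests (route, POST body), not captured traffic: the original
# CVE-2019-16759 shape, the child-template bypass shape, and a benign child render.
SAMPLE_REQUESTS = [
    ("ajax/render/widget_php", "widgetConfig[code]=phpinfo()"),
    ("ajax/render/widget_tabbedcontainer_tab_panel",
     "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo()"),
    ("ajax/render/widget_tabbedcontainer_tab_panel",
     "subWidgets[0][template]=widget_text&subWidgets[0][config][text]=hello"),
]

def php_form_to_tree(body):
    """Expand PHP-style bracket keys (a[0][b]=v) into nested dicts, the way PHP
    itself builds $_POST, so nested child-template values become visible."""
    tree = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        match = re.match(r"([^\[]+)((?:\[[^\]]*\])*)$", key)
        if not match:
            continue
        parts = [match.group(1)] + re.findall(r"\[([^\]]*)\]", match.group(2))
        node = tree
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = values[-1]
    return tree

def route_only_check(route):
    """Mirror of the narrow fix the post describes: block only when the route
    string itself ends with the widget_php route. Child templates are not seen."""
    return route.rstrip("/").endswith("widget_php")

def names_php_widget(node):
    """Recursively flag widget_php selected as any (child) template, or a raw
    'code' value supplied inside any config array (heuristic, an assumption)."""
    if not isinstance(node, dict):
        return False
    for key, value in node.items():
        if key == "template" and value == "widget_php":
            return True
        if key in ("config", "widgetConfig") and isinstance(value, dict) and "code" in value:
            return True
        if names_php_widget(value):
            return True
    return False

def flag_request(route, body):
    # Combined check: the route test plus a walk over every nested parameter.
    return route_only_check(route) or names_php_widget(php_form_to_tree(body))
```

Run against the samples, the route-only test passes the bypass request while the parameter walk flags it and leaves the benign child render alone.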

Amir Etemadieh also made available a Bash, Python, and a Metasploit module for this exploit. More details about this vulnerability can be found on the researcher's blog: https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/.

Google dork displaying all the websites powered by vBulletin software

Many forums powered by vBulletin will likely face data breaches in the coming days, similar to when the original 2019 vulnerability was disclosed. Jeff Moss has already reported that someone tried using the exploit within just three hours following its release on forum.defcon.org (right after the yearly conference).

Disable PHP rendering

A short-term patch against this is for administrators to disable PHP rendering entirely in vBulletin. Here are the steps to follow:

  1. Navigate to the vBulletin administrator control panel.
  2. Click "Settings" in the menu on the left, then "Options" in the dropdown.
  3. Choose "General Settings" and then click "Edit Settings".
  4. Look for "Disable PHP, Static HTML, and Ad Module rendering" and set it to "Yes".
  5. Click "Save".

Source: twitter.com

What's interesting about vBulletin is that it has a long track record of software problems, mostly involving code execution and SQL injection. vBulletin doesn't have a bug bounty program, which means an extra incentive for some threat hunters to disclose vulnerabilities is missing (see vBulletin's vulnerability statistics below).

Source: cvedetails.com

What about other forum software?

Content management software, especially for forums, has always been closely scrutinized for vulnerabilities because of the level of impact and the type of data potentially exposed. Forums attract attackers because they store all kinds of information (user names, IP addresses, emails, and passwords) that can be used to deanonymize users and conduct credential stuffing attacks elsewhere.

Many alternatives to vBulletin, such as XenForo, phpBB and MyBB, all face that same risk. Once there's a 0day, you either find a quick fix (and when I say quick, I mean less than an hour to act) or face downtime.

It's almost trivial for attackers to formulate enumeration strategies to find vulnerable instances of web technology and quickly mass-exploit them. 0days like this are not usually released to the public, so you wouldn't know they even exist. Is there a better way for forum owners to protect themselves and their online communities?

There is. A setup that involves two trusted endpoints promises the most effective remediation. Both the client and server are validated against each other to only allow what the website permits users to transmit. To put it another way, arbitrary POST/GET requests are not allowed unless permitted through the front-end's submission forms.

Suppose the client's access is strictly restricted. In that case, users have to interact with the website exactly as defined and offered by the front-end, and you minimize the web-exploitation attack surface.

*** This is a Security Bloggers Network syndicated blog from Authentic8 Blog authored by Amir Khashayar Mohammadi. Read the original post at: https://blog.authentic8.com/vbulletin-5-0day-from-imperfect-patch/

vbulletin vulnerability,cve-2020-5363