The fix for CVE-2019-16759, a remote code execution vulnerability in vBulletin that was patched in September 2019, is incomplete, security researcher Amir Etemadieh has discovered.
The discovery, together with his publication of a PoC and full exploits, spurred attackers into action:
A new VBulletin Zero Day got dropped yesterday by @Zenofex that revealed the CVE-2019-16759 patch was incomplete – within three hours https://t.co/LwbPuEoL5b was attacked, but we were ready for it. Disable PHP rendering to protect yourself until patched! https://t.co/7JtmEzcTFG pic.twitter.com/R4AcCoZt1B
— Jeff Moss (@thedarktangent) August 10, 2020
Several other admins confirmed that they’ve been hit.
Risk mitigation and prevention
Etemadieh explained how he discovered that the patch for CVE-2019-16759 was flawed in a blog post published on Sunday.
Today I released my research on vBulletin5 including a new pre-auth 0day RCE exploit https://t.co/m7pd527lCr
POC: curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[template]=widget_php&subWidgets[config][code]=echo%20shell_exec("id"); exit;' pic.twitter.com/JjThUBVTmc
— Amir Etemadieh (@Zenofex) August 9, 2020
It’s a quality write-up and contains a one-line PoC exploit and full exploits written in Bash, Python and Ruby, as well as instructions on how to implement a fix until a more complete patch is released (in short, forum admins were advised to temporarily disable PHP widgets).
“Tenable Research has tested the proof of concept from Etemadieh and confirmed successful exploitation using the latest version of vBulletin,” Tenable research engineer Satnam Narang confirmed.
Internet Brands, the makers of vBulletin, were not notified of the discovery prior to publication, so they have had to scramble to fix the flaw again.
New patches were made available on Monday for vBulletin Connect versions 5.6.2, 5.6.1 and 5.6.0; they disable the PHP Module widget. The upcoming v5.6.3 will contain the patch.
“All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible,” they advised, and noted that vBulletin Cloud sites are not affected by this issue.
vBulletin is the most popular internet forum software in use today and also powers many dark web forums. vBulletin flaws, especially when they allow remote code execution without authentication, are usually speedily leveraged by attackers, so admins are advised to implement the patches ASAP.
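Because exploitation attempts began within hours of the disclosure, admins who patch now will also want to check whether the endpoint named in the public PoC was hit before the patch landed. The script below is an added example written for this article, not code from Etemadieh, Tenable or Internet Brands: it scans web server log lines for requests to the ajax/render/widget_tabbedcontainer_tab_panel endpoint that carry the widget_php template or an inline code parameter, in either the query string or a logged request body. The log format, the optional trailing body field and all sample lines are constructed assumptions; stock access logs do not record POST bodies, so on such logs only the query-string variant is visible and POST requests to the endpoint deserve a closer look on their own.

```python
import re
from urllib.parse import unquote_plus

# Endpoint and parameter names taken from the public PoC quoted in the article.
TARGET_PATH = "/ajax/render/widget_tabbedcontainer_tab_panel"
MARKERS = ("subWidgets[template]=widget_php", "subWidgets[config][code]=")

# Combined-log-style line with an optional trailing quoted request body.
# Assumption: the server (or a WAF in front of it) logs POST bodies; stock
# access logs do not, so POST-based attempts would only show the path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<body>[^"]*)")?'
)


def is_widget_php_request(target: str, body: str = "") -> bool:
    """True if the request hits the tab-panel render endpoint and carries the
    widget_php template or an inline PHP code parameter (GET or POST)."""
    path, _, query = target.partition("?")
    if not path.endswith(TARGET_PATH):
        return False
    # Decode percent-encoding so bracketed parameter names are comparable.
    decoded = unquote_plus(query) + "&" + unquote_plus(body)
    return any(marker in decoded for marker in MARKERS)


def scan_log(lines):
    """Return (ip, timestamp, target) for every line matching the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_widget_php_request(m["target"], m["body"] or ""):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits


# Constructed sample lines (not real traffic); the payload here is a harmless
# "echo 1;" stand-in, since only the parameter names matter for detection.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2020:14:02:11 +0000] "POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 512 '
    '"subWidgets[template]=widget_php&subWidgets[config][code]=echo%201;"',
    '198.51.100.7 - - [10/Aug/2020:14:02:13 +0000] "GET /ajax/render/widget_tabbedcontainer_tab_panel?widgetid=12 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Aug/2020:14:02:15 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 4096',
    '192.0.2.9 - - [10/Aug/2020:14:05:40 +0000] "GET /forum/ajax/render/widget_tabbedcontainer_tab_panel?subWidgets%5Btemplate%5D=widget_php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

Ordinary tab-panel renders (the second sample line) are legitimate traffic and are not flagged; the two hits are the POST with a logged body and the GET variant that moves the same parameters into the query string. A hit with a 200 response on a host that was unpatched at that time is a reason to treat the server as potentially compromised rather than merely to apply the update.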