vBulletin developers on Monday rushed to address a zero-day remote code execution (RCE) vulnerability in the forum software, one day after the issue was publicly disclosed.
Written in PHP, vBulletin is very popular among numerous large brands, including Electronic Arts, Pearl Jam, Sony, Steam, Zynga, and others.
The newly disclosed vulnerability is related to CVE-2019-16759, a critical (CVSS score of 9.8) zero-day RCE vulnerability in versions 5.0 to 5.4 that was disclosed last year by an unknown researcher and was immediately exploited in live attacks.
On Sunday, security researcher Amir Etemadieh published information on a new vulnerability in vBulletin, explaining how it can be abused to bypass the patch released in September 2019 for CVE-2019-16759, and also providing proof-of-concept (PoC) code that demonstrates how easily the flaw can be exploited.
Etemadieh, who has identified other severe vulnerabilities in vBulletin before, did not contact vBulletin prior to disclosing the new vulnerability, which does not have a CVE identifier yet.
The original RCE flaw resides in the software's ajax/render/widget_php route and can be exploited by leveraging the widgetConfig parameter to inject code. Following the original patch, vBulletin added extra code intended to ensure the flaw could no longer be triggered.
What Etemadieh discovered was that the way the vBulletin template system is structured allows an attacker to bypass the fix for CVE-2019-16759. Specifically, the issue resides within the template "widget_tabbedcontainer_tab_panel," which can load a user-controlled child template.
"The template loads the child template by taking a value from a separately named value and inserting it into a variable named 'widgetConfig'," the researcher notes, explaining that this behavior allows for the bypass of all filtering in place to prevent the exploitation of CVE-2019-16759.
Etemadieh, who published Bash, Python, and Metasploit exploits for the flaw, also stresses that the simplicity of this vulnerability allows for exploitation using a one-line command line exploit. The researcher also published information on how to disable PHP widgets and mitigate the flaw.
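Added detection example (not from the article, and not vBulletin's or the researcher's code): a Python scan over constructed web-server access-log lines that flags requests to the ajax/render routes named above. The template names and the widgetConfig parameter come from the article; the log lines, IP addresses and user agents are constructed sample data, and the combined log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in Apache/nginx "combined" format (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2020:14:02:11 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2020:14:02:13 +0000] "POST /forum/ajax/render/widget_php HTTP/1.1" 200 412 "-" "curl/7.68.0"
198.51.100.9 - - [10/Aug/2020:14:03:40 +0000] "POST /forum/ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 389 "-" "python-requests/2.24"
192.0.2.77 - - [10/Aug/2020:14:04:02 +0000] "GET /forum/ajax/render/widget_members HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2020:14:05:00 +0000] "GET /forum/ajax/render/widget_members?widgetConfig=x HTTP/1.1" 200 410 "-" "curl/7.68.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "request line", status, bytes, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Templates named in the article: the original CVE-2019-16759 sink and the one used to bypass its patch.
SUSPECT_TEMPLATES = {"widget_php", "widget_tabbedcontainer_tab_panel"}

def classify(line):
    """Return a short reason string if the request deserves review, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    segs = parts.path.strip("/").split("/")
    # Only the .../ajax/render/<template> route is of interest here.
    if len(segs) < 3 or segs[-3:-1] != ["ajax", "render"]:
        return None
    template = segs[-1]
    if template in SUSPECT_TEMPLATES:
        return f"render of {template} from {m.group('ip')}"
    # POST bodies are not in access logs, but a widgetConfig in the query string is still worth a look.
    if "widgetConfig" in parse_qs(parts.query):
        return f"widgetConfig supplied to {template} from {m.group('ip')}"
    return None

def scan(log_text):
    """Run classify() over every line and collect the hits in log order."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits here are only a triage signal: a legitimate site renders widgets through the same route, so correlate flagged entries with the client, method and user agent before acting.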
Security researchers at Tenable have analyzed Etemadieh's exploit and confirmed that it works.
Black Hat and DEF CON founder Jeff Moss revealed on Twitter that hackers exploited the vulnerability in an attack aimed at the DEF CON forum within hours of the public disclosure. Others also reported being targeted, according to posts on the vBulletin forum.
On Monday, vBulletin announced that patches were available for the 5.6.0, 5.6.1, and 5.6.2 versions of vBulletin Connect. The fixes remove the PHP Module. A full patch will be included in the next build of 5.6.3, and the PHP Module will be completely removed in vBulletin 5.6.4.
Sites using vBulletin Cloud are not impacted by the vulnerability.
"All older versions should be considered vulnerable. Sites running older versions of vBulletin should be upgraded to vBulletin 5.6.2 as soon as possible," vBulletin said.