A zero-day vulnerability has been revealed in the vBulletin forum software and may be exploited to launch remote code execution (RCE) attacks.
Internet Brands' vBulletin is forum and network software, with organizations such as NASA, EA, Steam and Zynga as customers.
Exploitee.rs founder Amir Etemadieh, who goes by the handle @Zenofex, disclosed the zero-day on Sunday.
In a technical write-up of the vulnerability, the exploit developer explained that the issue stems from a failed security fix for CVE-2019-16759.
Affecting vBulletin 5.0 to 5.4 and carrying a CVSS score of 9.8, that critical vulnerability allowed pre-authentication RCE attacks against vBulletin forums through the widget_rendering template code.
A fix was released on September 25, 2019, which added a function to remove unauthorized “registered variables”.
In vBulletin 5.5.5, further code was added to create layers of redundancy, intended to prevent users from modifying templates to improperly call functions that could trigger the exploit.
However, Etemadieh says the design of the vBulletin template system makes it possible to bypass the fix.
Templates are not written in PHP, but are processed and rendered through the template engine in PHP code, and templates can also be nested in other templates.
The earlier fix breaks down when user-controlled child templates are used, and when combined with widget_tabbedcontainer_tab_panel, which is able to load child templates, it is possible to bypass all the filters put in place to address CVE-2019-16759.
In all, a single line of command-line code is required to launch an RCE attack.
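The filter-placement problem described above can be shown with a simplified model, added here as an illustration and not taken from vBulletin or from Etemadieh's write-up. The names `code_widget`, `container_widget` and `text_widget` are hypothetical stand-ins; `container_widget` plays the role of widget_tabbedcontainer_tab_panel.

```python
# Simplified model of the filter-placement flaw; not vBulletin code.
# Template names are hypothetical stand-ins.
BLOCKED = {"code_widget"}  # template that must never be reachable by users
CAN_NEST = {"container_widget"}  # stands in for widget_tabbedcontainer_tab_panel
KNOWN = BLOCKED | CAN_NEST | {"text_widget"}
MAX_DEPTH = 8


class BlockedTemplate(Exception):
    pass


def render(name, params, check_every_level, depth=0):
    """Return the names of every template rendered, parents first."""
    if name not in KNOWN or depth > MAX_DEPTH:
        raise ValueError(f"refusing to render {name!r}")
    if check_every_level and name in BLOCKED:
        raise BlockedTemplate(name)
    rendered = [name]
    if name in CAN_NEST:
        # Child template names arrive in user-controlled parameters.
        for child in params.get("children", []):
            rendered += render(child["template"], child.get("params", {}),
                               check_every_level, depth + 1)
    return rendered


def filter_at_entry(name, params):
    """Weak: the denylist sees only the template named in the request."""
    if name in BLOCKED:
        raise BlockedTemplate(name)
    return render(name, params, check_every_level=False)


def filter_in_renderer(name, params):
    """Hardened: the renderer checks every template, nested ones included."""
    return render(name, params, check_every_level=True)


# Constructed sample request: a container that nests the blocked template.
NESTED = ("container_widget", {"children": [{"template": "code_widget"}]})

if __name__ == "__main__":
    print("entry filter rendered:", filter_at_entry(*NESTED))
    try:
        filter_in_renderer(*NESTED)
    except BlockedTemplate as exc:
        print("renderer filter blocked:", exc)
```

A check that runs only on the requested template name never sees the child, which is why enforcement belongs inside the renderer where every template passes through it.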
The official vBulletin forum went offline on Monday (August 10), posting an apology message for the ‘maintenance’.
Jeff Moss, the founder of Black Hat and DEF CON, said on Twitter that within 3 hours of the disclosure of the vBulletin vulnerability, the DEF CON forum was attacked. However, the event team “is ready for that”.
A Python exploit, along with Bash and Ruby exploits, was released as part of the vBulletin disclosure.
A pull request was also sent for a Metasploit module for the metasploit-framework project.
In addition, programmer Darren Martyn released a vBulletin exploit, vBulldozer, on GitHub.
Described as a “noisy, dirty” exploit with “zero stealth,” vBulldozer is a Python script that recursively attempts to place webshells in a directory to execute arbitrary PHP code.
“The component of publishing my studies on vBulletin is the option to leave for now,” Etemadieh said on Twitter.
“If someone is in favor of more vB errors, I’m sure they can shake the “tree models” a little more for some other day of vBulletin RCE.”
Speaking to The Daily Swig, Etemadieh said he had contacted the vendor prior to the disclosure.
“I felt that, being a critical vulnerable skill that they hadn’t been able to fix a year earlier, and with my ability to publish a transitory correction, it’s more productive for vBulletin consumers to take the full disclosure path,” he said.
As a short-term solution, forum webmasters are advised to disable PHP widgets in the vBulletin administrator control panel.
To do this, users will need to access “Settings” and set “Disable PHP, Static HTML, and Ad Module rendering” to “Yes”.
“[This] would possibly break some features, however, it will be from the attacks until a solution is released through vBulletin,” the developer said.
Late Monday night, after restoring the forum, vBulletin released a patch for vBulletin Connect versions 5.6.x.
No patch is available for the beta release, Preview 5.6.3; however, a fix is planned for the next stable release.
“All previous versions should be considered vulnerable,” says the vBulletin team. “Sites running earlier versions of vBulletin should be upgraded to vBulletin 5.6.2 as soon as possible.”
The Daily Swig has contacted vBulletin with further questions and will update this story when we hear back.