|The Darknets News Hacker News - leading source of Information Security, latest Hacking News, Cyber Security, Network Security with in-depth technical coverage of issues and events.|
vBulletin fixes ridiculously easy to exploit zero-day RCE bug
A simple one-line exploit has been published for a zero-day pre-authentication remote code execution (RCE) vulnerability in the vBulletin forum software.
vBulletin is an immensely popular online forum software utilized by large brands such as Electronic Arts, Zynga, Sony, Pearl Jam, NASA, Steam, and many more.
In September 2019, an unknown security researcher [Ссылки могут видеть только зарегистрированные пользователи. ] in vBulletin's versions 5.0 through 5.4, which was tracked as [Ссылки могут видеть только зарегистрированные пользователи. ].
Using this vulnerability, attackers could remotely exploit a bug in vBulletin's PHP Module to execute any PHP command on the remote server without logging into the forum.
This vulnerability was given a 'Critical' severity rating of 9.8/10 due to its ease of use and its ability to remotely execute commands on vulnerable vBulletin servers.
Yesterday, security researcher Amir Etemadieh ([Ссылки могут видеть только зарегистрированные пользователи. ]) disclosed a [Ссылки могут видеть только зарегистрированные пользователи. ] that bypasses the patch issued in 2019 for the original CVE-2019-16759 vulnerability.
This exploit is ridiculously easy to use and allows anyone to remotely execute commands using a single one-line command that sends a POST request to a vBulletin server, as illustrated in the image below.
PoC of vBulletin zero-day
Source: [Ссылки могут видеть только зарегистрированные пользователи. ]
In a conversation with BleepingComputer, Etemadieh stated that he publicly disclosed the vulnerability as vBulletin failed to properly patch it the first time and he was able to offer a mitigation as part of the disclosure.
"I felt that with it having already been a critical vulnerability that they failed to patch a year prior. Releasing full disclosure was the best path."
"I also provided a fix with the disclosure to allow any customers a quick method to immediately prevent an attacker from being able to reach the vulnerable code."
"Companies need to take security seriously, researchers cannot constantly provide free labor to identify vulnerabilities."
"Something I always like to point out to the public is that, I do not create the vulnerabilities in the code, I only provide the free labor to expose them," Etemadieh told BleepingComputer.
Attacks began immediately
Soon after the zero-day was published, vBulletin sites were already under attack.
According to Jeff Moss, aka The Dark Tangent and the creator of the Black Hat and Defcon security conferences, the defcon.org forum was attacked with this exploit three hours after it was disclosed.
vBulletin's forum also went offline earlier today as they were presumably applying a patch to fix the vulnerability.
vBulletin releases a quick fix for zero-day bug
Due to the ease of use and severity of this vulnerability, BleepingComputer decided to hold off on reporting about it until a patch was available.
As of this afternoon, vBulletin has released a patch that disables the PHP module in vBulletin to mitigate the vulnerability.
"All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible. For more information on upgrading please see Quick Overview: [Ссылки могут видеть только зарегистрированные пользователи. ] in the support forums," vBulletin's [Ссылки могут видеть только зарегистрированные пользователи. ].
vBulletin states that this module will be removed entirely in version 5.6.4.
For users who are running production servers, you can also mitigate the vulnerability by performing the following steps:
Put the site into [Ссылки могут видеть только зарегистрированные пользователи. ].
Log into the AdminCP.
Go to Styles -> Style Manager.
Open the template list for the MASTER style.
Scroll to the bottom where it says Module Templates.
Highlight the widget_php module.
Click the Revert Button.
This will completely delete the template from your site and make the PHP Module inoperative.
All vBulletin users should immediately install the patch or apply the mitigation steps above before their servers are compromised by hackers.
Update 8/10/20: Added statement from Amir Etemadieh.
|Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)|
|Опции темы||Поиск в этой теме|