Recently, vBulletin addressed a zero-day vulnerability that was quickly exploited. The bug appeared as a result of bypassing the patch for a previously known and fixed vulnerability.
vBulletin Zero-Day Due To Failed CVE-2019-16759 Fix
Reportedly, in 2019, a security researcher discovered a critical vulnerability in vBulletin 5.0 to 5.4. As revealed through the full disclosure, the bug could allow PHP remote code execution upon exploitation. It received the CVE ID CVE-2019-16759 with a critical severity rating and a CVSS score of 9.8.
Within three days of disclosure, the vendors deployed a fix for the flaw.
However, recently, another security researcher Amir Etemadieh discovered that the fix had a security issue and could find a way to bypass the patch and exploit the flaw. He even shared the PoCs for it in Bash, Python, and Ruby.
Today I released my research on vBulletin5 including a new pre-auth 0day RCE exploithttps://t.co/m7pd527lCr
POC: curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[template]=widget_php&subWidgets[config][code]=echo%20shell_exec("id"); exit;' pic.twitter.com/JjThUBVTmc
— Amir Etemadieh (@Zenofex) August 9, 2020
Sharing the details in a blog post, the researcher revealed that the problems existed in the vBulletin template structure. As stated,
Specifically, templates aren’t actually written in PHP but instead are written in a language that is first processed by the template engine and then is output as a string of PHP code that is later ran through an eval() during the “rendering” process.
Furthermore, the templates could have numerous child templates after being nested. This structure triggered numerous security bugs. A bug in one template could expose other code too, including the parent template.
Thus, the researcher could bypass the fix by exploiting the template “widget_tabbedcontainer_tab_panel” that had two features.
1. The templates ability to load a user controlled child template.
2. The template loads the child template by taking a value from a separately named value and placing it into a variable named “widgetConfig”.
He has also shared a detailed presentation for anyone to test the exploit.
vBulletin Released Another Patch
Upon discovering the flaw, the researcher did not disclose the vulnerability privately to the vendors and instead disclosed the details online.
Shortly after the disclosure, attackers exploited the vulnerability to hack the DEFCON forum.
A new VBulletin Zero Day got dropped yesterday by @Zenofex that revealed the CVE-2019-16759 patch was incomplete – within three hours https://t.co/LwbPuEoL5b was attacked, but we were ready for it. Disable PHP rendering to protect yourself until patched! https://t.co/7JtmEzcTFG pic.twitter.com/R4AcCoZt1B
— Jeff Moss (@thedarktangent) August 10, 2020
vBulletin has recently released a fix for this flaw as well. As announced, they have fixed the bug with the release of vBulletin Connect versions 5.6.2, 5.6.1, and 5.6.0. Whereas, it did not affect vBulletin Cloud sites.
Let us know your thoughts in the comments.