Rash of Exploits Targets Critical vBulletin RCE Bug

A critical remote code execution (RCE) bug affecting default 5.x versions of vBulletin (CVE-2019-16759) is being actively exploited in the wild, allowing unauthenticated attackers to take control of web hosts.

A zero-day proof-of-concept code was anonymously published on Monday, ahead of vBulletin issuing a patch. Also, Tenable vice president of intelligence Gavin Millard said via email that there is now a script to leverage Shodan and mass identify thousands of vulnerable systems.

Bug Details

A successful exploit would allow an attacker to take control of a site using vBulletin, a popular platform for powering online forums and communities.

According to Sucuri researcher Marc-Alexandre Montpas, the bug is caused by a flaw in vBulletin’s PHP widgets, which are rendered at runtime and used to create dynamic widgets without having to directly access the hosting server.

“The researcher found a way to force the site to render arbitrary widgets using the ajax/render/widget_php route,” he explained in a blog post this week. “Since the evalCode callback does exactly what you think it does, essentially running eval on the code it is fed, this makes it possible to run arbitrary code on the underlying server.”

Tenable Research analysis showed that an unauthenticated attacker can exploit the issue by sending a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands.

“These commands would be executed with the permissions of the user account that the vBulletin service is utilizing,” said Tenable researcher Ryan Seguin, in the analysis. “Depending on the service user’s permissions, this could allow complete control of a host….the published exploit code returns its successful execution in a JSON formatted response.”

The fix is for versions 5.5.2, 5.5.3 and 5.5.4; users on earlier versions of vBulletin 5.x will need to update to one of the currently supported versions in order to apply the patch. The fix has also been applied to the cloud version of the platform.

Administrators should apply the patch as soon as possible.

Montpas warned, “This vulnerability is extremely severe. It allows any website visitors to run PHP code and shell commands on the site’s underlying server. As if it wasn’t bad enough, this bug doesn’t require the attacker to have any kind of privilege to conduct a successful attack. vBulletin’s default settings also make the vulnerable endpoint accessible by default.”

Attacks in the Wild

Sucuri and Tenable telemetry has identified a rash of attacks already taking place in the wild, just days after the PoC was dropped on Securelist.

“The payload attackers are using is very interesting: It essentially modifies the vulnerable snippet by adding a password validation,” Montpas noted. “This is a way for attackers to maintain access to sites they’ve hacked for themselves, as well as lock out other potential hackers from getting in. From this point, the bad actor can use his newly acquired site to do other malicious things in the future.”

To find out if a site has been compromised, the researcher said to look for “ajax/render/widget_php” in the access logs. That’s because some of the parameters used in the attacks can be located on POST requests, which wouldn’t leave any traces in the logs.

Mike Bittner, associate director of Digital Security and Operations at The Media Trust, said that it was just a matter of time before bad actors fixed their crosshairs on forums, which are rich storehouses of user information.

“The argument that many of today’s sites do not collect users’ information betrays a very uninformed notion of how websites work,” he said via email. “Most, if not all, of today’s websites are built using a vendor’s platform. If you’re a small business, you probably don’t have the time or the money to build your own platform. If you’re a medium-sized or large organization, you don’t have the time or money to build a platform with all the bells and whistles users have come to expect. Forums are just one example. Unfortunately, vendors that supply these features too often collect information on users without site owners’ authorization, while failing to equip their products with the needed security and privacy protections, leaving website owners to fend for themselves and shoulder the blame for any data breaches involving their sites. In an environment where bad actors are always looking out for vulnerabilities they can exploit or well-intentioned products like vBulletin they can abuse, site owners will need to close the security gaps themselves–ideally by carefully vetting their vendors and ensuring those vendors observe digital policies.”

_What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _Threatpost webinar_, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” _Click here to register.