vBulletin developers on Monday rushed to address a zero-day remote code execution (RCE) vulnerability in the forum software, one day after the issue was publicly disclosed.
Written in PHP, vBulletin is highly popular among numerous large brands, including Electronic Arts, Pearl Jam, Sony, Steam, Zynga, and others.
The newly disclosed vulnerability is related to CVE-2019-16759, a critical (CVSS score of 9.8) zero-day RCE vulnerability in versions 5.0 to 5.4 that was disclosed last year by an unknown researcher and was immediately exploited in live attacks.
On Sunday, security researcher Amir Etemadieh published information on a new vulnerability in vBulletin, explaining how it can be abused to bypass the patch released in September 2019 for CVE-2019-16759, and also providing proof-of-concept (PoC) code that demonstrates how easily the flaw can be exploited.
Etemadieh, who identified other severe vulnerabilities in vBulletin before, did not contact vBulletin prior to disclosing the new vulnerability, which does not have a CVE identifier yet.
The initial RCE flaw resides in the software’s ajax/render/widget_php route and can be exploited by leveraging the widgetConfig parameter to inject code. Following the initial patch, vBulletin added more code that would ensure the flaw cannot be triggered.
What Etemadieh discovered was that the manner in which the vBulletin template system is structured allows an attacker to bypass the fix for CVE-2019-16759. Specifically, the issue resides within the template “widget_tabbedcontainer_tab_panel,” which can load a user-controlled child template.
“The template loads the child template by taking a value from a separately named value and placing it into a variable named ‘widgetConfig’,” the researcher notes, explaining that this behavior allows for the bypass of all filtering in place to prevent the exploitation of CVE-2019-16759.
Etemadieh, who published Bash, Python, and Metasploit exploits for the flaw, also stresses upon the fact that the simplicity of this vulnerability allows for exploitation using a one-line command line exploit. The researcher also published information on how to disable PHP widgets and mitigate the flaw.
Security researchers at Tenable have analyzed Etemadieh’s exploit and confirmed that it is working.
BlackHat and DEF CON founder Jeff Moss revealed on Twitter that hackers exploited the vulnerability in an attack aimed at the DEF CON forum within hours after the public disclosure. Others also reported being targeted, according to posts on the vBulletin forum.
On Monday, vBulletin announced that patches were available for the 5.6.0, 5.6.1, and 5.6.2 versions of vBulletin Connect. The fixes remove the PHP Module. A full patch will be included in the next build of 5.6.3 and the PHP Module will be completely removed in vBulletin 5.6.4.
Sites using vBulletin Cloud are not impacted by the vulnerability.
“All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible,” vBulletin said.