Security researcher publishes details and exploit code for a vBulletin zero-day

Information Security Buzz
Thursday, August 13, 2020

• 4.5k
• More

A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin. The zero-day is a bypass for a patch from a previous vBulletin zero-day — namely CVE-2019-16759, disclosed in September 2019. This previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE).

Ilia Kolochenko, Founder and CEO, ImmuniWeb

Combined with the peak of summer holidays and Covid-19 disruption, this vulnerability may have quite disastrous and long-lasting consequences compared to similar ones disclosed in the past. The volume of personal data available in web forums is huge. Attackers will launch large-scale and automated hacking campaigns to later run password re-use and identity theft attacks, and extort money from those victims whose sensitive data was exposed in the forum’s private messages for example.

Worse, given that the security flaw allows a non-authenticated remote attacker to run arbitrary code on the server, not only the forum may be compromised but the entire web server and its environment. Cybercriminals commonly don’t take a summer vacation, and exploitation in the wild has reportedly already started. We can expect that the vast majority of vulnerable forums will be hacked and backdoored within the next 24 hours.

Administrators of the affected resources shall urgently apply the vendor-supplied patch, and consider putting the entire web server offline for investigation whether their forum has been compromised. Modern-day attackers usually install patches once their target is under control to preclude “competitors” from getting in. Thus, if your forum is somehow invulnerable, it’s rather an alarming sign. Read Full Article