DEF CON forums were attacked within hours of release
Internet Brands’ vBulletin is forum and community software, counting organizations such as NASA, EA, Steam, and Zynga among its customers.
Exploitee.rs founder Amir Etemadieh, who goes under the handle @Zenofex, disclosed the zero-day bug on Sunday.
Impacting vBulletin 5.0 through 5.4 and assigned a CVSS score of 9.8, the critical vulnerability permitted pre-authentication RCE attacks against vBulletin forums through the widget_rendering template code.
A patch was issued on September 25, 2019, adding functionality to remove non-allowed “registered variables”.
In vBulletin 5.5.5, additional code was added to create layers of redundancy, including preventing users from modifying templates to incorrectly call functions that could trigger the exploit.
However, Etemadieh says the vBulletin template system’s structure allows for the fix to be bypassed.
Templates are not written in PHP, but rather are processed and rendered by the template engine into PHP code, and templates can also be nested within other templates.
The previous patch runs into problems when user-controlled child templates are in use, and when combined with widget_tabbedcontainer_tab_panel – which has the power to load child templates – it is possible to bypass all filtering set in place to resolve CVE-2019-16759.
All in all, it takes only one line of command-line code to launch an RCE attack.
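The bypass described above hinges on a client handing the tab-panel widget renderer its own child template. A defender cannot see the template engine's internals from the web server, but can hunt access logs for render requests that carry template or widget-config parameters, which ordinary forum browsing does not send. The script below is an added example written for this article, not code from vBulletin or from the disclosure. It assumes a constructed log format (combined-style fields with the POST body logged as a final quoted field, as some reverse proxies can be configured to do) and assumes that a client-chosen child template appears as a parameter whose key ends in `[template]`; the sample lines and template names are constructed for the example.

```python
"""Hunt an access log for template-render requests that supply their own child template.

Added example for this article; not vBulletin's code or the disclosure's code.
Assumptions: combined-style log with the POST body as the last quoted field
(constructed here), and client-chosen child templates passed under a
parameter key ending in "[template]".
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines: two ordinary requests from a browser, then two
# scripted POSTs that hand the tab-panel renderer a child template of their own.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2020:14:02:11 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "Mozilla/5.0" "-"
203.0.113.10 - - [10/Aug/2020:14:02:13 +0000] "GET /forum/ajax/render/widget_tabbedcontainer_tab_panel?tabId=2 HTTP/1.1" 200 1843 "Mozilla/5.0" "-"
198.51.100.7 - - [10/Aug/2020:14:05:41 +0000] "POST /forum/ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 233 "python-requests/2.24" "subWidgets[0][template]=some_child_template&subWidgets[0][config][code]=..."
198.51.100.7 - - [10/Aug/2020:14:05:44 +0000] "POST /forum/ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 233 "python-requests/2.24" "subWidgets[0][template]=some_child_template"
"""

# Field layout of the constructed log format above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)
RENDER_ROUTE = "/ajax/render/"          # vBulletin's template-render route
TEMPLATE_KEY_RE = re.compile(r"\[template\]$")  # assumed shape of a child-template parameter


def parse_line(line):
    """Return the fields we need as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    # Merge query-string and body parameters; parse_qs keeps bracketed keys verbatim.
    params = parse_qs(url.query, keep_blank_values=True)
    if rec["body"] not in ("", "-"):
        for key, values in parse_qs(rec["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    rec["path"] = url.path
    rec["params"] = params
    return rec


def suspicious_reasons(rec):
    """List the reasons a render request looks like it carries a client-chosen template."""
    reasons = []
    if RENDER_ROUTE not in rec["path"]:
        return reasons  # only template-render requests are of interest
    template_keys = sorted(k for k in rec["params"] if TEMPLATE_KEY_RE.search(k))
    if template_keys:
        reasons.append("client names a child template: " + ", ".join(template_keys))
    if any("[config]" in k for k in rec["params"]):
        reasons.append("client supplies widget configuration")
    return reasons


def hunt(log_text):
    """Return [(ip, path, reasons)] for every log line that raises at least one reason."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec)
        if reasons:
            hits.append((rec["ip"], rec["path"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in hunt(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

The ordinary tab-panel GET with only a `tabId` parameter is left alone; only requests that name a template or push widget configuration from the client side are reported. Baseline the render route against a few days of known-good traffic before turning the reasons into alerts, since a customised front end may legitimately send parameters this heuristic has not seen.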
DEF CON attack
The official vBulletin forum was offline on Monday (August 10), displaying a message apologizing for “maintenance”.
Jeff Moss, the founder of Black Hat and DEF CON, said on Twitter that within three hours of the vBulletin vulnerability’s disclosure, the DEF CON forum was attacked. However, the events team was “ready for it”.
A Python exploit, alongside Bash and Ruby exploits, has been published as part of the vBulletin disclosure.
A pull request has also been submitted for a Metasploit module to the metasploit-framework project.
In addition, coder Darren Martyn published a vBulletin exploit, dubbed vBulldozer, on GitHub.
Described as a “loud, unclean” exploit with “zero stealth”, vBulldozer is a Python script that recursively attempts to drop webshells into every directory to execute arbitrary PHP code.
“The best part about releasing my vBulletin research is the ability to move on from it, for now,” Etemadieh said on Twitter.
“If anyone is looking for more vB bugs, I’m sure you could just shake the ‘template tree’ a little more for another vBulletin RCE 0day.”
Speaking to The Daily Swig, Etemadieh said that he did not warn the vendor prior to disclosure.
“I felt that with it being a critical vulnerability that they failed to patch a year prior, and with my ability to release an interim fix, that it was best for vBulletin customers that I go the route of full disclosure,” he said.
As a short-term fix, forum webmasters are urged to disable PHP widgets and rendering via the vBulletin administrator control panel.
In order to do so, users must go to “Settings” and set “Disable PHP, Static HTML, and Ad Module rendering” to “yes”.
“[This] may break some functionality but will keep you safe from attacks until a patch is released by vBulletin,” the developer commented.
Late on Monday evening and after forum access was restored, vBulletin released a patch for vBulletin Connect versions 5.6.x.
A fix is not available for the pre-release 5.6.3 Beta build, but a patch is planned for the next stable release.
“All older versions should be considered vulnerable,” the vBulletin team says. “Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible.”
The Daily Swig has reached out to vBulletin with additional queries and will update when we hear back.