May 25, 2022



Security researcher publishes details and exploit code for a vBulletin zero-day



A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin, one of today's most popular forum software packages.

The zero-day is a bypass for a patch from a previous vBulletin zero-day, specifically CVE-2019-16759, disclosed in September 2019.

The previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE).

CVE-2019-16759 was disclosed on September 24, 2019, and a patch was provided the next day, on September 25.

New zero-day bypasses CVE-2019-16759 patch

However, in a blog post published late Sunday night, Austin-based security researcher Amir Etemadieh said the CVE-2019-16759 patch “was inadequate in blocking exploitation.”

The researcher said he found a simple way to bypass the patch and continue to exploit the same CVE-2019-16759 vulnerability, and published three proofs-of-concept in Bash, Python, and Ruby to prove his point.

Etemadieh told ZDNet he did not contact and notify the vBulletin team before going public with his findings. MH Sub I, LLC, the company that commercializes the vBulletin forum software, has not returned a request for comment.

Forums are a popular target for hackers

Either way, the new zero-day code is live and has been broadly shared on social media sites like Reddit and Twitter, and inside hacking communities hosted on private forums and Discord channels.

The publication of the September 2019 zero-day triggered a huge wave of vBulletin hacks last year, resulting in many companies disclosing security breaches over the following months.

Forums, in general, are some of the most sought-after web technologies to hack. The reason why hackers put a premium on forums has to do with their purpose and the data they can steal.

Unlike most content management systems like WordPress, Drupal, or Joomla, online forums like vBulletin are built for the sole and primary purpose of managing online communities, and, as a result, hold large quantities of personal data.

A WordPress site may be used to run a wedding planner’s or a lawyer’s business website, but even the lowliest and most unimportant forums have thousands of registered user profiles holding sensitive user details, along with user posts, private messages, and sometimes even financial information, if the forums have pay-to-access features.

However, even if Etemadieh didn’t make it clear if he notified the vBulletin team about his plans to reveal a zero-day, the researcher says forum owners can prevent exploitation by making the following modifications to their discussion board settings.

  1. Go to the vBulletin administrator control panel.
  2. Click “Settings” in the menu on the left, then “Options” in the dropdown.
  3. Choose “General Settings” and then click “Edit Settings”.
  4. Look for “Disable PHP, Static HTML, and Ad Module rendering” and set it to “Yes”.
  5. Click “Save”.

At the time of writing, at least one forum was confirmed to have been hacked using this new zero-day: the forum of the DEF CON security conference, which just recently concluded over the weekend.

Updated at 19:30 ET to add that the vBulletin team has released a patch. MITRE has assigned this new zero-day the identifier CVE-2020-17496.