Home » How to remove » Malicious process » Developers released a patch for the 0-day bug in vBulletin, but it turned out that the vulnerability had been exploited for years.

Developers released a patch for the 0-day bug in vBulletin, but it turned out that the vulnerability had been exploited for years.

Yesterday it was reported that a certain anonymous researcher published in the public domain details of the dangerous zero-day vulnerability in the vBulletin forum engine, as well as an exploit for it. Now it turned out that this vulnerability has been exploited for years.

The bug allows an attacker to execute shell commands on a vulnerable server. Moreover, an attacker just needs to use a simple HTTP POST request and does not need to have an account on the targeted forum, that is, the problem belongs to the unpleasant class of pre-authentication vulnerabilities.

“Essentially, any attack exploits a super simple command injection. An attacker sends the payload, vBulletin then runs the command, and it responds back to the attacker with whatever they asked for. If an attacker issues a shell command as part of the injection, vBulletin will run Linux commands on its host with whatever user permissions vBulletins’ system-level user account has access to”, — Ryan Seguin, a research engineer at Tenable, told.

Now on the GitHub arrived a more detailed description of the problem, and a script has also been published on the network to search for vulnerable servers. VBulletin users, in turn, have already begun reporting about attacks on their forums. Some even complain about the complete removal of the database with this bug.

Interestingly, after the publication of vulnerability data, the head of Zerodium, Chauki Bekrar, said on Twitter that his company and customers had been aware of this problem for three years, and exploits for it had long been sold on the black market.

“The recent vBulletin pre-auth RCE 0-day disclosed by a researcher on full-disclosure looks like a bugdoor, a perfect candidate for @PwnieAwards 2020. Easy to spot and exploit. Many researchers were selling this exploit for years. @Zerodium customers were aware of it since 3 years”, — wrote Chaouki Bekrar.

Since the developers of vBulletin were silent, IS expert Nick Cano promptly prepared an unofficial patch for this bug. To use it, just edit includes/vb5/frontend/controller/bbcode.php accordingly.

READ  Anonymous publishes exploit for 0-day vulnerability in vBulletin

Finally, on the evening of September 25, vBulletin developers broke silence and announced the release of a patch for vBulletin version 5.5.X. The vulnerability was assigned the identifier CVE-2019-16759.

[Total: 0    Average: 0/5]

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

MageCart on the Heroku Cloud Platform

Researchers Found Several MageCart Web Skimmers On Heroku Cloud Platform

Researchers at Malwarebytes reported about finding several MageCart web skimmers on the Heroku cloud platform …

Android Spyware CallerSpy

CallerSpy spyware masks as an Android chat application

Trend Micro experts discovered the malware CallerSpy, which masks as an Android chat application and, …

Leave a Reply