Developers released a patch for the 0-day bug in vBulletin, but it turned out that the vulnerability had been exploited for years.

Yesterday it was reported that a certain anonymous researcher published in the public domain details of the dangerous zero-day vulnerability in the vBulletin forum engine, as well as an exploit for it. Now it turned out that this vulnerability has been exploited for years.

The bug allows an attacker to execute shell commands on a vulnerable server. Moreover, an attacker just needs to use a simple HTTP POST request and does not need to have an account on the targeted forum, that is, the problem belongs to the unpleasant class of pre-authentication vulnerabilities.

“Essentially, any attack exploits a super simple command injection. An attacker sends the payload, vBulletin then runs the command, and it responds back to the attacker with whatever they asked for. If an attacker issues a shell command as part of the injection, vBulletin will run Linux commands on its host with whatever user permissions vBulletins’ system-level user account has access to”, — Ryan Seguin, a research engineer at Tenable, told.

Now on the GitHub arrived a more detailed description of the problem, and a script has also been published on the network to search for vulnerable servers. VBulletin users, in turn, have already begun reporting about attacks on their forums. Some even complain about the complete removal of the database with this bug.

Interestingly, after the publication of vulnerability data, the head of Zerodium, Chauki Bekrar, said on Twitter that his company and customers had been aware of this problem for three years, and exploits for it had long been sold on the black market.

“The recent vBulletin pre-auth RCE 0-day disclosed by a researcher on full-disclosure looks like a bugdoor, a perfect candidate for @PwnieAwards 2020. Easy to spot and exploit. Many researchers were selling this exploit for years. @Zerodium customers were aware of it since 3 years”, — wrote Chaouki Bekrar.

Since the developers of vBulletin were silent, IS expert Nick Cano promptly prepared an unofficial patch for this bug. To use it, just edit includes/vb5/frontend/controller/bbcode.php accordingly.

Finally, on the evening of September 25, vBulletin developers broke silence and announced the release of a patch for vBulletin version 5.5.X. The vulnerability was assigned the identifier CVE-2019-16759.