The bug allows an attacker to execute shell commands on a vulnerable server. Moreover, an attacker just needs to use a simple HTTP POST request and does not need to have an account on the targeted forum, that is, the problem belongs to the unpleasant class of pre-authentication vulnerabilities.
“Essentially, any attack exploits a super simple command injection. An attacker sends the payload, vBulletin then runs the command, and it responds back to the attacker with whatever they asked for. If an attacker issues a shell command as part of the injection, vBulletin will run Linux commands on its host with whatever user permissions vBulletins’ system-level user account has access to”, — Ryan Seguin, a research engineer at Tenable, told.
Now on the GitHub arrived a more detailed description of the problem, and a script has also been published on the network to search for vulnerable servers. VBulletin users, in turn, have already begun reporting about attacks on their forums. Some even complain about the complete removal of the database with this bug.
Interestingly, after the publication of vulnerability data, the head of Zerodium, Chauki Bekrar, said on Twitter that his company and customers had been aware of this problem for three years, and exploits for it had long been sold on the black market.
“The recent vBulletin pre-auth RCE 0-day disclosed by a researcher on full-disclosure looks like a bugdoor, a perfect candidate for @PwnieAwards 2020. Easy to spot and exploit. Many researchers were selling this exploit for years. @Zerodium customers were aware of it since 3 years”, — wrote Chaouki Bekrar.
Since the developers of vBulletin were silent, IS expert Nick Cano promptly prepared an unofficial patch for this bug. To use it, just edit includes/vb5/frontend/controller/bbcode.php accordingly.
Finally, on the evening of September 25, vBulletin developers broke silence and announced the release of a patch for vBulletin version 5.5.X. The vulnerability was assigned the identifier CVE-2019-16759.
About News-bpudepi.today News-bpudepi.today pop-ups can not launch out of the blue. If you have actually…
About Doguhtam.xyz Doguhtam.xyz pop-ups can not expose out of nowhere. If you have clicked some…
About News-xlixoti.com News-xlixoti.com pop-ups can not introduce out of nowhere. If you have actually clicked…
About Ducesousightion.com Ducesousightion.com pop-ups can not introduce out of the blue. If you have actually…
About News-xlabica.live News-xlabica.live pop-ups can not launch out of the blue. If you have actually…
About Mergechain.co.in Mergechain.co.in pop-ups can not expose out of the blue. If you have clicked…