News

Developers released a patch for the 0-day bug in vBulletin, but it turned out that the vulnerability had been exploited for years.

Yesterday it was reported that a certain anonymous researcher published in the public domain details of the dangerous zero-day vulnerability in the vBulletin forum engine, as well as an exploit for it. Now it turned out that this vulnerability has been exploited for years.

The bug allows an attacker to execute shell commands on a vulnerable server. Moreover, an attacker just needs to use a simple HTTP POST request and does not need to have an account on the targeted forum, that is, the problem belongs to the unpleasant class of pre-authentication vulnerabilities.

“Essentially, any attack exploits a super simple command injection. An attacker sends the payload, vBulletin then runs the command, and it responds back to the attacker with whatever they asked for. If an attacker issues a shell command as part of the injection, vBulletin will run Linux commands on its host with whatever user permissions vBulletins’ system-level user account has access to”, — Ryan Seguin, a research engineer at Tenable, told.

Now on the GitHub arrived a more detailed description of the problem, and a script has also been published on the network to search for vulnerable servers. VBulletin users, in turn, have already begun reporting about attacks on their forums. Some even complain about the complete removal of the database with this bug.

Interestingly, after the publication of vulnerability data, the head of Zerodium, Chauki Bekrar, said on Twitter that his company and customers had been aware of this problem for three years, and exploits for it had long been sold on the black market.

“The recent vBulletin pre-auth RCE 0-day disclosed by a researcher on full-disclosure looks like a bugdoor, a perfect candidate for @PwnieAwards 2020. Easy to spot and exploit. Many researchers were selling this exploit for years. @Zerodium customers were aware of it since 3 years”, — wrote Chaouki Bekrar.

Since the developers of vBulletin were silent, IS expert Nick Cano promptly prepared an unofficial patch for this bug. To use it, just edit includes/vb5/frontend/controller/bbcode.php accordingly.

Finally, on the evening of September 25, vBulletin developers broke silence and announced the release of a patch for vBulletin version 5.5.X. The vulnerability was assigned the identifier CVE-2019-16759.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Adblockelite.xyz Pop-up Ads

About Adblockelite.xyz Adblockelite.xyz pop-ups can not open out of nowhere. If you have clicked some…

11 hours ago

Remove Appcloud-center.com Pop-up Ads

About Appcloud-center.com Appcloud-center.com pop-ups can not open out of nowhere. If you have actually clicked…

11 hours ago

Remove Groopheetex.com Pop-up Ads

About Groopheetex.com Groopheetex.com pop-ups can not expose out of nowhere. If you have clicked on…

11 hours ago

Remove Vidstreambox.com Pop-up Ads

About Vidstreambox.com Vidstreambox.com pop-ups can not expose out of the blue. If you have actually…

11 hours ago

Remove Mac-uptodate.com Pop-up Ads

About Mac-uptodate.com Mac-uptodate.com pop-ups can not introduce out of the blue. If you have actually…

11 hours ago

Remove Taffetlervers.com Pop-up Ads

About Taffetlervers.com Taffetlervers.com pop-ups can not expose out of the blue. If you have clicked…

11 hours ago