On Monday 23rd September 2019, a remote code execution (RCE) 0-day vulnerability was published by an anonymous security researcher on the full disclosure mailing list.
Note: vBulletin has patched the vulnerability on September 25 by releasing security patches. Nevertheless, not all websites have updated to the latest version.
This exploit permits hackers to carry out authentication-free RCE on the targeted origin server. In addition to the vBulletin vulnerability, ‘Google dorks’ which assist hackers in conducting passive reconnaissance to locate potentially vulnerable instances of the service in the wild were also disclosed.
This exploit affects all versions from 5.0.0 to 5.5.4.
This vulnerability permits any website visitors to execute PHP code and shell commands on the target site’s server.
The vulnerability occurs where URL parameters are shifted to a widget file inside the forum software. Such parameters are subsequently parsed on the server in the absence of any security checks. Therefore, the hacker may proceed to inject commands and remotely execute code on the targeted application server.
The exploit for this severe vulnerability permits the threat actor to produce a post request to the vulnerable instance of vBulletin, comprising the parameter “
In other words, this bug is due to the forum software’s widgets, which are rendered at runtime and employed to make dynamic widgets without needing to access the hosting server directly.
The security researcher discovered a method to force the website to render arbitrary widgets utilizing the ajax/render/widget_php path.
Given that the
Installing The NSE Script
A security researcher has released an NSE script on September 26 that not only scans and detects the vBulletin 5.x pre-auth RCE, but also exploits it, and produces a file on the vulnerable remote system.
1. Open a terminal in Linux. (You can install the NSE script in Kali Linux if you want.)
2. Start the cloning process and wait until it is done unpacking the objects.
3. Change the current working directory.
4. Copy the NSE script file.
Using The NSE Script With Nmap
Deploy the script using Nmap.
Examine The Results Of The NSE Script
Payloads Used With vBulletin Exploit
1. The hacker is deploying a payload which fundamentally alters the vulnerable snippet by inserting a password validation.
This serves as a method for hackers to retain access to websites they’ve compromised along with blocking other threat actors from getting inside.
From this moment on, the hacker may deploy his recently obtained website to achieve additional activities that will benefit them going forward.
2. The hacker is employing the shell_exec to utilize
3. The threat actor is possibly experimenting with the exploit by running the md5 function on a provided string.
In the event that the server returns the md5 hash, the exploit would have been successful.
4. The hacker is deploying the shell_exec function to run shell commands on the targeted server.
5. The hacker will utilize eval function, which is deployed to execute base64 decoded.
6. The threat actor is trying to read a remote file, proving that the server may run the hacker’s code.
7. The threat actor is leveraging the published exploit.