Anonymous researcher drops vBulletin zero-day impacting tens of thousands of sites

New zero-day could trigger a new forum hacking spree across the internet.
Written by Catalin Cimpanu, Contributor
Image: ZDNet

An anonymous security researcher has published details about a zero-day in vBulletin, today's most popular internet forum software.

Because of this individual's actions, security experts are now concerned that the publication of details about this unpatched vulnerability could trigger a wave of forum hacks across the internet, with hackers taking over forum installations and stealing user information in bulk, as a result.

Zero-day details

According to an analysis of the published code, the zero-day allows an attacker to execute shell commands on the server running a vBulletin installation. The attacker doesn't need to have an account on the targeted forum.

In infosec lingo, this is what security experts call a "pre-authentication remote code execution" vulnerability, one of the worst types of security flaws that can impact a web-based platform.

ZDNet confirmed that this zero-day works as advertised with two different sources.

Unclear if sabotage or failed disclosure

Details about this zero-day have been published on Full Disclosure, a public access mailing list.

It is not uncommon for security researchers to release details about unpatched security flaws when vendors fail to patch a vulnerability that's been privately reported.

However, at the time of writing, it is unclear if the anonymous researcher reported the vulnerability to the vBulletin team, or if the vBulletin team failed to address this issue in a timely manner, prompting the researcher to go public as a result.

MH Sub I, LLC, the company that commercializes the vBulletin forum software, has not returned a request for comment.

In addition, this could also be an act of intentional malice or sabotage, with the anonymous researcher dropping a zero-day just to hurt a company's reputation and put its customers at risk.

The researcher published details about this zero-day from an anonymous email service, without revealing their actual email address, so ZDNet wasn't able to reach out for additional details.

Tens of thousands of vulnerable forums

Despite being a commercial product, vBulletin is today's most popular web forum software package, with a larger market share than open-source solutions like phpBB, XenForo, Simple Machines Forum, MyBB, and others.

According to W3Techs, around 0.1% of all internet sites run a vBulletin forum. The percentage looks small, but it actually impacts billions of internet users.

This is because, by their nature, forums are designed to collect user information about registered users. While billions of internet sites don't store any info about users, a handful of online forums could very easily store data on most internet users. Therefore, a market share of 0.1% is actually pretty significant, when we factor in how many users could be registered on these forums.

Google dorks reveal that there are tens of thousands of vBulletin forums running across the internet, as self-hosted installations, or running on vBulletin's hosting infrastructure. On its website, vBulletin lists some pretty big names as customers, such as Steam, EA, Zynga, NASA, Sony, BodyBuilding.com, the Houston Texans, and the Denver Broncos.

The only good news is that this zero-day only works against vBulletin 5.x forum versions. Forums running earlier versions are safe, if running up-to-date security patches.

Zerodium, a company that buys exploits in web-based software to resell to law enforcement agencies, lists vBulletin remote code execution vulnerabilities in its exploit acquisition program.

This is because many dark web forums, such as those peddling criminal services, malware, or child abuse images, often run on vBulletin forums -- and these types of exploits could grant law enforcement agencies access to these illegal forums.

According to the company's price chart, this type of pre-auth RCE could have gotten the anonymous researcher up to $10,000 in cash rewards, if he only would have contacted the company instead of publishing the exploit online and putting everyone's forum data at risk.

Updated on September 25, 04:00am ET, to add that since this article's publication, security researchers have released an unofficial patch, a script to detect vulnerable vBulletin servers across the internet, and a more in-depth analysis of the vulnerability.

Updated on September 25, 07:15pm ET, to add that the vBulletin team has released a patch for this vulnerability, which is now tracked under the CVE-2019-16759. ZDNet has also confirmed with Bad Packets, BinaryEdge, and GeryNoise that hackers are now actively using this vulnerability to attack vulnerable forums.

HackerOne's top 20 public bug bounty programs

Editorial standards