Security researcher publishes details and exploit code for a vBulletin zero-day

Proof-of-concept exploit code available in Bash, Python, and Ruby.


A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin, one of today's most popular forum software packages.

The zero-day is a bypass for a patch from a previous vBulletin zero-day — namely CVE-2019-16759, disclosed in September 2019.

The previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE).

CVE-2019-16759 was disclosed on September 24, 2019, and a patch was provided the next day, on September 25.

New zero-day bypasses CVE-2019-16759 patch

However, in a blog post published late Sunday night, Austin-based security researcher Amir Etemadieh said the CVE-2019-16759 patch "was inadequate in blocking exploitation."

The researcher said he found a simple way to bypass the patch and continue to exploit the same CVE-2019-16759 vulnerability, and published three proof-of-concepts in Bash, Python, and Ruby, to prove his point.

Etemadieh told ZDNet he did not contact and notify the vBulletin team before going public with his findings. MH Sub I, LLC, the company that commercializes the vBulletin forum software, has not returned a request for comment.

Forums are a common target for hackers

Either way, the new zero-day code is live and has been broadly shared on social media sites like Reddit and Twitter, and inside hacking communities hosted on private forums and Discord channels.

The publication of the September 2019 zero-day triggered a massive wave of vBulletin hacks last year, resulting in many companies disclosing security breaches over the following months.

Forums, in general, are some of the most sought-after web technologies to hack. The reason hackers put a premium on forums has to do with the forums' purpose and the data they hold.

Unlike most content management systems like WordPress, Drupal, or Joomla, online forums like vBulletin are built for the sole and primary purpose of managing online communities, and, as a result, hold large quantities of personal data.

A WordPress site may be used to run a wedding planner's or a lawyer's office website, but even the lowliest and most unimportant forums have thousands of registered user profiles holding sensitive user details, along with user posts, personal messages, and sometimes even financial information, if the forums have pay-to-access features.

However, even if Etemadieh didn't make it clear whether he notified the vBulletin team about his plans to reveal a zero-day, the researcher says forum owners can prevent exploitation by making the following modifications to their discussion board settings.

  1. Go to the vBulletin administrator control panel.
  2. Click "Settings" in the menu on the left, then "Options" in the dropdown.
  3. Choose "General Settings" and then click "Edit Settings".
  4. Look for "Disable PHP, Static HTML, and Ad Module rendering" and set it to "Yes".
  5. Click "Save".

At the time of writing, at least one forum was confirmed to have been hacked using this new zero-day, the forum of the DEF CON security conference, which just recently concluded over the weekend.

Updated at 19:30 ET to add that the vBulletin team has released a patch. MITRE has assigned this new zero-day the identifier of CVE-2020-17496.