vBulletin 5.x 0day pre-auth RCE exploit

Kevin

Oooh, something shiny!
Joined
Jul 13, 2004
Messages
3,451

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
344
Also for those of you who are using vBulletin, I would strongly recommend going to DEF CON 1/RED ALERT. Raise Shields. Arm Torpedoes. Batten down hatches.

Take your forums firmly offline, get incident response firms to start erecting super high defenses, have them check your servers over with a very fine-tooth comb, and deploy NGAV. Firewalls and WAFs are not going to cut it.

Adversaries are actively exploiting this flaw and planting web shells and other backdoors into your environment. The 0day gives Remote Command Execution - which means they can run commands remotely and install files, and access files on your server. Depending on how your server is configured, it means potentially EVERYTHING could be exposed, usernames, password hashes, database creds, etc.
 

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
344
Should I be surprised or not that it looks like vB is not responding to this :cautious:, that customers are coming up with an emergency patch on their own, and that the best advice at the moment is to turn off your site?*

Public thread: https://forum.vbulletin.com/forum/v...2616-important-vb5-remote-exploit-in-the-wild

Customer thread: https://forum.vbulletin.com/forum/v...icensed-customer-feedback/4422608-vb-zero-day



* = Hah, I already know the answer to that question! :LOL:
FYI - Wayne closed both threads... o_O
 

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
344
For those of you who believe you're compromised or if you want to be somewhat preventative, feel free to DM me to see how we could raise some shields and see about properly cleaning your server.
 

Joel R

Habitué
Joined
Nov 24, 2013
Messages
1,035
I'd be curious to see how the security / development team responds to the information.

How a company responds speaks volumes as to their overall business practice of engaging w/ disengaging with the community of their clients.
 

we_are_borg

Tazmanian
Joined
Jan 25, 2011
Messages
5,964
I'd be curious to see how the security / development team responds to the information.

How a company responds speaks volumes as to their overall business practice of engaging w/ disengaging with the community of their clients.

Knowing them it will take lots of time to get a patch going. Until some hacker has the smart idea of hacking the servers of vBulletin.
 

Karll

Adherent
Joined
Dec 9, 2011
Messages
452
The Percona Forum was affected - I assume this is the same 0-day vulnerability:

https://www.percona.com/blog/2019/09/25/incident-involving-percona-forums-on-september-24-2019/

(Percona is a very prominent provider of support, consulting, managed services, training and software for open-source / source-available database systems such as MySQL, MariaDB, PostgreSQL and MongoDB. You may have heard of e.g. Percona Server for MySQL, the Xtrabackup tool for database backup, PMM or the Percona Toolkit.)
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,606
At what point does a software company get big enough or have enough customers relying on their software that it becomes their responsibility to pay professional pen testers and security researchers to stress their code?

If researchers were selling it and Zerodium customers were aware of it for as long as three years, surely they could have detected this far earlier if they were more proactive with their security practices?
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,898
A 0-day for vBulletin 5.x which has been circulating among hackers for (checks notes) ... 3 years:

I don't get it:
Anonymous researcher drops vBulletin zero-day impacting tens of thousands of sites
New zero-day could trigger a new forum hacking spree across the internet.


By Catalin Cimpanu for Zero Day | September 24, 2019 -- 21:26 GMT (07:26 AEST) | Topic: Security

Is it 3 years new (well, 3 years old) or has it been discovered recently?
 

Karll

Adherent
Joined
Dec 9, 2011
Messages
452
I don't get it:


Is it 3 years new (well, 3 years old) or has it been discovered recently?
My understanding was that it has been patched recently, but that this vulnerability had been known about "in the wild" for 3 years.
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,898
My understanding was that it has been patched recently, but that this vulnerability had been known about "in the wild" for 3 years.
My understanding was after reading the article that it's NEW.
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,217
Zerodium isn't "in the wild." It is an uber-expensive, private, tightly guarded community that does not leak the exploits it knows about, because doing so would mean immediate patching, like we saw yesterday. For 99.99% of the world it was new.
 

feldon30

Fan
Joined
Jun 7, 2013
Messages
526
My understanding was after reading the article that it's NEW.
Then reread it. This is an exploit which hackers (and customers of Zerodium) have been able to use for the last 3 years. What's changed is, the exploit became publicly known and vbulletin has patched it. I do think vbulletin owes an apology to people who have claimed to get hacked and gotten a flat denial from them. Now we know there has been a way for talented hackers or people with money to get into any vB5 site for years.
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,217
Then reread it. This is an exploit which hackers (and customers of Zerodium) have been able to use for the last 3 years. What's changed is, the exploit became publicly known and vbulletin has patched it. I do think vbulletin owes an apology to people who have claimed to get hacked and gotten a flat denial from them. Now we know there has been a way for talented hackers or people with money to get into any vB5 site for years.

News flash - there has always AND WILL ALWAYS be a way for talented hackers and people with money to get into anything, be it from a vBulletin exploit, a PHP exploit, or an OS exploit - all of which sites like Zerodium collect.

Also, as far as I know, vBulletin has never told anyone they didn't get hacked because of vBulletin... That said it still remains likely that most, if not every, site that noticed they were hacked in recent years (prior to 2 or 3 days ago) wasn't due to this. Frankly it was too valuable an exploit to do something like insert spam or deface a page and risk it becoming known.

Above is of course my OPINION as most anything I write here is unless otherwise stated.
 