vBulletin 5.x 0day pre-auth RCE exploit

[ManagerJosh]

New 0Day just got dropped for vBulletin 5.x. It's believed that it impacts all versions from
vBulletin 5.0.0 till 5.5.4.

https://www.zdnet.com/article/anonymous-researcher-drops-vbulletin-zero-day-impacting-tens-of-thousands-of-sites/

https://thehackernews.com/2019/09/vbulletin-zero-day-exploit.html

 

[Kevin]

Should I be surprised or not that it looks like vB is not responding to this , that customers are coming up with an emergency patch on their own, and that the best advice at the moment is to turn off your site?*

Public thread: https://forum.vbulletin.com/forum/vbulletin-5-connect/vbulletin-5-connect-questions-problems-troubleshooting/vbulletin-5-support-issues-questions/4422616-important-vb5-remote-exploit-in-the-wild

Customer thread: https://forum.vbulletin.com/forum/vbulletin-sales-and-feedback/licensed-customer-feedback/4422608-vb-zero-day



* = Hah, I already know the answer to that question!

 

[ManagerJosh]

Also for those of you who are using vBulletin, I would strongly recommend going to DEF CON 1/RED ALERT. Raise Shields. Arm Torpedoes. Batten down hatches.

Take your forums firmly offline, get incident response firms to start erecting super high defenses, have them check your servers over with a very fine tooth comb, NGAV. Firewalls and WAFs are not going to cut it.

Adversaries are actively exploiting this flaw and planting web shells and other backdoors into your environment. The 0day gives Remote Command Execution - which means they can run commands remotely and install files, and access files on your server. Depending on how your server is configured, it means potentially EVERYTHING could be exposed, usernames, password hashes, database creds, etc.

 

[ManagerJosh]

Should I be surprised or not that it looks like vB is not responding to this , that customers are coming up with an emergency patch on their own, and that the best advice at the moment is to turn off your site?*

Public thread: https://forum.vbulletin.com/forum/vbulletin-5-connect/vbulletin-5-connect-questions-problems-troubleshooting/vbulletin-5-support-issues-questions/4422616-important-vb5-remote-exploit-in-the-wild

Customer thread: https://forum.vbulletin.com/forum/vbulletin-sales-and-feedback/licensed-customer-feedback/4422608-vb-zero-day



* = Hah, I already know the answer to that question!

FYI - Wayne closed both threads...

 

[Kevin]

FYI - Wayne closed both threads...

And moved the public thread to the closed off customer forum.

"Quick, brush it under the rug, maybe nobody will notice!"

 

[ManagerJosh]

For those of you who believe you're compromised or if you want to be somewhat preventative, feel free to DM me to see how we could raise some shields and see about properly cleaning your server.

 

[Joel R]

I'd be curious to see how the security / development team responds to the information.

How a company responds speaks volumes as to their overall business practice of engaging w/ disengaging with the community of their clients.

 

[we_are_borg]

I'd be curious to see how the security / development team responds to the information.

How a company responds speaks volumes as to their overall business practice of engaging w/ disengaging with the community of their clients.

Knowing them it will take lots of time to get a patch going. Until some hacker has the smart idea of hacking the servers of vBulletin.

 

[Alfa1]

A patch is available here:
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-53-and-5-5-4

 

[doubt]

New 0Day just got dropped for vBulletin 5.x. It's believed that it impacts all versions from
vBulletin 5.0.0 till 5.5.4.

Strange that they found it only now.

 

[Karll]

The Percona Forum was affected - I assume this is the same 0-day vulnernability:

https://www.percona.com/blog/2019/09/25/incident-involving-percona-forums-on-september-24-2019/

(Percona is a very prominent provider of support, consulting, managed services, training and software for open-source / source-available database systems such as MySQL, MariaDB, PostgreSQL and MongoDB. You may have heard of e.g. Percona Server for MySQL, the Xtrabackup tool for database backup, PMM or the Percona Toolkit.)

 

[feldon30]

A 0-day for vBulletin 5.x which has been circulating among hackers for (checks notes) ... 3 years:
https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/

 

[ManagerJosh]

A 0-day for vBulletin 5.x which has been circulating among hackers for (checks notes) ... 3 years:
https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/

My God. Three years! This only reinforces the point they don't know what they are doing!

 

[R0binHood]

At what point does a software company get big enough or have enough customers relying on their software that it becomes their responsibility to pay professional pen testers and security researchers to stress their code?

If researchers were were selling it and Zerodium customers were aware of it for as long as three years, surely they could have detected this far earlier if they were more proactive with their security practices?

 

[doubt]

A 0-day for vBulletin 5.x which has been circulating among hackers for (checks notes) ... 3 years:

I don't get it:

Anonymous researcher drops vBulletin zero-day impacting tens of thousands of sites
New zero-day could trigger a new forum hacking spree across the internet.


By Catalin Cimpanu for Zero Day | September 24, 2019 -- 21:26 GMT (07:26 AEST) | Topic: Security

Is it 3 years new(well, 3 years old) or has it been discovered recently?

 

[Karll]

I don't get it:


Is it 3 years new(well, 3 years old) or has it been discovered recently?

My understanding was that it has been patched recently, but that this vulnerability had been known about "in the wild" for 3 years.

 

[doubt]

My understanding was that it has been patched recently, but that this vulnerability had been known about "in the wild" for 3 years.

My understanding was after reading the article that it's NEW.

 

[BirdOPrey5]

Zerodium isn't "in the wild." It is uber expensive private, tightly guarded community that does not leak the exploits they know about because doing so will mean immediate patching like we saw yesterday. For 99.99% of the world it was new.

 

[feldon30]

My understanding was after reading the article that it's NEW.

Then reread it. This is an exploit which hackers (and customers of Zerodium) have been able to use for the last 3 years. What's changed is, the exploit became publicly known and vbulletin has patched it. I do think vbulletin owes an apology to people who have claimed to get hacked and gotten a flat denial from them. Now we know there has been a way for talented hackers or people with money to get into any vB5 site for years.

 

[BirdOPrey5]

Then reread it. This is an exploit which hackers (and customers of Zerodium) have been able to use for the last 3 years. What's changed is, the exploit became publicly known and vbulletin has patched it. I do think vbulletin owes an apology to people who have claimed to get hacked and gotten a flat denial from them. Now we know there has been a way for talented hackers or people with money to get into any vB5 site for years.

News flash- there has always AND WILL ALWAYS be a way for talented hackers and people with money to get into anything be it from a vBulletin exploit, a PHP exploit, or an OS exploit- all of which sites like Zeordium collect.

Also, as far as I know, vBulletin has never told anyone they didn't get hacked because of vBulletin... That said it still remains likely that most, if not every, site that noticed they were hacked in recent years (prior to 2 or 3 days ago) wasn't due to this. Frankly it was too valuable an exploit to do something like insert spam or deface a page and risk it becoming known.

Above is of course my OPINION as most anything I write here is unless otherwise stated.