vBulletin 5.x 0day pre-auth RCE exploit

Kevin

Oooh, something shiny!
Joined
Jul 13, 2004
Messages
3,402
Should I be surprised or not that it looks like vB is not responding to this :cautious:, that customers are coming up with an emergency patch on their own, and that the best advice at the moment is to turn off your site?*

Public thread: https://forum.vbulletin.com/forum/vbulletin-5-connect/vbulletin-5-connect-questions-problems-troubleshooting/vbulletin-5-support-issues-questions/4422616-important-vb5-remote-exploit-in-the-wild

Customer thread: https://forum.vbulletin.com/forum/vbulletin-sales-and-feedback/licensed-customer-feedback/4422608-vb-zero-day



* = Hah, I already know the answer to that question! :LOL:
 

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
331
Also for those of you who are using vBulletin, I would strongly recommend going to DEF CON 1/RED ALERT. Raise Shields. Arm Torpedoes. Batten down hatches.

Take your forums firmly offline, get incident response firms to start erecting super high defenses, have them check your servers over with a very fine tooth comb, NGAV. Firewalls and WAFs are not going to cut it.

Adversaries are actively exploiting this flaw and planting web shells and other backdoors into your environment. The 0day gives Remote Command Execution - which means they can run commands remotely and install files, and access files on your server. Depending on how your server is configured, it means potentially EVERYTHING could be exposed, usernames, password hashes, database creds, etc.
 

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
331
Should I be surprised or not that it looks like vB is not responding to this :cautious:, that customers are coming up with an emergency patch on their own, and that the best advice at the moment is to turn off your site?*

Public thread: https://forum.vbulletin.com/forum/vbulletin-5-connect/vbulletin-5-connect-questions-problems-troubleshooting/vbulletin-5-support-issues-questions/4422616-important-vb5-remote-exploit-in-the-wild

Customer thread: https://forum.vbulletin.com/forum/vbulletin-sales-and-feedback/licensed-customer-feedback/4422608-vb-zero-day



* = Hah, I already know the answer to that question! :LOL:
FYI - Wayne closed both threads... o_O
 

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
331
For those of you who believe you're compromised or if you want to be somewhat preventative, feel free to DM me to see how we could raise some shields and see about properly cleaning your server.
 

Joel R

Fan
Joined
Nov 24, 2013
Messages
738
I'd be curious to see how the security / development team responds to the information.

How a company responds speaks volumes as to their overall business practice of engaging w/ disengaging with the community of their clients.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,371
I'd be curious to see how the security / development team responds to the information.

How a company responds speaks volumes as to their overall business practice of engaging w/ disengaging with the community of their clients.
Knowing them it will take lots of time to get a patch going. Until some hacker has the smart idea of hacking the servers of vBulletin.
 

Karll

Adherent
Joined
Dec 9, 2011
Messages
408
The Percona Forum was affected - I assume this is the same 0-day vulnernability:

https://www.percona.com/blog/2019/09/25/incident-involving-percona-forums-on-september-24-2019/

(Percona is a very prominent provider of support, consulting, managed services, training and software for open-source / source-available database systems such as MySQL, MariaDB, PostgreSQL and MongoDB. You may have heard of e.g. Percona Server for MySQL, the Xtrabackup tool for database backup, PMM or the Percona Toolkit.)
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,322
At what point does a software company get big enough or have enough customers relying on their software that it becomes their responsibility to pay professional pen testers and security researchers to stress their code?

If researchers were were selling it and Zerodium customers were aware of it for as long as three years, surely they could have detected this far earlier if they were more proactive with their security practices?
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,846
A 0-day for vBulletin 5.x which has been circulating among hackers for (checks notes) ... 3 years:
I don't get it:
Anonymous researcher drops vBulletin zero-day impacting tens of thousands of sites
New zero-day could trigger a new forum hacking spree across the internet.


By Catalin Cimpanu for Zero Day | September 24, 2019 -- 21:26 GMT (07:26 AEST) | Topic: Security
Is it 3 years new(well, 3 years old) or has it been discovered recently?
 

Karll

Adherent
Joined
Dec 9, 2011
Messages
408
I don't get it:


Is it 3 years new(well, 3 years old) or has it been discovered recently?
My understanding was that it has been patched recently, but that this vulnerability had been known about "in the wild" for 3 years.
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,846
My understanding was that it has been patched recently, but that this vulnerability had been known about "in the wild" for 3 years.
My understanding was after reading the article that it's NEW.
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,217
Zerodium isn't "in the wild." It is uber expensive private, tightly guarded community that does not leak the exploits they know about because doing so will mean immediate patching like we saw yesterday. For 99.99% of the world it was new.
 

feldon30

Adherent
Joined
Jun 7, 2013
Messages
431
My understanding was after reading the article that it's NEW.
Then reread it. This is an exploit which hackers (and customers of Zerodium) have been able to use for the last 3 years. What's changed is, the exploit became publicly known and vbulletin has patched it. I do think vbulletin owes an apology to people who have claimed to get hacked and gotten a flat denial from them. Now we know there has been a way for talented hackers or people with money to get into any vB5 site for years.
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,217
Then reread it. This is an exploit which hackers (and customers of Zerodium) have been able to use for the last 3 years. What's changed is, the exploit became publicly known and vbulletin has patched it. I do think vbulletin owes an apology to people who have claimed to get hacked and gotten a flat denial from them. Now we know there has been a way for talented hackers or people with money to get into any vB5 site for years.
News flash- there has always AND WILL ALWAYS be a way for talented hackers and people with money to get into anything be it from a vBulletin exploit, a PHP exploit, or an OS exploit- all of which sites like Zeordium collect.

Also, as far as I know, vBulletin has never told anyone they didn't get hacked because of vBulletin... That said it still remains likely that most, if not every, site that noticed they were hacked in recent years (prior to 2 or 3 days ago) wasn't due to this. Frankly it was too valuable an exploit to do something like insert spam or deface a page and risk it becoming known.

Above is of course my OPINION as most anything I write here is unless otherwise stated.
 
Top