This article originally appeared in SC Magazine on September 25, 2019.
The vBulletin internet forum software package reportedly contains a critical zero-day remote code execution vulnerability that attackers have been actively exploiting, possibly as far back as three years ago.
Multiple news organizations are reporting that a researcher studying the well-known forum software published a pre-auth RCE exploit for the bug on vBulletin’s Full Disclosure security mailing list. The exploit is very trivial to execute, and requires fewer than 20 lines of Python code.
The disclosure last Monday reportedly resulted in a wave of new exploit attempts against the software. Apparently, however, some researchers have been selling this exploit for roughly three years already, according to BleepingComputer, citing a Sept. 25 tweet from Cahouki Bekrar, CEO of exploit acquisition company Zerodium.
“The recent vBulletin pre-auth RCE 0day disclosed by a researcher on full-disclosure looks like a bugdoor… Easy to spot and exploit. Many researchers were selling this exploit for years, Bekra’s tweet stated.
The zero-day bug works on all versions of the software from 5.0.0 through 5.5.4.
Users on vBulletin’s own online forum have been discussing the vulnerability since it went public. Some customers griped that since the disclosure they have been experiencing exploit attacks. One vBulletin user said his or her organization’s entire MySQL database was deleted. Another said attackers were starting to install PHP web shells.
As of Sept. 24, vBulletin has not yet issued a fix. However, BleepingComputer reported that security researcher Nick Cano created an easy patch. SC Media has reached out to vBulletin developer MH Sub I, LLC for comment.
“This critical RCE vulnerability is surprisingly simple to exploit, and sadly very few web application firewalls (WAF) will block its exploitation,” added Ilia Kolochenko, founder and CEO of ImmuniWeb. “These days security flaws exploitable in a default configuration and without authentication are very rare in such well-establish web software. We should expect a tornado of automated hacking and web server backdooring campaigns to start now.”
“Website owners running the vulnerable versions should urgently shut down their vBulletin forums completely while the vendor is working on an emergency patch,” Kolochenko continued.
“It was just a matter of time before bad actors fixed their crosshairs on forums – rich storehouses of user information,” said Mike Bittner, associate director of digital security and operations at The Media Trust, in emailed comments. Forum software vendors, Bittner continued, too often collect information on users without site owners’ authorization, while failing to equip their products with the needed security and privacy protections…”
“In an environment where bad actors are always looking out for vulnerabilities they can exploit or well-intentioned products like vBulletin they can abuse, site owners will need to close the security gaps themselves, ideally by carefully vetting their vendors and ensuring those vendors observe digital policies,” Bittner continued.