A security researcher has posted details and proof-of-thought exploit code for a zero-working day vulnerability in vBulletin, one of present day most well-liked discussion board program.
The zero-day is a bypass for a patch from a prior vBulletin zero-working day — particularly CVE-2019-16759, disclosed in September 2019.
The former zero-working day authorized attackers to exploit a bug in the vBulletin template system to operate malicious code and get above forums without needing to authenticate on the target internet sites (a form of bug known as a pre-auth RCE).
CVE-2019-16759 was disclosed on September 24, 2019, and a patch was furnished the subsequent day, on September 25.
New zero-day bypasses CVE-2019-16759 patch
However, in a web site post released late Sunday night time, Austin-centered protection researcher Amir Etemadieh explained the CVE-2019-16759 “was insufficient in blocking exploitation.”
The researcher mentioned he located a basic way to bypass the patch and carry on to exploit the exact CVE-2019-16759 vulnerability, and released a few evidence-of-concepts in Bash, Python, and Ruby, to verify his issue.
Etemadieh instructed ZDNet he did not call and notify the vBulletin workforce ahead of likely community with his results. MH Sub I, LLC, the corporation that commercializes the vBulletin discussion board software, has not returned a request for comment.
Forums are a widespread goal for hackers
Either way, the new zero-day code is dwell and has been broadly shared on social media web-sites like Reddit and Twitter, and within hacking communities hosted on personal forums and Discord channels.
The publication of the September 2019 zero-day triggered a enormous wave of vBulletin hacks previous yr, resulting in quite a few companies disclosing safety breaches around the next months.
Community forums, in standard, are some of the most sought following internet systems to hack. The explanation why hackers place a primer on community forums has to do with their function and the data they can steal.
As opposed to most information management devices like WordPress, Drupal, or Joomla, on the web community forums like vBulletin are designed for the sole and key reason of managing on the internet communities, and, as a end result, keep massive quantities of personalized knowledge.
A WordPress site may perhaps be applied to operate a wedding day planner’s or a lawyer’s office environment website, but even the lowliest and unimportant community forums have thousands of registered person profiles holding sensitive person aspects, along with person posts, own messages, and at times even economical data, if the boards have pay out-to-accessibility characteristics.
On the other hand, even if Etemadieh didn’t make it clear if he notified the vBulletin group about his plans to expose a zero-working day, the researcher suggests forum owners can avoid exploitation by earning the pursuing modifications to their discussion board configurations.
- Go to the vBulletin administrator management panel.
- Simply click “Options” in the menu on the left, then “Solutions” in the dropdown.
- Choose “Basic Configurations” and then click on “Edit Configurations”
- Search for “Disable PHP, Static HTML, and Ad Module rendering”, Established to “Of course”
- Click on “Save”
At the time of producing, at minimum one discussion board was confirmed to have been hacked employing this new zero-working day, the discussion board of the DEF CON safety conference, which just just lately concluded over the weekend.
Up-to-date at 19:30 ET to increase that the vBulletin group has released a patch. MITRE has assigned this new zero-working day the identifier of CVE-2020-17496.