The researcher Amir Etemadieh has published technical details and proof-of-concept exploit code for a zero-day remote code execution vulnerability in vBulletin, the popular forum software.
The new vulnerability is a bypass for a the security patch released by a vBulletin for the CVE-2019-16759 flaw, disclosed in September 2019.
The previous vulnerability could be exploited remotely by an unauthenticated attacker. The PoC exploit published by the hacker works on vBulletin versions 5.0.0 till the latest 5.5.4.
The flaw resides in the way an internal widget file of the forum software package accepts configurations via the URL parameters. The expert discovered that the package fails to validate the parameters, an attacker could exploit it to inject commands and remotely execute code on the vulnerable install.
The CVE-2019-16759 flaw was publicly disclosed on September 24, 2019, the maintainer of the vBulletin CMS released the security patch on September, 25.
Now the researcher Amir Etemadieh explained that the patch initially released did no completely fix the issue.
“Today, we’re going to talk about how the patch that was supplied for the vulnerability was inadequate in blocking exploitation, show how to bypass the resulting fix, and releasing a bash one-liner resulting in remote code execution in the latest vBulletin software.” reads a blog post published by Etemadieh.
The experts found a trivial way to bypass the patch, it released three three proof-of-concept exploits in Bash, Python, and Ruby
Etemadieh did not report the issue to the vBulletin team before the public disclosure of the flaw.
The exploit code is rapidly circulating on social media and inside hacking forums, for this reason, experts fear that threat actors will start using it in massive attacks.
The vBulletin team has already released a security patch to address this new zero-day vulnerability, anyway forum owners can also apply the following short term fix:
At the time of publishing, at least one vBulletin-based forum has been hacked using this new zero-day, it is the site of the popular DEF CON security conference.
(SecurityAffairs – hacking, vBulletin)