Two Critical 0-Day Remote Exploits for vBulletin Forum Disclosed Publicly (Version 5)

Discussion in 'vBulletin' started by H-DB, Dec 18, 2017.

  1. H-DB

    H-DB Participant

  2. zappaDPJ

    zappaDPJ Administrator

  3. highlander29

    highlander29 Enthusiast

    What the heck?

    "The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims, it tried to contact vBulletin since November 21, 2017, but received no response from the company."
     
  4. Belazor

    Belazor DragonByte Technologies Programming Director

  5. zappaDPJ

    zappaDPJ Administrator

    That's what vBulletin support are claiming, but the report linked in the OP states:

    The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims, it tried to contact vBulletin since November 21, 2017, but received no response from the company.
     
  6. Belazor

    Belazor DragonByte Technologies Programming Director

    True, but in this case I see no reason to believe the original report over vB Support as I do not know anything about the person or persons behind Beyond Security. Benefit of the doubt and all that :)

    So I chose to write my post in the most favourable light for IB, which is still pretty bad.
     
  7. Alfa1

    Alfa1 Moderator

    I remember a similar thing happened with previous major security exploits: vB only patched after publication of the zero-day. IIRC it was in 2015 when a wave of forums got hacked. This was one reason why I left vBulletin. I really didn't feel comfortable that vBulletin had my back. On the contrary.
     
  8. WD

    WD Enthusiast

    Damn I just heard about this. I wanted to roast vBulletin again. I see they're still idiots and don't care about customers. Let's hope IB gets sued by outraged vB customers.


    BirdOPrey5, you still work at vB? Can a fix be expected before Christmas? Or are the muppets in charge awaiting the site to be hacked for the millionth time? Or are they just rolling in cash while not caring still?
     
  9. MarkFL

    MarkFL La Villa Strangiato

  10. Paul M

    Paul M Dr Pepper Addict

    I see all the usual nonsense in this thread.
    Unless you know how vB processes work, you have no basis to make comments like "they're still idiots and don't care about customers".

    Anyone can claim they tried to make contact, I could open my window and shout out of it at vB support and claim "I tried to make contact".

    Once an exploit has actually been reported, it requires time to investigate it, replicate it, decide how to fix it (without breaking anything else, or introducing more issues) then it has to be tested, it has to be back ported to at least 3 previous versions, tested on them as well, and then all the work to actually package it up and release it.

    Anyone who thinks this is a five minute job is utterly clueless.

    (And no, I don't have any particular love for IB anymore; I just cannot abide people making uninformed, attacking comments.)
     
  11. VICE

    VICE tool

    This has been on my mind since the first time I read this thread. It's amazing that even after two million years have passed, some people are still hating IB so much that their hatred completely impairs their reasoning. It's also not surprising that most of these remnant haters happen to be third-party developers, whilst the actual former customers moved on a long time ago.

    But what does "tried to contact" actually mean here? Was it a responsible disclosure? Was there any monetary demand? What caused the "no response" from IB? These are the questions that interest me the most instead of the typical IB bashing circle-jerk.
     
    Last edited: Dec 20, 2017
  12. Alfa1

    Alfa1 Moderator

  13. I A 1

    I A 1 Participant

    Viewing Who's Online today, I noticed several guests trying to access something like the following:
    Code:
    https://www.domain.com/index.php?id=1%27%7C%7C%28SELECT%20%27ayRR%27%20WHERE%209663%3D9663%20OR%20EXP%28%7E%28SELECT%20%2A%20FROM%20%28SELECT%20CONCAT%280x7171627a71%2C%28SELECT%20%28ELT%281334%3D1334%2C1%29%29%29%2C0x71627a6a71%2C0x78%29%29x%29%29%29%7C%7C%27
    
    Was that related to this exploit? I am running vB4.
     
  14. Ryan Ashbrook

    Ryan Ashbrook IPS Developer

    Not likely. Oftentimes, people will issue bots that make basic attempts at blind SQL injections, so that is what you're likely seeing. I would look into the IP address of the user and ban them at the server level if they seem suspicious.
     
  15. I A 1

    I A 1 Participant

    I found multiple IP addresses trying to make similar attacks at the same time. It doesn't seem practical to block so many IPs. What else can be done to block such attacks?
     
  16. doubt

    doubt Tazmanian

    Question & Answer for registration.
     
  17. LeadCrow

    LeadCrow Apocalypse Admin

    You could start with your webhost's web firewall, since it will be a supported solution (like Imunify360).

    Cloudflare can block a lot of malicious traffic and mitigate the performance loss from bots visiting or DDoSing your site. It's a handy first defense.
     
  18. I A 1

    I A 1 Participant

    They don't register.

    I am on a self-managed VPS, so I am all on my own. I am not using Cloudflare either.

    So far I have tried using iptables with the following rule, but it seems this doesn't block them out.
    Code:
    iptables -I INPUT -p tcp --dport 443 -m string --to 170 --algo bm --string 'GET /index.php/?id=1' -j DROP
    Tried adding another rule for port 80 with no luck. I got this from the tutorial here: https://blog.nintechnet.com/how-to-...s-dfind-and-other-web-vulnerability-scanners/


    Any security expert here who can help?
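The probe quoted a few posts up and the "what else can be done" question are both answered best where the request is actually visible: an iptables string match on port 443 only ever sees TLS ciphertext, while the web server's access log holds the decoded request. The script below is an added example, not code from the thread or from vBulletin; it URL-decodes request paths from constructed combined-format log lines, flags the probe shapes seen in the thread (quote break into a SELECT, EXP(~(SELECT, CONCAT with hex markers, ELT(n=n), SLEEP/BENCHMARK), counts hits per client IP and emits server-level block commands (the ipset name `sqli_probes` is an assumption).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx combined format), not taken from
# the thread. The first line mirrors the decoded shape of the probe quoted above.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Dec/2017:10:01:02 +0000] "GET /index.php?id=1%27%7C%7C%28SELECT%20%27ayRR%27%20WHERE%209663%3D9663%20OR%20EXP%28%7E%28SELECT%20%2A%20FROM%20%28SELECT%20CONCAT%280x7171627a71%2C1%29%29x%29%29%29%7C%7C%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Dec/2017:10:01:03 +0000] "GET /index.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2017:10:01:04 +0000] "GET /index.php?id=1%27%20AND%20%28SELECT%20ELT%281334%3D1334%2C1%29%29 HTTP/1.1" 200 512 "-" "curl/7.5"
192.0.2.9 - - [21/Dec/2017:10:01:05 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

# Applied to the URL-decoded, lowercased request path. Each pattern targets one
# probe technique rather than a single keyword, to keep false positives low.
SQLI_PATTERNS = [
    re.compile(r"'\s*(\|\||or|and)\s*\(?\s*select\b"),  # quote break followed by a SELECT
    re.compile(r"\bexp\(\s*~\s*\(\s*select\b"),          # EXP(~(SELECT ... error-based probe
    re.compile(r"\bconcat\(\s*0x[0-9a-f]{6,}"),           # CONCAT with hex marker string
    re.compile(r"\belt\(\s*\d+\s*=\s*\d+"),               # ELT(n=n, ...) boolean probe
    re.compile(r"\b(sleep|benchmark)\(\s*\d+"),            # time-based probe
]

def matched_patterns(path):
    """Return the patterns a single request path trips (empty list if clean)."""
    decoded = unquote(path).lower()
    return [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]

def suspicious_hits(log_text):
    """Return {client_ip: number_of_probe_requests} over the given log text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and matched_patterns(m.group("path")):
            hits[m.group("ip")] += 1
    return hits

def block_commands(hits, threshold=1):
    """Server-level block commands for IPs at or over threshold (set name assumed)."""
    return [f"ipset add sqli_probes {ip}" for ip, n in sorted(hits.items()) if n >= threshold]

if __name__ == "__main__":
    for cmd in block_commands(suspicious_hits(SAMPLE_LOG), threshold=2):
        print(cmd)
```

Run it against the real log (e.g. `tail -F` piped into `suspicious_hits`) and raise the threshold to taste; the probes never stop, so the value of this is cheap auto-blocking rather than chasing single IPs by hand.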
     
  19. Alfa1

    Alfa1 Moderator

    My site is under attack almost any day of the year, so here are my suggestions based upon my experience with vBulletin:
    Aside from LeadCrow's excellent suggestion to add Cloudflare, consider installing these addons:
    vB Bad Behavior to automatically block bad users and bots. It saved my ass many times.
    vBSecurity so that you can add many levels of protection (2FA) and get alerted about anything suspect.

    Also block IP ranges at server level.

    LiteSpeed Web Server may be an idea as it offers a good set of security settings to automatically ban suspect users. I was always very happy with it when running vBulletin.

    And of course add directory passwords through .htaccess for anything that needs to be secured, especially admincp and modcp.
     
  20. Paul M

    Paul M Dr Pepper Addict

    What actual issue are they causing you?

    You can never stop attempted attacks, unless you block everyone's access, which would be rather pointless.

    At the end of the day, they are not actually getting anywhere, just loading a few useless pages.
    You should consider whether spending all this time and effort trying to block them is really worth it.
     