[Unpatched] vBulletin 5.x 0day pre-auth RCE exploit

Discussion in 'vBulletin' started by ManagerJosh, Sep 25, 2019.

  1. ManagerJosh

    ManagerJosh Adherent

    324
    105
    +127
  2. Kevin

    Kevin Oooh, something shiny!

    3,337
    912
    +1,212
  3. ManagerJosh

    ManagerJosh Adherent

    324
    105
    +127
    Also for those of you who are using vBulletin, I would strongly recommend going to DEF CON 1/RED ALERT. Raise Shields. Arm Torpedoes. Batten down hatches.

    Take your forums firmly offline, get incident response firms to start erecting super high defenses, have them check your servers over with a very fine tooth comb, NGAV. Firewalls and WAFs are not going to cut it.

    Adversaries are actively exploiting this flaw and planting web shells and other backdoors into your environment. The 0day gives Remote Command Execution - which means they can run commands remotely and install files, and access files on your server. Depending on how your server is configured, it means potentially EVERYTHING could be exposed, usernames, password hashes, database creds, etc.
     
  4. ManagerJosh

    ManagerJosh Adherent

    324
    105
    +127
    FYI - Wayne closed both threads... o_O
     
  5. Kevin

    Kevin Oooh, something shiny!

    3,337
    912
    +1,212
    And moved the public thread to the closed off customer forum.

    "Quick, brush it under the rug, maybe nobody will notice!"
     
  6. ManagerJosh

    ManagerJosh Adherent

    324
    105
    +127
    For those of you who believe you're compromised or if you want to be somewhat preventative, feel free to DM me to see how we could raise some shields and see about properly cleaning your server.
     
  7. Joel R

    Joel R Fan

    690
    257
    +731
    I'd be curious to see how the security / development team responds to the information.

    How a company responds speaks volumes as to their overall business practice of engaging w/ disengaging with the community of their clients.
     
  8. we_are_borg

    we_are_borg Administrator

    5,339
    1,417
    +2,115
    Knowing them it will take lots of time to get a patch going. Until some hacker has the smart idea of hacking the servers of vBulletin.
     
  9. Alfa1

    Alfa1 Administrator

    3,832
    1,702
    +2,692
  10. doubt

    doubt Tazmanian

    4,773
    562
    +2,054
    Strange that they found it only now.
     
  11. Karll

    Karll Adherent

    397
    167
    +170
    The Percona Forum was affected - I assume this is the same 0-day vulnerability:

    https://www.percona.com/blog/2019/09/25/incident-involving-percona-forums-on-september-24-2019/

    (Percona is a very prominent provider of support, consulting, managed services, training and software for open-source / source-available database systems such as MySQL, MariaDB, PostgreSQL and MongoDB. You may have heard of e.g. Percona Server for MySQL, the Xtrabackup tool for database backup, PMM or the Percona Toolkit.)
     
  12. feldon30

    feldon30 Adherent

    427
    172
    +428
  13. ManagerJosh

    ManagerJosh Adherent

    324
    105
    +127
  14. R0binHood

    R0binHood Habitué

    1,275
    432
    +1,004
    At what point does a software company get big enough or have enough customers relying on their software that it becomes their responsibility to pay professional pen testers and security researchers to stress their code?

    If researchers were selling it and Zerodium customers were aware of it for as long as three years, surely they could have detected this far earlier if they were more proactive with their security practices?
     
  15. doubt

    doubt Tazmanian

    4,773
    562
    +2,054
    I don't get it:
    Is it 3 years new (well, 3 years old) or has it been discovered recently?
     
  16. Karll

    Karll Adherent

    397
    167
    +170
    My understanding was that it has been patched recently, but that this vulnerability had been known about "in the wild" for 3 years.
     
  17. doubt

    doubt Tazmanian

    4,773
    562
    +2,054
    My understanding was after reading the article that it's NEW.
     
  18. BirdOPrey5

    BirdOPrey5 #Awesome

    4,208
    912
    +1,730
    Zerodium isn't "in the wild." It is an uber expensive, private, tightly guarded community that does not leak the exploits they know about, because doing so will mean immediate patching like we saw yesterday. For 99.99% of the world it was new.
     
  19. feldon30

    feldon30 Adherent

    427
    172
    +428
    Then reread it. This is an exploit which hackers (and customers of Zerodium) have been able to use for the last 3 years. What's changed is, the exploit became publicly known and vbulletin has patched it. I do think vbulletin owes an apology to people who have claimed to get hacked and gotten a flat denial from them. Now we know there has been a way for talented hackers or people with money to get into any vB5 site for years.
     
  20. BirdOPrey5

    BirdOPrey5 #Awesome

    4,208
    912
    +1,730
    News flash - there has always AND WILL ALWAYS be a way for talented hackers and people with money to get into anything, be it from a vBulletin exploit, a PHP exploit, or an OS exploit - all of which sites like Zerodium collect.

    Also, as far as I know, vBulletin has never told anyone they didn't get hacked because of vBulletin... That said it still remains likely that most, if not every, site that noticed they were hacked in recent years (prior to 2 or 3 days ago) wasn't due to this. Frankly it was too valuable an exploit to do something like insert spam or deface a page and risk it becoming known.

    Above is of course my OPINION as most anything I write here is unless otherwise stated.
     