[Unpatched] vBulletin 5.x 0day pre-auth RCE exploit

Discussion in 'vBulletin' started by ManagerJosh, Sep 25, 2019.

  1. Paul M

    Paul M Limeade Addict

    Umm, they did respond, by patching it.
    They only patched the last 3 versions though, not great for something affecting every 5.x version.

    It was only made public a couple of days ago. Like you, they don't have time machines to see into the future.

    Of course, this topic brought the usual anti IB/VB trolls out, with their expected trolling.
    The facts are simple, an exploit was made public, a patch was released (well within 2 days as far as I can tell).
     
  2. Kevin

    Kevin Oooh, something shiny!

    Umm, no, at the time I wrote that there was zero response from vB. For something to that scale there should have been some company response way sooner. Not necessarily an official patch but at least some kind of acknowledgement.

    Of course, this topic brought the usual vB apologists and Devil's Advocates, with their expected excuses.
    The facts are simple, an exploit was made public, a patch was released (well after customers were trying to figure it out on their own).
     
  3. Paul M

    Paul M Limeade Addict

    Of course, I forgot, you think patches are created by waving a magic wand, not that someone has to actually investigate the issue, write a patch, and test it to make sure it (a) works (b) does break anything else (across multiple versions). You should apply to join the vB team as you can obviously do this in minutes.
     
  4. Kevin

    Kevin Oooh, something shiny!

    Who said a patch? Acknowledging the issue and advising customers does not mean an immediate patch. But of course you know that already and, being able to read English, you can see clearly that I didn't say having a patch sooner than they did. But, obviously, for you that doesn't matter, since you seem to think that the eventual vB response was acceptable.
     
  5. Paul M

    Paul M Limeade Addict

    Correct.

    Well, almost .....
     
  6. Joel R

    Joel R Fan

    The private security market is always going to have advance notice of exploits. They have access to far more resources and technology and intelligence apparatuses, and to be honest I'd rather the NSA be at the forefront of hacking than ... some random Twitter user or the Chinese. (Sorry to any Chinese nationals!)

    A company can't totally control anything that isn't disclosed to them. What really matters is how they respond once they become aware, and I think how a company responds speaks volumes to their business practices. Do they hide the issue? Quietly release a patch? Or write a detailed and public diagnosis of what happened, how it happened, and what they're doing to prevent any future problems?

    I've always been super impressed with Cloudflare. They're famous for writing detailed blog posts that diagnose exactly what went wrong, how it went wrong, what steps they took to fix it, and what they will do to prevent future problems. As a casual user of their service, I could care less about the technical details. But the fact that they did such a deep introspective x-ray into their operations - and to do so in a public manner - gives me assurance and confidence as a paying customer that they truly did their due diligence. That is something I absolutely care about as a customer.

    Every company, organization, and yes, even forums, will inevitably face large embarrassing problems at one time or another. How you respond, self-analyze, and learn from these problems in an authentic manner helps your members, community, and customers tighten their trust in you during one of your most vulnerable moments.
     
  7. zappaDPJ

    zappaDPJ Administrator

    I think it's worth mentioning that anyone running vB 5.x needs to do a lot more than simply apply the patch. While the patch should fix the exploit it may not secure your server. In fact I would assume that your server is insecure even if you think you haven't been hacked. I'm basing this on multiple reports from vB 5 forum owners.

    If you require more detail I strongly recommend reading through the threads in the customer area of vbulletin.com.

    If you are a member of any vB 5 forum you should change your password once you are sure the server has been secured.
     
  8. mysiteguy

    mysiteguy Administrator

    Totally agree, with the number of forums already hit, it makes sense for anyone running VB 5.x to do a security audit.
     
  9. Joeychgo

    Joeychgo TAZ Administrator

    Honest question Paul -- Why do you think it is we often find out about VB vulnerabilities -- But almost never hear about XF or IPB vulnerabilities?
     
  10. zappaDPJ

    zappaDPJ Administrator

    I think because vBulletin has been so popular in the past and because it's been around since the dawn of time it's only natural that it's been exploited to the max.

    Other products obviously do have vulnerabilities but the payload is rarely as catastrophic as it seems to be with vBulletin and that's what concerns me the most. This latest exploit was quickly patched but the damage done was probably the worst I've ever seen.
     
  11. doubt

    doubt Tazmanian

    It's very similar to the Windows exploits.
    Many years ago there were lots of Windows machines around and a relatively small number of Apple machines.
     
  12. Smokey

    Smokey Enthusiast

    Glad I sold my license off before the release of vBulletin 5 all those years ago.
     
  13. R0binHood

    R0binHood Habitué

    I wonder if this was ever used against the official site and if any sensitive or customer info was taken.
     
  14. LeadCrow

    LeadCrow Apocalypse Admin

    I was wondering the same. Even if this vulnerability was patched, the servers could have been and remained in a compromised state.
     
  15. fixer

    fixer I'm In My Prime

    "vBulletin Emergency Support Team" being notified of 3 year old exploit...

     
  16. MagicalAzareal

    MagicalAzareal Magical Developer

    vB is fundamentally less secure in a number of ways and it's also low hanging fruit.
    Why pursue harder targets when you can get more bang for your buck there?
     
  17. feldon30

    feldon30 Adherent

    IB/VB's reaction to this exploit was about on par. But vB5's architecture made an exploit like this inevitable. When your approach to a bold new version of what used to be the flagship internet forum software is "how many JavaScript programmers can we hire for $50 a day?" well, these things happen.
     
    Last edited: Sep 29, 2019
  18. zappaDPJ

    zappaDPJ Administrator

    They have said not and they may truly believe it but judging by what I've read of this exploit they may never know for sure. In reality it really wouldn't matter much. Their customer database has been hacked so many times in the past what difference would it make?
     
  19. zappaDPJ

    zappaDPJ Administrator

    So as expected, people are applying the patch only to find their site is still compromised. The notice at the head of the forum and the linked announcement are totally inadequate, both need to be expanded upon. In addition, in spite of what has been said in these forums, forum owners are having their tickets closed if they don't have paid support. vBulletin really are their own worst enemy.
     
  20. BirdOPrey5

    BirdOPrey5 #Awesome

    If anyone who was hacked had their ticket closed I would suggest they try again today. Be sure not to use abusive language as that would be a reason for closing the ticket, not the lack of a support contact.
     