A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin. The zero-day is a bypass for a patch from a previous vBulletin zero-day — namely CVE-2019-16759, disclosed in September 2019. This previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE).
But a researcher has said that CVE-2019-16759 is inadequate in blocking exploitation and that he had found a simple way to bypass the patch to continue exploiting the same vulnerability, proven by him publishing three proofs-of-concept in Bash, Python, and Ruby.
Combined with the peak of summer holidays and Covid-19 disruption, this vulnerability may have quite disastrous and long-lasting consequences compared to similar ones disclosed in the past. The volume of personal data available in web forums is huge. Attackers will launch large-scale and automated hacking campaigns to later run password re-use and identity theft attacks, and extort money from those victims whose sensitive data was exposed in the forum’s private messages for example.
Worse, given that the security flaw allows a non-authenticated remote attacker to run arbitrary code on the server, not only the forum may be compromised but the entire web server and its environment. Cybercriminals commonly don’t take a summer vacation, and exploitation in the wild has reportedly already started. We can expect that the vast majority of vulnerable forums will be hacked and backdoored within the next 24 hours.
Administrators of the affected resources shall urgently apply the vendor-supplied patch, and consider putting the entire web server offline for investigation whether their forum has been compromised. Modern-day attackers usually install patches once their target is under control to preclude “competitors” from getting in. Thus, if your forum is somehow invulnerable, it’s rather an alarming sign.