A New vBulletin 0-Day RCE Vulnerability and Exploit Disclosed Publicly

A safety researcher previously today publicly disclosed aspects and proof-of-strategy exploit code for an unpatched, essential zero-working day remote code execution vulnerability impacting the commonly used web discussion board computer software vBulletin which is by now underneath lively exploitation in the wild.

vBulletin is a extensively applied proprietary Web discussion board software package based mostly on PHP and MySQL databases server that powers about 100,000 internet websites on the World wide web, such as Fortune 500 and Alexa Best 1 million organizations websites and discussion boards.

In September very last calendar year, a different anonymous security researcher publicly disclosed a then-zero-working day RCE vulnerability in vBulletin, identified as CVE-2019-16759, and obtained a important severity rating of 9.8, letting attackers to execute malicious instructions on the remote server with out requiring any authentication to log into the forum.


A day immediately after the disclosure of CVE-2019-16759, the vBulletin group introduced safety patches that resolved the concern, but it turns out that the patch was insufficient in blocking the exploitation of the flaw.

Bypassing the Patch for the CVE-2019-16759 RCE Flaw

The recently introduced zero-day, discovered, and publicly released by protection researcher Amir Etemadieh (Zenofex), is a bypass for CVE-2019-16759. The flaw did not acquire any CVE identifier at the time this website put up was published.

The most current zero-day vulnerability ought to be considered as a intense problem due to the fact it is remotely exploitable and does not require authentication. It can conveniently be exploited making use of an exploit code of a single one-line command that can final result in remote code execution in the most recent vBulletin application.

vBulletin vulnerability

According to the researcher, the patch for CVE-2019-16759 did not solve the challenges current in the “widget_tabbedcontainer_tab_panel” template, i.e., its capability to load a consumer-managed kid template and to load the child template, it will take a value from a individually named value and places it into a variable named “widgetConfig,” effectively permitting the researcher to bypass the patch for CVE-2019-16759.

The researcher also printed a few proofs-of-concept exploit payloads prepared in a number of languages, such as Bash, Python, and Ruby.

Hackers Actively Exploiting vBulletin Zero-Working day

Quickly immediately after the launch of the PoC exploit code, hackers commenced exploiting the zero-working day to concentrate on vBulletin web pages.

According to DefCon and Black Hat security conferences creator Jeff Moss, the DefCon discussion board was also attacked with the exploit just 3 hours soon after the flaw was disclosed.

“A new VBulletin Zero Working day obtained dropped yesterday by @Zenofex that exposed the CVE-2019-16759 patch was incomplete – within a few several hours https://forum.defcon.org was attacked, but we had been completely ready for it. Disable PHP rendering to shield oneself right until patched!,” explained Moss.

Official vBulletin Patch and Mitigations

The vBulletin team responded to the publicly launched zero-working day flaw right away and produced a new safety patch that disables the PHP module in vBulletin software to handle the difficulty, assuring its buyers that it will be taken off solely in the long term launch of vBulletin 5.6.4.

The discussion board maintainers suggested developers to think about all older variations of vBulletin vulnerable and up grade their web sites to run vBulletin 5.6.2 as before long as feasible. Builders can verify Fast Overview: Upgrading vBulletin Link in the assist discussion boards for far more details on upgrading.

However The Hacker Information strongly recommend people and developers to up grade their message boards to the new vBulletin version, all those who can not update straight away can mitigate the new zero-day by disabling PHP widgets inside your community forums, to do this:

Go to the vBulletin administrator management panel and click on “Options” in the menu on the still left, then “Solutions” in the dropdown.
Select “Typical Options” and then click “Edit Settings.”
Appear for “Disable PHP, Static HTML, and Advertisement Module rendering,” Set to “Of course.”
Click “Help save”

Be aware that these alterations could break some operation but will mitigate the concern right until you strategy to apply the formal protection patches.

Fibo Quantum