
CVE-2020-17496 – vBulletin RCE vulnerability actively being exploited in the wild

SonicWall Capture Labs Threat Research team observes attackers actively exploiting the recently reported remote code execution vulnerability in vBulletin. vBulletin is a popular forum software package used by about 20,000 websites. It is written in PHP and uses a MySQL database.

CVE-2020-17496 | Vulnerability:

A remote code execution vulnerability has been reported in vBulletin. It is due to improper validation of the subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request, and it bypasses the fix for CVE-2019-16759, a critical pre-authentication vulnerability in vBulletin disclosed in September 2019. In CVE-2019-16759, an attacker sends a crafted ajax request that names the template widget_php and places malicious PHP code in the parameter widgetConfig['code']; the render engine then executes that code. The fix checked the requested template name and refused to render it if it was widget_php, since widget_php is the only template that can be used for PHP code execution. In the new bypass, the widget_tabbedcontainer_tab_panel template is found to load a user-controlled child template, so a request routed to this template that names widget_php as the child reaches the same code path, effectively bypassing the patch for CVE-2019-16759.

Exploit:

In the crafted POST request, the child template name is widget_php and the malicious code is passed through the subWidgets elements, allowing remote code execution.

A remote, unauthenticated attacker could exploit this vulnerability by sending such a crafted request to the vulnerable server. Successful exploitation could result in remote code execution.

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15163 vBulletin widget_tabbedContainer_tab_panel Remote Command Execution

Affected Products:

All versions of vBulletin prior to 5.6.x are affected by this vulnerability. Users should migrate to a patched version as soon as possible.

vBulletin Remote command execution vulnerability

vBulletin is a proprietary Internet forum software. It is written in PHP and uses a MySQL database server. Once installed and configured, the forum is accessible via Hypertext Transfer Protocol (HTTP).

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request (CVE-2019-16759).

A remote command execution vulnerability exists in vBulletin. An attacker can exploit this vulnerability with a specially crafted HTTP POST request. Authentication is not required, so this is a pre-authentication remote command injection. The injected code runs with the same privileges as the vBulletin service, which could let attackers take over vulnerable web forums.

Examining the PoC code, we see that attacker-controlled PHP code is passed in the widgetConfig[code] parameter of a POST request whose routestring is ajax/render/widget_php.

The POST request looks like this:

Followed by the exploit code:

Some examples of exploits in the wild:

After decoding:

Another example:

After decoding:

In both examples the attacker tries to execute web shell commands.
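Both posts describe the same two request shapes: a direct ajax/render/widget_php request carrying code in widgetConfig[code] (CVE-2019-16759), and an ajax/render/widget_tabbedcontainer_tab_panel request that names widget_php as a child template through the subWidgets data (CVE-2020-17496). The following is an added example, written for this write-up and not vBulletin code or the logic behind the SonicWall IPS signatures, that parses URL-encoded POST bodies and flags either shape. The exact on-the-wire encoding of the subWidgets array as subWidgets[N][template] and subWidgets[N][config][code], the sample bodies, and the placeholder PHP payload are all assumptions made for the example.

```python
"""Flag crafted vBulletin ajax/render POST bodies for CVE-2019-16759 and
CVE-2020-17496. Constructed example for this write-up; it is not vBulletin
code and not the logic behind the SonicWall IPS signatures."""
import re
from urllib.parse import parse_qs

# Route strings named in the two advisories, normalized to lower case with
# no leading slash. Matching case-insensitively is a design choice here to
# avoid trivial evasion; it is not a statement about how vBulletin routes.
ROUTE_WIDGET_PHP = "ajax/render/widget_php"
ROUTE_TABBED = "ajax/render/widget_tabbedcontainer_tab_panel"

_BRACKET_RE = re.compile(r"\[([^\]]*)\]")


def key_path(key):
    """Split a PHP-style form key such as subWidgets[0][template] into
    its array path ['subWidgets', '0', 'template']."""
    head, _, rest = key.partition("[")
    if not rest:
        return [head]
    return [head] + _BRACKET_RE.findall("[" + rest)


def normalize_route(value):
    return value.strip().lstrip("/").lower()


def classify_request(body):
    """Return a list of (cve, reason) findings for one URL-encoded POST body.
    parse_qs performs the percent-decoding, so differently encoded variants
    of the same request are seen the same way."""
    params = parse_qs(body, keep_blank_values=True)
    routes = {normalize_route(v) for v in params.get("routestring", [])}
    paths = {key: key_path(key) for key in params}
    findings = []

    # CVE-2019-16759: widget_php rendered directly with code in widgetConfig[code].
    if ROUTE_WIDGET_PHP in routes:
        for key, path in paths.items():
            if path == ["widgetConfig", "code"]:
                findings.append(("CVE-2019-16759", f"widget_php rendered with code in {key}"))

    # CVE-2020-17496: tabbedcontainer_tab_panel asked to load widget_php as a
    # child template. The subWidgets[N][template] encoding is an assumption.
    if ROUTE_TABBED in routes:
        for key, path in paths.items():
            if path[0] == "subWidgets" and path[-1] == "template":
                for template in params[key]:
                    if template.strip().lower() == "widget_php":
                        findings.append(("CVE-2020-17496", f"child template widget_php requested via {key}"))
    return findings


# Constructed sample bodies; the PHP payload is a harmless placeholder.
SAMPLES = {
    "cve_2019": ("routestring=ajax%2Frender%2Fwidget_php"
                 "&widgetConfig%5Bcode%5D=echo+%27test%27%3B"),
    "cve_2020": ("routestring=ajax%2Frender%2Fwidget_tabbedcontainer_tab_panel"
                 "&subWidgets%5B0%5D%5Btemplate%5D=widget_php"
                 "&subWidgets%5B0%5D%5Bconfig%5D%5Bcode%5D=echo+%27test%27%3B"),
    "benign": ("routestring=ajax%2Frender%2Fwidget_tabbedcontainer_tab_panel"
               "&subWidgets%5B0%5D%5Btemplate%5D=widget_text"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_request(body) or "clean")
```

Decoding before matching is the point: the in-the-wild samples above only reveal the web shell commands after decoding, and a detector that inspects the raw bytes for the literal string widget_php misses a request that percent-encodes it. A benign tabbedcontainer request that loads some other child template is left alone, so the second check keys on the child template name rather than on the route alone.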

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

  • IPS 14453 vBulletin widgetConfig Remote Command Execution 1
  • IPS 3185 Web Application Remote Code Execution 14

IoCs:

  • 182.161.18.135
  • 191.37.220.126
  • 14.231.65.23
  • 129.0.76.131

Threat Graph: