SonicWall Capture Labs Threat Research team observes attackers actively exploiting the recent remote code execution vulnerability reported in vBulletin. VBulletin is a popular forum software used by about 20,000 websites. It is written in PHP and uses the MySQL database.
CVE-2020-17496 | Vulnerability:
A remote code execution vulnerability has been reported in vBulletin. This vulnerability is due to improper validation of subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. It is a bypass for CVE-2019-16759, a critical pre-authentication vulnerability in vBulletin that was disclosed in September 2019. When an attacker sends a crafted ajax request that contains the template name widget_php with malicious code placed in the parameter widgetConfig[‘code’], the render engine will execute the malicious code in the request. It was fixed by checking the name, If the name is widget_php, the engine won’t render the requested template. That made widget_php the only template that could be utilized for PHP code execution. In the latest bypass, the tabbedcontainer_tab_panel template widget is found to be capable of loading “a user-controlled child template, effectively bypassing the patch for CVE-2019-16759.
Exploit:
In the below post request, the child template name is widget_php and the malicious code can be passed through subWidget elements allowing remote code execution.
A remote, unauthenticated attacker could exploit this vulnerability by sending the above crafted request to the vulnerable server. Successful exploitation could result in remote code execution.
Trend Chart:
SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:
IPS: 15163 vBulletin widget_tabbedContainer_tab_panel Remote Command Execution
Affected Products:
All versions of vBulletin prior to the 5.6.x are affected by this vulnerability. Users should migrate over to a patched version as soon as possible.