Developers re-fix dangerous RCE vulnerability in vBulletin


Aug 1, 2020


Back in September 2019, an unknown security researcher discovered a dangerous zero-day vulnerability in vBulletin versions 5.0 through 5.4. The bug received the identifier CVE-2019-16759 and allowed an attacker to execute arbitrary PHP commands on a remote server without logging into the forum itself.

Although a fix for this bug was released just a day after the issue was disclosed, not everyone managed to install the updates in time. As a result, the vulnerability affected the official Comodo forums, the ZoneAlarm forums, and Italian and Dutch resources for sex workers (prostitution is legal in these countries).

More than half a year has passed since the bug was discovered and fixed, so it would seem that the vulnerability is unlikely to threaten anyone now. However, over the weekend, cybersecurity expert Amir Etemadieh wrote on his blog that the fix for CVE-2019-16759 is ineffective, can be bypassed, and that attackers can still exploit the bug.

To prove his point, the expert published three PoC exploits for the vulnerability: in Bash, Python and Ruby. Essentially, these exploits make it possible to execute commands remotely with a simple one-line command that sends a POST request to the vBulletin server.

At the same time, the researcher did not consider it necessary to notify the vBulletin developers that the problem was still exploitable. That is, at the time the article and the new exploits were published, there was no patch for the problem yet. As a result, information about the old-new 0-day vulnerability quickly spread across Reddit, Twitter, Discord and other social networks, as well as through hacker communities. And, of course, the attacks began immediately.

As a result, at least one forum was hacked using this vulnerability. Ironically, the victim was the forum of the DEF CON information security conference, which ended over the weekend.

The vBulletin developers have now prepared a patch for the problem and recommend installing it as soon as possible. If installing the fix is impossible for some reason, Amir Etemadieh advises going to the conference settings and disabling PHP, Static HTML and Ad Module rendering there. This should also protect against possible attacks.