Search Go hack yourself with Detectify

A web security blog from Detectify

vBulletin RCE CVE-2019-16759 exploited in the wild, to Detectify

October 4, 2019

Detectify now has a built-in detection for vBulletin RCE CVE-2019-16759, thanks to a report from our Crowdsource community. Last week, a proof-of-concept exploit for a Remote Code Execution (RCE) vulnerability for vBulletin forum software CVE 2019-16759 was disclosed publicly. The vulnerability was exploited in the wild and actively being exploited by malicious attackers. 

What is the vBulletin RCE?

The vulnerability exists in a PHP widget creation functionality that takes parameters from HTTP POST request that can be trivially modified by a user. The vBulletin forum versions that are affected are from 5.0.0 till 5.5.4. The official patch for the vulnerability was released on the 25th of September by vBulletin

The public release of the exploit code resulted in companies such as Comodo having their forum and underlying server compromised. The exploitation can be scripted and automated, so anyone running a vulnerable version of vBulletin software could have their server compromised by an opportunistic attacker. 

A known vulnerability for a few years

According to Chaouki Bekrar, the CEO of the zero day exploit market Zerodium, the exploit has been sold for three years. The exploit has been most likely used over the years, but only gained more attention last week.

vbulletin RCE was on zerodium for a few years

The Impact

The vulnerability allows attackers to run arbitrary code on the servers of the affected vBulletin forums. RCE vulnerabilities lead to full takeover of the server, meaning that any data stored on the server is compromised. In addition, an attacker can leverage the computing power of the server for other criminal activities, such as installing cryptominers or botnets.

The severity of the issue is increased by the fact that no form of authentication is needed to exploit the vulnerability.

Technical details

The vulnerability is in the dynamic creation of widgets, which can be done over an HTTP request. 

The vulnerability can be exploited via ajax/render/widget_php route. The RCE payload, such as shellcode, is processed by the widget rendering when malicious payload is sent over HTTP POST request in widgetConfig[code] parameter. The proof of concept exploit can be found here.

How can Detectify help?

Thanks to Detectify Crowdsource hackers, we are now detecting the CVE-2019-16759 RCE vulnerability in vBulletin software. If your Detectify Deep Scan report shows you are running a vulnerable version of vBulletin, patch your installation by following the guidance provided by vBulletin’s official patch release.

Written by:
Laura Kankaala
Security Researcher, Detectify

Do you use vBulletin on your web applications and you’re not sure if you have a vulnerable version? You can check it with Detectify now. Just log in hereNot a customer yet? No problem! You can sign up for your account and free trial today.