Public Disclosure of Two Major 0-Day Remote Exploits for vBulletin Forum

Critical Vulnerabilities Discovered in vBulletin Forum Software

Security experts have unveiled two significant vulnerabilities in the popular vBulletin forum software, crucial for businesses that rely on this platform for online discussions. These unpatched flaws, found in version 5 of the software, present serious security risks, including the potential for remote code execution by malicious actors.

vBulletin, a proprietary forum software built on PHP and MySQL, serves over 100,000 websites worldwide, including platforms for renowned Fortune 500 companies. The finding comes from a researcher associated with the Italian security firm TRUEL IT, along with another independent researcher, who utilized Beyond Security’s SecuriTeam Secure Disclosure program to publicize the vulnerabilities.

The first vulnerability allows unauthorized users to execute arbitrary PHP code through a file inclusion flaw. An attacker can exploit this weakness by sending a manipulated GET request to the server, enabling them to include any file from the vBulletin server during their attack. This poses an immediate risk, especially for installations running on Windows OS, where the attacker can craft such requests to gain additional control over the environment. Although proof-of-concept exploit code has been shared, a Common Vulnerabilities and Exposures (CVE) identification has not yet been assigned to this issue.

The second issue, designated CVE-2017-17672, is a deserialization vulnerability that can permit an unauthenticated attacker to delete arbitrary files or even execute code in specific scenarios. This vulnerability arises from unsafe handling of PHP’s unserialize() function on user-supplied data. Notably, the vB_Library_Template’s cacheTemplates() function, which is publicly accessible, inadvertently allows attackers to fetch and manipulate template information from the database, which could lead to severe data breaches.

This series of vulnerabilities highlights the crucial need for timely vendor responses to address potential exploits before they are taken advantage of in real-world attacks. Beyond Security has stated that they have attempted to inform vBulletin of these issues since November 2017 but received no acknowledgment or corrective actions.

Businesses using vBulletin should remain vigilant as these vulnerabilities could offer initial access to systems through malicious GET requests, aligning with MITRE ATT&CK techniques for exploitation. The sloppy handling of user data underscores significant risks associated with unauthorized access, potentially affecting system integrity and leading to unauthorized data manipulation or denial of service conditions.

In conclusion, the gravity of these vulnerabilities underscores the importance of active monitoring and timely patching of software employed for online interactions. Businesses must ensure they are aware of such risks within their technology stack, particularly given the implications for data security and operational resilience in an increasingly interconnected digital landscape.

Source link