vBulletin Pre-Authentication – Remote Code Execution (CVE-2019-16759)
On Monday, September 23rd, an anonymous security researcher posted a working exploit for vBulletin Content Management System on Full Disclosure mailing list. Full Disclosure is a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The vulnerability affects versions 5.0.0 to 5.5.4. At the time of writing this article, previous versions of vBulletin were not deemed vulnerable by this exploit.
Furthermore, Security Researchers at F5 Networks have already detected a threat campaign targeting this zero-day vulnerability.
Vulnerability
Based on preliminary analysis, the vulnerability lies in the file ‘/includes/vb5/frontend/controller/bbcode.php’. Function evalCode within the PHP file accepts $code as the parameter and executes it using the PHP eval() function. The code sent to this function thus executes with the same permissions as the user running vBulletin process.
Figure 1 evalCode function within bbcode.php file
Mitigation with BIG-IP ASM
ASM customers under any supported BIG-IP version are already protected against this vulnerability.
While exploiting this vulnerability, an attacker will try to send a malicious HTTP POST request with a parameter named ‘routestring’ with the value ‘ajax/render/widget_php’. An attacker will also send along the code to be executed by a server running a vulnerable version of vBulletin.
Figure 2 Request example containing the exploitation attempt
Figure 3 Another example request containing the exploitation attempt
The exploitation attempt will be detected by many existing signatures to detect “Command Execution” and “Server Side Code Injection”
Figure 4 Exploit blocked with Attack Signature (20004029)
Figure 5 Exploit blocked with Attack Signature (20003909)