Harsh_Chawla
F5 Employee

On Monday, September 23rd, an anonymous security researcher posted a working exploit for the vBulletin Content Management System on the Full Disclosure mailing list. Full Disclosure is a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The vulnerability affects versions 5.0.0 to 5.5.4. At the time of writing this article, previous versions of vBulletin were not deemed vulnerable to this exploit.

Furthermore, security researchers at F5 Networks have already detected a threat campaign targeting this zero-day vulnerability.


Vulnerability


Based on preliminary analysis, the vulnerability lies in the file ‘/includes/vb5/frontend/controller/bbcode.php’. The function evalCode in this PHP file accepts $code as its parameter and executes it using the PHP eval() function. Code sent to this function therefore executes with the same permissions as the user running the vBulletin process.



Figure 1 evalCode function within bbcode.php file


Mitigation with BIG-IP ASM


ASM customers running any supported BIG-IP version are already protected against this vulnerability.


To exploit this vulnerability, an attacker sends a malicious HTTP POST request containing a parameter named ‘routestring’ with the value ‘ajax/render/widget_php’, along with the code to be executed by a server running a vulnerable version of vBulletin.



Figure 2 Request example containing the exploitation attempt


Figure 3 Another example request containing the exploitation attempt
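
For log review, the request pattern described above can be matched after normalizing the encoding of the ‘routestring’ parameter. The following Python sketch is an added example, not F5 or vBulletin code and not the ASM signature logic; the function names, the decode bound, the slash normalization, the extra check of the query string, and the sample requests are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_ROUTE = "ajax/render/widget_php"  # routestring value named in the article
MAX_DECODE_ROUNDS = 3  # assumption: upper bound on nested percent-encoding


def normalize(value):
    """Undo nested percent-encoding, then canonicalize case and slashes."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    segments = value.strip().lower().replace("\\", "/").split("/")
    return "/".join(s for s in segments if s)


def routestring_values(target, body=""):
    """Collect routestring values from the query string and the form body."""
    found = []
    for raw in (urlsplit(target).query, body):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if normalize(name) == "routestring":
                found.append(normalize(value))
    return found


def is_widget_php_request(target, body=""):
    """True when any routestring parameter resolves to the widget_php route."""
    return TARGET_ROUTE in routestring_values(target, body)


def flagged(requests):
    """Return the indexes of (method, target, body) tuples that match."""
    return [i for i, r in enumerate(requests) if is_widget_php_request(r[1], r[2])]


# Constructed sample requests (method, request target, form body); no payloads.
SAMPLE_REQUESTS = [
    ("POST", "/index.php", "routestring=ajax/render/widget_php&placeholder=1"),
    ("POST", "/", "routestring=ajax%2Frender%2Fwidget_php"),
    ("POST", "/", "routestring=ajax%252Frender%252FWidget_PHP"),
    ("POST", "/", "routestring=ajax/render/some_other_widget"),
    ("GET", "/forum/?routestring=/ajax/render/widget_php/", ""),
    ("GET", "/search?q=routestring", ""),
]

if __name__ == "__main__":
    print(flagged(SAMPLE_REQUESTS))
```

A match only shows that the route was requested; whether the server was vulnerable depends on the installed vBulletin version.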


The exploitation attempt is detected by many existing attack signatures for “Command Execution” and “Server Side Code Injection”.



Figure 4 Exploit blocked with Attack Signature (20004029)



Figure 5 Exploit blocked with Attack Signature (20003909)




Version history
Last update: 26-Sep-2019 08:13