vBulletin Zero-Day revealed to be exploited for years. Company releases unofficial patch

Nadejda

A zero-day exploit for the popular forum software vBulletin has been publicly disclosed and used to attack the affected version of the forum. It was later revealed that this exploit has been known to, and exploited by, hackers for years.

A user publicly disclosed a zero-day remote code execution vulnerability in vBulletin on the Full Disclosure security mailing list. This critical vulnerability allows attackers to execute any command on the website, download malicious software or tamper with the site's code.

Many users have reported their forums being attacked using this vulnerability, with one even claiming that their entire forum database was deleted. Thousands of high-profile companies and organizations use this forum software, including NASA, EA, Pearl Jam, Sony Pictures and many more.

vBulletin has responded with the release of an unofficial patch, which can be downloaded here.

The remote code execution vulnerability exists in the includes/vb5/frontend/controller/bbcode.php file, and it is caused by the evalCode($code) function, which evaluates JavaScript code represented as a string.

When the function is executed, it can run any command passed in $code using the eval() function. This can be any available command, such as adding users or downloading and executing files and scripts. However, a very simple patch was created to fix the issue: it comments out the eval() statement in the evalCode function.

You can apply the patch yourself by editing the file includes/vb5/frontend/controller/bbcode.php.

You will see the function:



Edit the function so that the eval() call inside evalCode is commented out, like this:



Once this is done, the vulnerability is no longer an issue and cannot be exploited. vBulletin strongly advised users to apply this patch immediately.
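Because the fix is a one-line manual edit, an administrator responsible for several installs wants a quick way to confirm it was actually applied. The script below is an added example, not code from vBulletin or from this article: it locates the evalCode method in a copy of bbcode.php by brace matching, strips PHP comments from its body, and reports whether a live eval() call remains. The PHP snippets it checks are constructed stand-ins that only reproduce the shape the article describes (an evalCode($code) method calling eval($code)); they are not vBulletin's real source.

```python
import re
from enum import Enum
from typing import Optional

# Constructed stand-in for the relevant part of
# includes/vb5/frontend/controller/bbcode.php (NOT vBulletin's real code):
# an evalCode($code) method whose body calls eval() on its argument.
UNPATCHED = """<?php
class Bbcode
{
    protected function evalCode($code)
    {
        ob_start();
        eval($code);
        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }
}
"""

# The two ways an admin is likely to comment the call out.
PATCHED_LINE = UNPATCHED.replace("eval($code);", "// eval($code);")
PATCHED_BLOCK = UNPATCHED.replace("eval($code);", "/* eval($code); */")


class PatchState(Enum):
    PATCHED = "patched"        # evalCode exists and contains no live eval()
    UNPATCHED = "unpatched"    # evalCode still contains a live eval() call
    NOT_FOUND = "not_found"    # no evalCode method in this file


def extract_method(source: str, name: str) -> Optional[str]:
    """Return the body of `function <name>(...) { ... }` using brace matching."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    if not m:
        return None
    start = source.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start + 1:i]
    return None  # unbalanced braces: treat as no usable method body


def strip_comments(php: str) -> str:
    """Remove /* ... */, // and # comments so only live code remains.
    (Deliberately simple: it does not handle comment markers inside strings.)"""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    php = re.sub(r"(//|#).*", "", php)
    return php


def check_evalcode(source: str) -> PatchState:
    """Classify a bbcode.php source text by whether evalCode still calls eval()."""
    body = extract_method(source, "evalCode")
    if body is None:
        return PatchState.NOT_FOUND
    if re.search(r"\beval\s*\(", strip_comments(body)):
        return PatchState.UNPATCHED
    return PatchState.PATCHED


def check_file(path: str) -> PatchState:
    """Convenience wrapper: run the check against a file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_evalcode(fh.read())


if __name__ == "__main__":
    # Run the check over the constructed samples instead of a real install.
    for label, src in (("unpatched", UNPATCHED),
                       ("line-comment patch", PATCHED_LINE),
                       ("block-comment patch", PATCHED_BLOCK)):
        print(f"{label:20s} -> {check_evalcode(src).value}")
```

Point check_file at includes/vb5/frontend/controller/bbcode.php on each install; an UNPATCHED result means the eval() call is still reachable and the manual edit (or the vendor patch) has not been applied there.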



Known for years

After this news made headlines, Chaouki Bekrar, the CEO of Zerodium, an American information security company, took to Twitter to share that his team had known about this exploit for 3 years, and that a great number of researchers had profited by selling the exploit.



While the public disclosure of the vulnerability has increased the number of attacks, it has most likely already been in use for years.
