A security researcher has published proof-of-concept code that bypasses a patch issued last year for a zero-day vulnerability in vBulletin, a popular software package for building online community forums.
Calling the patch a “fail” and “inadequate in blocking exploitation,” Austin-based security researcher Amir Etemadieh published details of the bypass, together with working exploit code in three languages (Bash, Python and Ruby), in a post published Sunday night.
On September 23, 2019, an unidentified security researcher released exploit code for a flaw that allowed PHP remote code execution in vBulletin 5.x through 5.5.4, Etemadieh wrote.
The zero-day, CVE-2019-16759, is a pre-authentication remote code execution (RCE) bug: an attacker can run arbitrary code on the server and take over a forum without holding an account on the site under attack.
“This bug (CVE-2019-16759) was labeled as a ‘bugdoor’ because of its simplicity by a popular vulnerability broker and was marked with a CVSS 3.x score of 9.8 giving it a critical rating,” he said in the post.
A patch was issued two days later, Sept. 25, 2019, that “seemed, at the time, to fix the proof of concept exploit provided by the un-named finder,” Etemadieh said.
It did not, however: Etemadieh showed how the patch can be bypassed, with a separate proof-of-concept in each of the three languages.
The key problem with the patch issued for the zero day is related to how the vBulletin template system is structured and how it uses PHP, he wrote in the post.
“Templates aren’t actually written in PHP but instead are written in a language that is first processed by the template engine and then is output as a string of PHP code that is later run through an eval() during the ‘rendering’ process,” according to the post. “Templates are also not a standalone item but can be nested within other templates, in that one template can have a number of child templates embedded within.”
The patch is “short-sighted,” Etemadieh wrote, because it does not account for user-controlled child templates: it only checks that the routestring of the parent (top-level) request does not end with the widget_php route, so it has nothing to say about a widget_php template that is loaded as a child of another template.
“However we are still prevented from providing a payload within the widgetConfig value because of code within the rendering process, which cleans the widgetConfig value prior to the template’s execution,” he wrote in his post.
Etemadieh goes on to show how another template, left untouched by the patch, is “a perfect assistant in bypassing the previous CVE-2019-16759 patch” thanks to two key features: it can load a user-controlled child template, and it loads that child by taking a value from a separately named, user-supplied value and placing it into a variable named “widgetConfig,” so the cleaning applied to the request’s own widgetConfig value never touches it.
“These two characteristics of the ‘widget_tabbedcontainer_tab_panel’ template allow us to effectively bypass all filtering previously done to prevent CVE-2019-16759 from being exploited,” he wrote.
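To make the mechanism concrete, here is a small Python model of the rendering path described above. It is an added illustration, not vBulletin code (which is PHP) and not Etemadieh’s proof of concept: the template bodies, the “widget_passthrough” template, the “children” request key and the handle()/render() helpers are assumptions made for the example, and the string that would reach eval() is returned rather than executed.

```python
"""
Toy model of the vBulletin template-rendering path as the post describes
it: a request-level routestring check, request-level cleaning of the
widgetConfig value, and templates that may load user-named child templates.
Constructed illustration only. Template bodies, the 'children' request key,
the widget_passthrough template and all helper names are assumptions.
"""


def widget_php(widget_config, request, render_child):
    # The PHP widget: widgetConfig['code'] is the string the engine would eval().
    return widget_config.get("code", "")


def widget_passthrough(widget_config, request, render_child):
    # Hypothetical parent that forwards its OWN (already cleaned) widgetConfig
    # to a user-named child. Used here to show what the cleaning step catches.
    return render_child(request.get("child", "widget_text"), widget_config)


def widget_tabbedcontainer_tab_panel(widget_config, request, render_child):
    # Loads one user-named child per entry and hands that entry's own 'config'
    # value to the child as its widgetConfig (assumed request layout).
    parts = []
    for child in request.get("children", []):
        parts.append(render_child(child["template"], child.get("config", {})))
    return "".join(parts)


def widget_text(widget_config, request, render_child):
    # A harmless widget whose code only prints a fixed string.
    return "echo 'static text';"


TEMPLATES = {
    "widget_php": widget_php,
    "widget_passthrough": widget_passthrough,
    "widget_tabbedcontainer_tab_panel": widget_tabbedcontainer_tab_panel,
    "widget_text": widget_text,
}


def patch_allows(request):
    """Model of the Sept. 2019 patch: reject when routestring ends in widget_php."""
    return not request.get("routestring", "").endswith("widget_php")


def clean_widget_config(config):
    """Model of the render-time cleaning applied to the request's widgetConfig."""
    return {k: v for k, v in config.items() if k != "code"}


def render(name, widget_config, request, php_widgets_enabled=True):
    """Render one template to the code string the engine would pass to eval()."""
    if name == "widget_php" and not php_widgets_enabled:
        return ""                      # the admin-panel mitigation: PHP widgets off
    template = TEMPLATES.get(name)
    if template is None:
        return ""

    def render_child(child_name, child_config):
        # Child templates are rendered through the same path, but the config
        # they receive is whatever the parent passes, not the cleaned request value.
        return render(child_name, child_config, request, php_widgets_enabled)

    return template(widget_config, request, render_child)


def handle(request, php_widgets_enabled=True):
    """Patched request path: route check, clean widgetConfig, render the route."""
    if not patch_allows(request):
        return None                    # blocked at the request level
    template = request.get("routestring", "").rsplit("/", 1)[-1]
    config = clean_widget_config(request.get("widgetConfig", {}))
    return render(template, config, request, php_widgets_enabled)


PAYLOAD = "echo 'attacker-controlled';"   # benign stand-in for injected PHP


def scenarios():
    """Four requests: original exploit, cleaned passthrough, bypass, mitigated."""
    direct = {"routestring": "ajax/render/widget_php",
              "widgetConfig": {"code": PAYLOAD}}
    passthrough = {"routestring": "ajax/render/widget_passthrough",
                   "child": "widget_php",
                   "widgetConfig": {"code": PAYLOAD}}
    bypass = {"routestring": "ajax/render/widget_tabbedcontainer_tab_panel",
              "children": [{"template": "widget_php",
                            "config": {"code": PAYLOAD}}]}
    return {
        "direct": handle(direct),          # None: routestring check blocks it
        "passthrough": handle(passthrough),  # "": child reached, but config was cleaned
        "bypass": handle(bypass),          # PAYLOAD: config came from 'children', uncleaned
        "mitigated": handle(bypass, php_widgets_enabled=False),  # "": PHP widgets off
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:>12}: {result!r}")
```

The third scenario is the whole point: both defences sit at the request entry (the routestring and the request’s widgetConfig parameter), while the dangerous decision (which template runs, with what config) is made later, inside the rendering of a parent template that the request-level code never inspects. A check that belongs at the point of use, the template loader, was placed at the point of entry instead; the admin-panel toggle works precisely because it applies at the point of use.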
It’s unclear whether Etemadieh informed vBulletin before publishing the bypass; a report in ZDNet suggests that he did not. He did, however, provide a quick fix in his post: disabling PHP widgets within vBulletin forums, which “may break some functionality but will keep you safe from attacks until a patch is released by vBulletin,” he wrote.
To apply the fix, administrators should:
- Go to the vBulletin administrator control panel.
- Click “Settings” in the menu on the left, then “Options” in the dropdown.
- Choose “General Settings” and then click “Edit Settings”.
- Look for “Disable PHP, Static HTML, and Ad Module rendering” and set it to “Yes”.
- Click “Save”.
Online forums are a popular target for hackers because they typically have a wide and diverse user base and store a large amount of personally identifiable information about those users.
Indeed, attackers wasted no time in using Etemadieh’s bypass to try to break into the forum of the DEF CON security conference, according to a post on Twitter by DEF CON and Black Hat founder Jeff Moss. Administrators quickly followed Etemadieh’s advice and disabled PHP rendering, which stopped the attack, he tweeted.
“Disable PHP rendering to protect yourself until patched!” Moss advised.
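Until a vendor patch is applied, a forum operator will also want to know whether anyone has already tried this. The script below is an added example, not part of the article and not a vBulletin tool: it triages web server access-log lines for requests that name the widget_php template, either directly in the routestring (the original CVE-2019-16759 shape) or anywhere else in the request (the nested-template shape the bypass depends on). The log lines are constructed for the example, and the “children[0][template]” parameter name in them is an assumption standing in for whatever the real parent template reads; the matching does not depend on that name.

```python
"""
Access-log triage for widget_php requests against a vBulletin 5 forum.
Added example with constructed log lines; the nested parameter names used
in them are assumptions. Matches on the template name, not the parameter
name, so it does not depend on the exact request layout.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed combined-format log lines (IPs from documentation ranges).
LOG_LINES = [
    '203.0.113.5 - - [10/Aug/2020:02:14:07 +0000] "GET /forum/?routestring=ajax/render/widget_php'
    '&widgetConfig%5Bcode%5D=echo+1%3B HTTP/1.1" 403 0 "-" "curl/7.64.1"',
    '203.0.113.5 - - [10/Aug/2020:02:14:09 +0000] "GET /forum/?routestring=ajax/render/'
    'widget_tabbedcontainer_tab_panel&children%5B0%5D%5Btemplate%5D=widget_php'
    '&children%5B0%5D%5Bconfig%5D%5Bcode%5D=echo+1%3B HTTP/1.1" 200 512 "-" "curl/7.64.1"',
    '198.51.100.7 - - [10/Aug/2020:02:15:00 +0000] "GET /forum/forum/general-discussion'
    ' HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Aug/2020:02:16:31 +0000] "POST /forum/ajax/render/'
    'widget_tabbedcontainer_tab_panel HTTP/1.1" 200 300 "-" "python-requests/2.24"',
    '203.0.113.8 - - [10/Aug/2020:02:17:02 +0000] "GET /forum/ajax/render/widget_php'
    '?widgetConfig%255Bcode%255D=echo+1%253B HTTP/1.1" 403 0 "-" "curl/7.64.1"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Decode twice so a double-encoded query (line 5 above) still matches.
    decoded = unquote_plus(unquote_plus(query))
    params = parse_qs(decoded, keep_blank_values=True)
    # vBulletin accepts the route either as ?routestring=... or as the URL path.
    route = params.get("routestring", [path])[0]
    haystack = (path + "?" + decoded).lower()
    finding = {"ip": m.group("ip"), "ts": m.group("ts"),
               "method": m.group("method"), "status": m.group("status")}
    if route.endswith("widget_php"):
        finding["verdict"] = "direct widget_php route (original CVE-2019-16759 shape)"
    elif "widget_php" in haystack:
        finding["verdict"] = "widget_php named outside routestring (nested-template bypass shape)"
    elif m.group("method") == "POST" and "/ajax/render/" in path:
        # POST bodies are not in a standard access log; flag for body inspection.
        finding["verdict"] = "POST to a render route: body not logged, check WAF or full-request logs"
    else:
        return None
    return finding


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"{f['ts']} {f['ip']:>14} {f['method']:<4} {f['status']} {f['verdict']}")
```

A 403 on the direct shape is the patched behaviour; a 200 on the nested shape is the one to treat as a likely compromise, since the bypass executes before any response is returned. Note that the third verdict is deliberately weak: the exploit can be delivered in a POST body that an access log never records, so absence of findings here is not evidence of absence.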